
22 matches found

NVD
added 2026/01/07 12:16 p.m. · 2 views

CVE-2025-14842

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated...

CVSS 6.1 · EPSS 0.00064
Exploits 0 · References 5
OSV
added 2025/12/19 9:15 p.m. · 2 views

CVE-2023-53952

Dotclear 2.25.3 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension through the blog post creation interface. Attackers can upload files containing PHP system commands that execute when the uploaded file is accessed...

CVSS 8.7 · AI score 8.6
Exploits 0 · References 3
EUVD
added 2025/12/19 9:05 p.m. · 3 views

EUVD-2025-204592

Dotclear 2.25.3 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension through the blog post creation interface. Attackers can upload files containing PHP system commands that execute when the uploaded file is accessed...

CVSS 8.8 · AI score 8.1 · EPSS 0.00746
Exploits 1 · References 5
Cvelist
added 2025/12/19 9:05 p.m. · 25 views

CVE-2023-53952 Dotclear 2.25.3 Authenticated Remote Code Execution via File Upload

Dotclear 2.25.3 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension through the blog post creation interface. Attackers can upload files containing PHP system commands that execute when the uploaded file is accessed...

CVSS 8.8 · EPSS 0.00746
Exploits 1 · References 3
EUVD
added 2025/12/18 12:34 a.m. · 1 view

EUVD-2023-60210

SitemagicCMS 4.4.3 contains a remote code execution vulnerability that allows attackers to upload malicious PHP files to the files/images directory. Attackers can upload a .phar file with system command execution payload to compromise the web application and execute arbitrary system commands...

CVSS 9.8 · AI score 8.2 · EPSS 0.00456
Exploits 1 · References 4
Vulnrichment
added 2025/12/17 10:44 p.m. · 1 view

CVE-2023-53924 UliCMS 2023.1-sniffing-vicuna Remote Code Execution via Avatar Upload

UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution...

CVSS 8.8 · AI score 7.9 · EPSS 0.00367
Exploits 1 · References 3
CVE
added 2025/12/17 10:44 p.m. · 6 views

CVE-2023-53921

SitemagicCMS 4.4.3 is affected by a remote code execution vulnerability via unrestricted file upload. The issue allows uploading a .phar file containing a system command execution payload into the files/images directory, enabling attackers to execute arbitrary commands on the hosting system. Docu...

CVSS 9.8 · AI score 8.3 · EPSS 0.00456
Exploits 1 · References 3 · Affected Software 1
Cvelist
added 2025/12/15 8:28 p.m. · 15 views

CVE-2023-53885 Webutler v3.2 Remote Code Execution via Arbitrary File Upload

Webutler v3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload PHP files with system command execution. Attackers can upload a PHAR file with embedded system commands to the media browser and execute arbitrary commands by accessing the uploaded fil...

CVSS 8.6 · EPSS 0.00445
Exploits 1 · References 3
EUVD
added 2025/10/07 12:30 a.m. · 0 views

EUVD-2018-7739

Malware in sbrugna...

CVSS 9.8 · AI score 9.3 · EPSS 0.00471
Exploits 0 · References 4
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2022-44063

Malicious code in bioql PyPI...

CVSS 9.8 · AI score 9.2 · EPSS 0.12646
Exploits 3 · References 4
OSV
added 2023/03/08 10:15 p.m. · 0 views

CVE-2021-33352

An issue in the Wyomind Help Desk Magento 2 extension v.1.3.6 and before, fixed in v.1.3.7, allows an attacker to execute arbitrary code via a phar file upload in the ticket message field...

CVSS 9.8 · AI score 6.1 · EPSS 0.00813
Exploits 1 · References 2
CNNVD
added 2023/03/08 12:00 a.m. · 1 view

Wyomind Magento Code Issue Vulnerability

Wyomind Magento is a ticketing system from Wyomind. A security vulnerability exists in Wyomind Help Desk Magento 2 extension version v.1.3.6 and earlier versions. An attacker can exploit this vulnerability to execute arbitrary code by uploading a phar file via the ticket message field...

CVSS 9.8 · AI score 8.9 · EPSS 0.00813
Exploits 1 · References 3
NVD
added 2022/11/09 7:15 a.m. · 13 views

CVE-2022-40797

Roxy Fileman 1.4.6 allows Remote Code Execution via a .phar upload, because the default FORBIDDENUPLOADS value in conf.json only blocks .php, .php4, and .php5 files. Visiting any .phar file invokes the PHP interpreter in some realistic web-server configurations...

CVSS 9.8 · EPSS 0.12646
Exploits 3 · References 4
OSV
added 2022/11/09 7:15 a.m. · 0 views

CVE-2022-40797

Roxy Fileman 1.4.6 allows Remote Code Execution via a .phar upload, because the default FORBIDDENUPLOADS value in conf.json only blocks .php, .php4, and .php5 files. Visiting any .phar file invokes the PHP interpreter in some realistic web-server configurations...

CVSS 9.8 · AI score 5.9
Exploits 0 · References 4
Prion
added 2022/11/09 7:15 a.m. · 10 views

Design/Logic Flaw

Roxy Fileman 1.4.6 allows Remote Code Execution via a .phar upload, because the default FORBIDDENUPLOADS value in conf.json only blocks .php, .php4, and .php5 files. Visiting any .phar file invokes the PHP interpreter in some realistic web-server configurations...

CVSS 7.5 · AI score 9.6 · EPSS 0.12646
Exploits 3 · References 4 · Affected Software 1
Cvelist
added 2022/11/09 12:00 a.m. · 14 views

CVE-2022-40797

Roxy Fileman 1.4.6 allows Remote Code Execution via a .phar upload, because the default FORBIDDENUPLOADS value in conf.json only blocks .php, .php4, and .php5 files. Visiting any .phar file invokes the PHP interpreter in some realistic web-server configurations...

AI score 9.9 · EPSS 0.12646
Exploits 3 · References 4
Positive Technologies
added 2022/11/09 12:00 a.m. · 1 view

PT-2022-25541 · Unknown · Roxy Fileman

Name of the Vulnerable Software and Affected Versions: Roxy Fileman version 1.4.6 Description: The issue allows Remote Code Execution via a .phar upload. This is because the default FORBIDDEN UPLOADS value in conf.json only blocks .php, .php4, and .php5 files. In some web-server configurations,...

CVSS 9.8 · AI score 9.5 · EPSS 0.12646
Exploits 3 · References 9
OSV
added 2022/05/24 4:56 p.m. · 19 views

GHSA-352X-HC2F-FWFF Pimcore RCE via PHAR upload

In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different...

CVSS 8.8 · AI score 8.5 · EPSS 0.00011
Exploits 0 · References 3
Github Security Blog
added 2022/05/24 4:56 p.m. · 24 views

Pimcore RCE via PHAR upload

In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different...

CVSS 8.8 · AI score 6.9 · EPSS 0.00011
Exploits 0 · References 4 · Affected Software 1
Prion
added 2021/03/15 5:15 p.m. · 10 views

Design/Logic Flaw

A remote command execution vulnerability in shopxo 1.9.3 allows an attacker to upload malicious code generated by phar where the suffix is JPG, which is uploaded after modifying the phar suffix...

CVSS 7.5 · AI score 9.6 · EPSS 0.01304
Exploits 0 · References 2 · Affected Software 1