40 matches found
CVE-2026-28558
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the...
Online-Traffic-Offense-Management-System-1.0-Unauthenticated-RCE-PoC
Online Traffic Offense Management System 1.0 — Unauthenticated...
CVE-2023-53924 UliCMS 2023.1-sniffing-vicuna Remote Code Execution via Avatar Upload
UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution...
Skuul School Management System has a Sensitive Data Exposure Vulnerability in Uploaded Images
A security vulnerability has been detected in yungifez Skuul School Management System up to 2.6.5. This issue affects some unknown processing of the file /user/profile of the component Image Handler. Such manipulation leads to information disclosure. The attack may be performed remotely. The...
CVE-2025-10295 Angel – Fashion Model Agency WordPress CMS Theme <= 3.2.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting
The Angel – Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2025-12862
A vulnerability was identified in projectworlds Online Notes Sharing Platform 1.0. Affected by this issue is some unknown functionality of the file /dashboard/userprofile.php. Such manipulation of the argument image leads to unrestricted upload. The attack may be performed remotely. The exploi...
CVE-2025-11398 SourceCodester Hotel and Lodge Management System Profile profile.php unrestricted upload
A weakness has been identified in SourceCodester Hotel and Lodge Management System 1.0. The impacted element is an unknown function of the file /profile.php of the component Profile Page. Executing manipulation of the argument image can lead to unrestricted upload. The attack may be launched...
EUVD-2005-0498
Malware in sbrugna...
EUVD-2022-52330
Malicious code in bioql PyPI...
CVE-2025-10083
A vulnerability was determined in SourceCodester Pet Grooming Management Software 1.0. Affected by this issue is some unknown functionality of the file /admin/profile.php. Executing manipulation can lead to unrestricted upload. The attack may be performed remotely. The exploit has been publicl...
CVE-2025-10083
SourceCodester Pet Grooming Management Software 1.0 contains an unrestricted file upload vulnerability in the /admin/profile.php endpoint. Exploitation is possible remotely and can lead to arbitrary file upload, with potential impact on confidentiality, integrity, and availability as indicated by...
PT-2025-36435
Name of the Vulnerable Software and Affected Versions: SourceCodester Pet Grooming Management Software version 1.0. Description: A vulnerability exists in SourceCodester Pet Grooming Management Software that allows for unrestricted file upload through manipulation of an unknown functionality withi...
CVE-2023-40050
Uploading a maliciously crafted profile, either through the API or the user interface, in Chef Automate prior to and including version 4.10.29 allows remote code execution via the InSpec check command...
CVE-2022-30423
Merchandise Online Store v1.0 by oretnom23 has an arbitrary code execution (RCE) vulnerability in the user profile upload point in the system information...
CVE-2025-3189 Stored Cross-Site Scripting (XSS) in DoWISP
Stored Cross-Site Scripting (XSS) in DoWISP in versions prior to 1.16.2.50, which consists of a stored XSS through the upload of a profile picture in SVG format with malicious JavaScript code in it...
CVE-2025-1593
A vulnerability classified as critical has been found in SourceCodester Best Employee Management System 1.0. This affects an unknown part of the file /hrsoft/assets/uploadImage/Profile/ of the component Profile Picture Handler. The manipulation leads to unrestricted upload. It is possible to...
CVE-2024-40513
CVE-2024-40513 affects themesebrand Chatvia v5.3.2. The vulnerability allows remote attackers to execute arbitrary code via the User profile Upload image function. Public details confirm impact and affected version; however, the exact root cause and exploit details are not provided in the documen...
PT-2024-15528 · Asus · Asus Rt-Ac86U +8
Name of the Vulnerable Software and Affected Versions: ASUS ExpertWiFi (affected versions not specified); ASUS RT-AX55 (affected versions not specified); ASUS RT-AX58U (affected versions not specified); ASUS RT-AC67U (affected versions not specified); ASUS RT-AC68R version...
CVE-2024-23734
Cross-Site Request Forgery vulnerability in the upload functionality of the User Profile pages in savignano S/Notify before 2.0.1 for Bitbucket allows attackers to replace S/MIME certificates or PGP keys for arbitrary users via a crafted link...