11 matches found
CVE-2026-42845
The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, there is an unauthenticated page-content overwrite via file upload (GHSA-w4rc-p66m-x6qq). Public form uploads now strip path components from the POST-supplied filename and hard-block page-content extensions md, yaml...
PT-2026-6205
Name of the Vulnerable Software and Affected Versions: Open eClass versions prior to 4.2. Description: The Open eClass platform, previously known as GUnet eClass, is a course management system. A file upload validation bypass allows attackers to upload files with restricted extensions by including...
Improper Protection of Alternate Path
Overview: Affected versions of this package are vulnerable to Improper Protection of Alternate Path due to insufficient validation in attachment editing APIs. An attacker can upload files with restricted extensions by modifying the attachment name, leading to unauthorized file uploads and further...
Improper Protection of Alternate Path
Overview: Affected versions of this package are vulnerable to Improper Protection of Alternate Path due to insufficient validation in attachment editing APIs. An attacker can upload files with restricted extensions by modifying the attachment name, leading to unauthorized file uploads and further...
Improper Protection of Alternate Path
Overview: Affected versions of this package are vulnerable to Improper Protection of Alternate Path due to insufficient validation in attachment editing APIs. An attacker can upload files with restricted extensions by modifying the attachment name, leading to unauthorized file uploads and further...
Improper Protection of Alternate Path
Overview: Affected versions of this package are vulnerable to Improper Protection of Alternate Path due to insufficient validation in attachment editing APIs. An attacker can upload files with restricted extensions by modifying the attachment name, leading to unauthorized file uploads and further...
Improper Protection of Alternate Path
Overview: Affected versions of this package are vulnerable to Improper Protection of Alternate Path due to insufficient validation in attachment editing APIs. An attacker can upload files with restricted extensions by modifying the attachment name, leading to unauthorized file uploads and further...
CVE-2025-68939
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API...
ManageWiki Authorization Issue Vulnerability
ManageWiki is an open source extension for Miraheze. A license issue vulnerability exists in ManageWiki, which stems from improper extension management and could result in restricted extensions being automatically disabled...
Able to attach restricted files to Jira issues from Email
Issue Summary: From 9.15, admins can now restrict unwanted file extensions from being uploaded through issues. However, the restriction does not work when the attachment is sent via email. The files with restricted extensions are being uploaded to Jira issues. Reference: Restrict unwanted file...
CVE-2023-22937
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now be one of the following only: .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gzl...