CVE-2025-52207

PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory...

CVE-2021-32660

Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage's TechDocs. In versions of @backstage/tehdocs-common prior to 0.6.4, a malicious internal actor is able to upload documentation content with malicious scripts. These...

CVE-2020-11629

An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. The External Command Certificate Validator, which allows administrators to upload external linters to validate certificates, is supposed to save uploaded test certificates to the server. An attacker who has gained access to...

CVE-2020-9380

IPTV Smarters WEB TV PLAYER through 2020-02-22 allows attackers to execute OS commands by uploading a script...

CVE-2020-5844

index.php?sec=godmode/extensions&sec2;=extensions/filesrepo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742FIXPERL2020...

CVE-2019-9189

Prima Systems FlexAir, Versions 2.4.9api3 and prior. The application allows the upload of arbitrary Python scripts when configuring the main central controller. These scripts can be immediately executed because of root code execution, not as a web server user, allowing an authenticated attacker t...

CVE-2019-13464

An issue was discovered in OWASP ModSecurity Core Rule Set CRS 3.0.2. Use of X.Filename instead of XFilename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid...

CVE-2019-10390

A sandbox bypass vulnerability in Jenkins Splunk Plugin 1.7.4 and earlier allowed attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM...

Mautic Arbitrary File Upload Vulnerability

Mautic is an open source marketing automation application. An arbitrary file upload vulnerability exists in Mautic versions prior to 5.2.3, which stems from insufficient validation of uploaded file extensions and improper handling of file paths. An attacker can exploit this vulnerability to uploa...

CVE-2025-21624

ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 239, a file upload vulnerability exists in the Manage Playlist functionality of the application, specifically surrounding the uploading of playlist cover images. Without proper checks, an attacker can upload a PHP script...

CVE-2024-48123

An issue in the USB Autorun function of HI-SCAN 6040i Hitrax HX-03-19-I allows attackers to execute arbitrary code via uploading a crafted script from a USB device...

CVE-2025-21624

ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 239, a file upload vulnerability exists in the Manage Playlist functionality of the application, specifically surrounding the uploading of playlist cover images. Without proper checks, an attacker can upload a PHP script...

CVE-2025-21624

CVE-2025-21624 affects ClipBucket V5 prior to 5.5.1-239. The issue is an improper validation in the Manage Playlist file upload that allows uploading a PHP script instead of an image, enabling remote code execution (webshell) in both admin and user areas. The vulnerability is fixed in version 5.5...

CVE-2024-47946

The CVE-2024-47946 issue affects Image Access Scan2Net software. Descriptions across sources state that remote code execution is possible when an attacker with a valid Poweruser session uploads specially crafted valid PNG files containing injected PHP content as desktop backgrounds or lock screen...

PT-2024-34560 · Unknown · Anuj Kumar'S Boat Booking System

Name of the Vulnerable Software and Affected Versions: Anuj Kumar's Boat Booking System version 1.0 Description: The issue allows local attackers to upload a malicious PHP script via the Image Upload Mechanism parameter in the change-image.php file. This enables attackers to potentially execute...

PHPGurukul Boat Booking System 安全漏洞

PHPGurukul Boat Booking System is a boat booking system from PHPGurukul. A security vulnerability exists in version 1.0 of the PHPGurukul Boat Booking System, which stems from an Image Upload Mechanism parameter in change-image.php that allows a local attacker to upload malicious PHP scripts...

PT-2024-21656 · Unknown · Soplanning

Name of the Vulnerable Software and Affected Versions: SO Planning versions prior to 1.52.02 Description: A Remote Code Execution RCE vulnerability is found in the SO Planning online planning tool. If the public view setting is enabled, an attacker can upload a PHP-file that will be available for...

PT-2024-26230 · Unknown · Itsourcecode Payroll Management System

Name of the Vulnerable Software and Affected Versions: Sourcecodester Payroll Management System version 1.0 Description: The issue allows an unauthenticated attacker to upload a malicious PHP file via the "save settings" page, which is intended for image uploads. This can lead to the execution of...

D-Link DAR-7000-40 Command Execution Vulnerability

The D-Link DAR-7000-40 is an Internet Behavior Audit Gateway from China AUO D-Link. The D-Link DAR-7000-40 suffers from a command execution vulnerability, which is caused by incorrect validation of file extensions in the interface/sysmanage/license authorization.php script. An attacker can exploi...

CVE-2024-25994 PHOENIX CONTACT: Unintended script file upload in CHARX Series

An unauthenticated remote attacker can upload a arbitrary script file due to improper input validation. The upload destination is fixed and is write only...