30 matches found
PT-2026-5840
Vulnerable software and affected versions: School ERP Pro version 1.0. Description: School ERP Pro 1.0 has a file upload issue that permits students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts via the message attachment feature, leadi...
GHSA-9G95-48C6-R778 Livewire Filemanager does not restrict uploaded file types
Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup proce...
CVE-2022-50898 NanoCMS 0.4 - Remote Code Execution (RCE) (Authenticated)
NanoCMS 0.4 contains an authenticated file upload vulnerability that allows remote code execution through unvalidated page content creation. Authenticated attackers can upload PHP files with arbitrary code to the server's pages directory by exploiting the page creation mechanism without proper...
CVE-2007-4913
ips_kernel/class_upload.php in Invision Power Board (IPB or IP.Board) 2.3.1 up to 20070912 allows remote attackers to upload arbitrary script files with crafted image filenames to uploads/, where they are saved with a .txt extension and are not executable. NOTE: there are limited usage scenarios unde...
CVE-2023-4226
Unrestricted file upload in /main/inc/ajax/work.ajax.php in Chamilo LMS <= v1.11.24 allows authenticated attackers with the learner role to obtain remote code execution via uploading of PHP files...
CVE-2020-36877 ReQuest Serious Play F3 Media Server <= 7.0.3 code execution
ReQuest Serious Play F3 Media Server 7.0.3 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands as the web server user. Attackers can upload PHP executable files via the Quick File Uploader page, resulting in remote code execution on...
Linux Distros Unpatched Vulnerability : CVE-2019-13464
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in OWASP ModSecurity Core Rule Set CRS 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because P...
CVE-2012-10054
Umbraco CMS
CVE-2024-57784
An issue in the component /php/script_uploads.php of Zenitel AlphaWeb XE v11.2.3.10 allows attackers to execute a directory traversal...
CVE-2025-21624 ClipBucket V5 Playlist Cover File Upload to Remote Code Execution
ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 239, a file upload vulnerability exists in the Manage Playlist functionality of the application, specifically surrounding the uploading of playlist cover images. Without proper checks, an attacker can upload a PHP script...
PHOENIX CONTACT CHARX SEC Input Validation Error Vulnerability
PHOENIX CONTACT CHARX SEC is a series of AC charge controllers from PHOENIX CONTACT, Germany. An input validation error vulnerability exists in PHOENIX CONTACT CHARX SEC-3000 versions prior to v1.5.1. The vulnerability stems from improper input validation, which allows an unauthenticated, remote...
CVE-2023-4819
The Shared Files WordPress plugin before 1.7.6 does not return the right Content-Type header for the specified uploaded file. Therefore, an attacker can upload an allowed file extension injected with malicious scripts...
DedeCMS Code Issue Vulnerability
DedeCMS (Dream Weaving Content Management System) from Desdev (Zhuozhuo Network, China) is a PHP-based open-source content management system (CMS). The system provides content publishing, content management, content editing and content retrieval functions. A code issue vulnerability exists in...
Authorization Bypass
modsecurity-crs:buster is vulnerable to Authorization Bypass. Use of X.Filename instead of X_Filename by an attacker may allow bypassing some PHP script uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid...
keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console
A flaw was found in keycloak. The vulnerability allows arbitrary JavaScript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled...
Sourcecodester Customer Relationship Management System Code Issue Vulnerability
Sourcecodester Customer Relationship Management System is an open-source PHP project by the individual developer Carlo Montero that provides an online platform for companies to manage interactions with their customers and prospects. A file upload vulnerability exists in Sourcecodester Customer...
CVE-2021-33698
SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files including script files without the proper file format validation...
SAP NetWeaver Product Code Issue Vulnerability
SAP NetWeaver is a service-oriented integrated application platform from the German company SAP. The platform provides a development and runtime environment for SAP applications. A file upload vulnerability exists in SAP NetWeaver that stems from allowing an attacker to upload any file...
CVE-2020-13887
documents_add.php in Kordil EDMS through 2.2.60rc3 allows Remote Command Execution because .php files can be uploaded to the documents folder...
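Nearly every entry above is the same defect: an upload handler that keeps the client-supplied filename, skips extension and content checks, and writes into a directory the web server will execute (Livewire Filemanager, Kordil EDMS, NanoCMS, School ERP Pro), or that serves the stored file with the wrong Content-Type (Shared Files, CVE-2023-4819). The IPB entry (CVE-2007-4913) shows the mitigation that saved it: the file was renamed to a .txt extension and was not executable. The following is an added example, not code from any of the listed projects, showing the vulnerable pattern beside a hardened handler. The field name `attachment`, the paths `/var/www/html` and `/var/www/uploads`, and the function names are hypothetical.

```php
<?php
// Added example; not from any project listed on this page. Paths, the
// $_FILES field name and all function names are assumptions.

// --- Vulnerable form: the pattern behind the RCE entries above ---
function save_upload_vulnerable(array $file): string
{
    // Client filename trusted, destination under the document root, no type
    // check: "shell.php" becomes /uploads/shell.php and executes on request.
    $dest = '/var/www/html/uploads/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- Hardened form ---
const UPLOAD_DIR = '/var/www/uploads';   // assumed: outside the document root
const MAX_BYTES  = 5 * 1024 * 1024;

// Allowlist of extension => the only MIME type accepted for it. A denylist of
// ".php" alone misses .phtml, .phar, .php7, .htaccess and similar.
const ALLOWED = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'pdf'  => 'application/pdf',
];

function save_upload_hardened(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Extension taken from the client name only to pick an allowlist entry;
    //    the client name is never reused (see step 4), so "x.php.png" cannot
    //    smuggle a second extension onto disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. MIME type sniffed from the bytes on disk, never from $_FILES['type'],
    //    which is just the attacker-controlled Content-Type of the multipart part.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content ($mime) does not match extension .$ext");
    }

    // 3. Images must actually decode; a PHP payload behind a forged PNG header
    //    fails here even if it fooled finfo.
    if (str_starts_with($mime, 'image/') && @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // 4. Server-generated name (no traversal, no attacker-chosen extension),
    //    stored outside the web root so no URL maps to it, non-executable mode.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $name;   // persist this id; the original name is display data only
}

// Serving: stream through PHP with a Content-Type fixed by the stored
// extension (the CVE-2023-4819 failure) and nosniff, so a browser never
// interprets an uploaded "image" as HTML or script.
function serve_upload(string $name, string $displayName): void
{
    if (!preg_match('/^[a-f0-9]{32}\.([a-z]+)$/', $name, $m) || !isset(ALLOWED[$m[1]])) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($displayName));
    header('Content-Type: ' . ALLOWED[$m[1]]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

The three controls that matter most are the allowlist (step 1), content checks on the bytes rather than on client-supplied metadata (steps 2 and 3), and storage under a server-chosen name outside anything the web server executes (step 4); the serving function closes the Content-Type gap so an allowed extension carrying HTML or JavaScript cannot be rendered inline. If uploads must stay under the document root, the same effect needs a web-server rule that disables script execution for that directory, which the renamed-to-.txt behaviour in the IPB entry approximates.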