Astra Linux - vulnerability in velocity
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache...
Incomplete List of Disallowed Inputs
Overview Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the getApiToken method when rendering invoice templates via the Twig sandbox environment. An attacker can access hashed API tokens of users by embedding calls to this method in a custom invoice...
CVE-2025-51650
An arbitrary file upload vulnerability in the component /controller/PicManager.php of FoxCMS v1.2.6 allows attackers to execute arbitrary code via uploading a crafted template file...
PT-2025-7139 · Q Free · Q-Free Maxtime
Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions less than or equal to 2.11.0 Description: The issue allows an authenticated remote attacker to upload malicious files via crafted HTTP requests due to an unrestricted upload of files with dangerous types in the templat...
CVE-2022-47928
In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/uploadfile.ctp...
PT-2022-28090 · Misp · Misp
Name of the Vulnerable Software and Affected Versions: MISP versions prior to 2.4.167 Description: The issue is related to Cross-Site Scripting (XSS) in the template file uploads, specifically in the app/View/Templates/uploadfile.ctp file. This allows for malicious script execution. Recommendation...
jpress code issue vulnerability
Jpress is a blogging platform developed by the Jpress team in the Java language. A security vulnerability exists in jpress that allows RCE attacks via io.jpress.web.admin. Attackers can exploit this vulnerability by uploading templates and injecting malicious code...