Lucene search
K

8 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:19 p.m.10 views

CVE-2026-5364

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the...

8.1CVSS5.9AI score0.0106EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/05/07 6:14 p.m.6 views

CVE-2026-42214

Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which...

7.8CVSS5.9AI score0.00242EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/05/07 6:14 p.m.11 views

EUVD-2026-28410

Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which...

7.8CVSS5.9AI score0.00242EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/05/07 6:14 p.m.13 views

CVE-2026-42214 Improper Control of Generation of Code ('Code Injection') in dail8859/NotepadNext

Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which...

7.8CVSS5.9AI score0.00242EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/05/07 12:0 a.m.17 views

PT-2026-38552

Name of the Vulnerable Software and Affected Versions Notepad Next versions prior to 0.14 Description The detectLanguageFromExtension function interpolates a file extension directly into a Lua script without sanitization. An attacker can craft a filename with an extension containing Lua code that...

7.8CVSS6AI score0.00242EPSS
Exploits1References11
CVE
CVE
added 2026/03/26 9:54 p.m.17 views

CVE-2026-33686

CVE-2026-33686 affects the Sharp Laravel package. Versions before 9.20.0 are vulnerable to a path traversal via the FileUtil::explodeExtension() function, which incorrectly sanitizes file extensions and can allow path separators to reach storage. The issue is resolved in 9.20.0 by using pathinfo(...

8.8CVSS5.7AI score0.00547EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/03/26 9:54 p.m.3 views

CVE-2026-33686 Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil

Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In...

8.8CVSS5.7AI score0.00547EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/25 12:0 a.m.13 views

PT-2026-28177

Name of the Vulnerable Software and Affected Versions Sharp versions prior to 9.20.0 Description The application does not properly sanitize file extensions, allowing path separators to be passed into the storage layer. The FileUtil::explodeExtension function in src/Utils/FileUtil.php extracts a...

8.8CVSS5.8AI score0.00547EPSS
Exploits0References8
Rows per page
Query Builder