CVE-2026-46489 SolidInvoice: Unrestricted file upload with no MIME validation allows stored XSS via malicious SVG logo
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into eve...
CVE-2026-27605
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading project logo files without validating the file type or content. It trusts the extension provided by the user...
CVE-2026-27605
CVE-2026-27605 affects Chartbrew before 4.8.4. The app allowed uploading logos without validating file type/content, trusting user-provided extensions and saving files to uploads/ for static serving. An attacker could upload an HTML file with malicious JavaScript, and since authentication tokens ...
Mattermost security vulnerability
Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. A security vulnerability exists in Mattermost that stems from an unvalidated upload type, which may allow a file of a type that is not a permitted attachment type to be uploaded. The following versions are affected: 10.8.3 and...
Kordil EDMS security vulnerability
Kordil EDMS is an open source electronic document management system from the Turkish company Kordil. The system supports features such as document management and document control. A security vulnerability exists in Kordil EDMS version v2.2.60rc3, which stems from the uploaded file type not being validated...
WordPress plugin WP-Property security vulnerability
WordPress WP-Property plugin is a real estate industry-specific plugin for the WordPress platform, which is mainly used to help users manage property listings, display listing information and attract potential customers. A file upload vulnerability exists in the WordPress WP-Property plugin, whic...
MeterSphere path traversal vulnerability
MeterSphere is an open source one-stop continuous testing platform. A path traversal vulnerability exists in MeterSphere versions prior to 2.5.1 that stems from allowing a user to upload a file without validating the filename, which could result in uploading the file to an...
CVE-2021-27459
A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The webserver of the affected products allows unvalidated files to be uploaded, which an attacker could utilize to execute arbitrary code...
rConfig code issue vulnerability
rConfig is an open source network configuration management utility. The vendor.crud.php file in rConfig version 3.9.4 has a code issue vulnerability that stems from improper validation in the file upload function; an attacker can upload a .php file containing arbitrary PHP...
AXIS M1033-W Code Execution Vulnerability (CNVD-2018-09671)
AXIS P1354 is a network camera product from Axis Sweden. AXIS P1354 with firmware version 5.90.1.1 has a security vulnerability that stems from the web page upload function not checking the file type. A remote attacker can exploit this vulnerability to upload a webshell and execute code...