86 matches found

Veracode
added 2026/01/22 8:27 a.m. | 4 views

Path Traversal

mindsdb is vulnerable to a path traversal. The vulnerability is due to improper handling of user-controlled file paths in the file upload API when JSON requests are used, which allows an unauthenticated attacker to exploit directory traversal and read arbitrary files from the server filesystem an...

CVSS 9.1 | AI score 6 | EPSS 0.19213
Exploits: 2 | References: 5 | Affected Software: 1

NVD
added 2026/01/21 6:16 p.m. | 7 views

CVE-2021-47746

NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitrary system locations through the emoji upload API. Attackers with admin access can craft file upload requests with directory traversal to overwrite system files by...

CVSS 8.6 | EPSS 0.00664
Exploits: 0 | References: 4

NVD
added 2026/01/12 5:15 p.m. | 2 views

CVE-2025-68472

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PU...

CVSS 9.1 | EPSS 0.19213
Exploits: 2 | References: 2

OSV
added 2026/01/12 5:15 p.m. | 6 views

PYSEC-2026-90

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PU...

CVSS 9.1 | AI score 5.9 | EPSS 0.19213
Exploits: 2 | References: 2

Github Security Blog
added 2026/01/12 4:10 p.m. | 7 views

MindsDB has improper sanitation of filepath that leads to information disclosure and DOS

Summary: BlueRock discovered an unauthenticated path traversal in the file upload API that lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. Details: The PUT handler in file.py directly joins user-controlled data into a...

CVSS 9.1 | AI score 5.9 | EPSS 0.19213
Exploits: 2 | References: 6 | Affected Software: 1

CNNVD
added 2026/01/12 12:0 a.m. | 2 views

MindsDB Security Vulnerability

MindsDB is an emerging low-code machine learning platform from MindsDB, Inc. A security vulnerability exists in MindsDB versions prior to 25.11.1, which stems from user-controlled data in the File Upload API being spliced directly to a file system path, potentially leading to a path traversal...

CVSS 9.1 | AI score 6.5 | EPSS 0.19213
Exploits: 2 | References: 1

GithubExploit
added 2026/01/09 8:29 p.m. | 231 views

Exploit for Missing Authorization in Givewp

CVE-2025-2025-52691-SmarterMail-Exp Environment Setup S...

CVSS 7.5 | AI score 7.2 | EPSS 0.00583
Exploits: 1

CNNVD
added 2025/12/15 12:0 a.m. | 2 views

WeKan Security Vulnerability

WeKan is an open-source Kanban application. A security vulnerability exists in WeKan version 18.15 and earlier, which stems from the Attachment Upload API treating the Authorization bearer value as a userId, which could lead to application-level denial of service and identity spoofi...

CVSS 8.2 | AI score 6.5 | EPSS 0.00294
Exploits: 0 | References: 5

Cvelist
added 2025/12/09 7:37 p.m. | 20 views

CVE-2025-66214 Ladybug has an XMLDecoder Deserialization Vulnerability (Java RCE)

Ladybug adds message-based debugging, unit, system, and regression testing to Java applications. Versions prior to 3.0-20251107.114628 contain the APIs /iaf/ladybug/api/report/storage and /iaf/ladybug/api/report/upload, which allow uploading gzip-compressed XML files with user-controllable conten...

CVSS 7 | EPSS 0.00271
Exploits: 1 | References: 1

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2018-0794

Malware in sbrugna...

CVSS 7.5 | AI score 7.6 | EPSS 0.00713
Exploits: 0 | References: 6

EUVD
added 2025/10/03 8:7 p.m. | 4 views

EUVD-2025-12818

Malicious code in bioql PyPI...

CVSS 5.5 | AI score 5.7 | EPSS 0.00534
Exploits: 1 | References: 5

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2023-25807

Malicious code in bioql PyPI...

CVSS 7.8 | AI score 7.6 | EPSS 0.00109
Exploits: 0 | References: 1

OSV
added 2025/08/29 4:41 p.m. | 3 views

GHSA-W469-HJ2F-JPR5 Harness Allows Arbitrary File Write in Gitness LFS server

Impact: Open Source Harness git LFS server Gitness exposes an API to retrieve and upload files via git LFS. The implementation of the upload git LFS file API is vulnerable to arbitrary file write. Due to improper sanitization of the upload path, a malicious authenticated user who has access to Harness Gitness...

CVSS 8.8 | AI score 7.2 | EPSS 0.00459
Exploits: 0 | References: 4

Positive Technologies
added 2025/06/03 12:0 a.m. | 2 views

PT-2025-23639

Name of the Vulnerable Software and Affected Versions: quequnlong shiyi-blog versions up to 1.2.1. Description: A critical issue has been discovered, affecting an unknown part of the file /api/file/upload. The manipulation of the file/source argument leads to path traversal. This issue can be...

CVSS 9.8 | AI score 6.2 | EPSS 0.00586
Exploits: 1 | References: 9

RedhatCVE
added 2025/05/23 1:56 a.m. | 10 views

CVE-2023-47464

Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 before 4.5.0 allows a remote attacker to execute arbitrary code via the upload API function...

CVSS 8.8 | AI score 7.9 | EPSS 0.22593
Exploits: 2 | References: 1

RedhatCVE
added 2025/05/22 4:14 a.m. | 13 views

CVE-2019-10719

BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714...

CVSS 9.8 | AI score 7.6 | EPSS 0.31725
Exploits: 15 | References: 1

RedhatCVE
added 2025/05/03 10:11 p.m. | 20 views

CVE-2025-4178

A vulnerability was found in xiaowei1118 javaserver up to 11a5bac8f4ba1c17e4bc1b27cad6d24868500e3a on Windows and classified as critical. This issue affects some unknown processing of the file /src/main/java/com/changyu/foryou/controller/FoodController.java of the component File Upload API. The...

CVSS 5.5 | AI score 7.3 | EPSS 0.00534
Exploits: 1 | References: 1

OSV
added 2025/05/01 10:15 p.m. | 3 views

CVE-2025-4178

A vulnerability was found in xiaowei1118 javaserver up to 11a5bac8f4ba1c17e4bc1b27cad6d24868500e3a on Windows and classified as critical. This issue affects some unknown processing of the file /src/main/java/com/changyu/foryou/controller/FoodController.java of the component File Upload API. The...

CVSS 5.4 | AI score 5.3 | EPSS 0.00534
Exploits: 1 | References: 4

NVD
added 2025/05/01 10:15 p.m. | 11 views

CVE-2025-4178

A vulnerability was found in xiaowei1118 javaserver up to 11a5bac8f4ba1c17e4bc1b27cad6d24868500e3a on Windows and classified as critical. This issue affects some unknown processing of the file /src/main/java/com/changyu/foryou/controller/FoodController.java of the component File Upload API. The...

CVSS 5.5 | EPSS 0.00534
Exploits: 1 | References: 4

Vulnrichment
added 2025/05/01 10:0 p.m. | 9 views

CVE-2025-4178 xiaowei1118 java_server File Upload API FoodController.java path traversal

A vulnerability was found in xiaowei1118 javaserver up to 11a5bac8f4ba1c17e4bc1b27cad6d24868500e3a on Windows and classified as critical. This issue affects some unknown processing of the file /src/main/java/com/changyu/foryou/controller/FoodController.java of the component File Upload API. The...

CVSS 5.5 | AI score 5.6 | EPSS 0.00534
Exploits: 1 | References: 4