59 matches found
EUVD-2023-54662
Malicious code in bioql PyPI...
EUVD-2025-22018
Malicious code in bioql PyPI...
Academico 代码问题漏洞
Academico is a Lavarel-based elementary and middle school school management platform from Academico Open Source. Academico has a code issue vulnerability that stems from a missing upload restriction in the file/edit-photo function, which could lead to a remote upload attack...
CVE-2025-50848
A file upload vulnerability was discovered in CS Cart 4.18.3, allows attackers to execute arbitrary code. CS Cart 4.18.3 allows unrestricted upload of HTML files, which are rendered directly in the browser when accessed. This allows an attacker to upload a crafted HTML file containing malicious...
CVE-2025-47187
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 R6.4.0.4006, and the 6970 Conference Unit through 6.4 SP4 R6.4.0.4006 or version V1 R0.1.0, could allow an unauthenticated attacker to perform a file upload attack due to missing authentication...
CVE-2025-47187
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 R6.4.0.4006, and the 6970 Conference Unit through 6.4 SP4 R6.4.0.4006 or version V1 R0.1.0, could allow an unauthenticated attacker to perform a file upload attack due to missing authentication...
Mitel 6800 Series、Mitel 6900 Series和Mitel 6900w Series 安全漏洞
Mitel 6800 Series and others are a series of telephones from the Canadian company Mindy Mitel. A security vulnerability exists in the Mitel 6800 Series, Mitel 6900 Series, and Mitel 6900w Series that stems from a lack of an authentication mechanism that could lead to a file upload attack...
CVE-2025-47187
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 R6.4.0.4006, and the 6970 Conference Unit through 6.4 SP4 R6.4.0.4006 or version V1 R0.1.0, could allow an unauthenticated attacker to perform a file upload attack due to missing authentication...
CVE-2025-47187
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 R6.4.0.4006, and the 6970 Conference Unit through 6.4 SP4 R6.4.0.4006 or version V1 R0.1.0, could allow an unauthenticated attacker to perform a file upload attack due to missing authentication...
CVE-2025-5322
The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the doupdatecar and createcar functions in all versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with...
Mattermost allows authenticated users to write files to arbitrary locations
Mattermost versions 10.5.x = 10.5.5, 9.11.x = 9.11.15, 10.8.x = 10.8.0, 10.7.x = 10.7.2, 10.6.x = 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequence...
CVE-2025-6108 hansonwang99 Spring-Boot-In-Action File Upload ImageUploadService.java watermarkTest path traversal
A vulnerability was found in hansonwang99 Spring-Boot-In-Action up to 807fd37643aa774b94fd004cc3adbd29ca17e9aa. It has been declared as critical. Affected by this vulnerability is the function watermarkTest of the file...
PT-2025-23159 · Huocms · Huocms
Name of the Vulnerable Software and Affected Versions: HuoCMS versions 3.5.1 and earlier Description: The issue allows attackers to take control of the target server through file upload. Recommendations: For HuoCMS versions 3.5.1 and earlier, at the moment, there is no information about a newer...
CVE-2022-30289
A stored Cross-site Scripting XSS vulnerability was identified in the Data Import functionality of OpenCTI through 5.2.4. An attacker can abuse the vulnerability to upload a malicious file that will then be executed by a victim when they open the file location...
CVE-2022-25242
In FileCloud before 21.3, file upload is not protected against Cross-Site Request Forgery CSRF...
CVE-2020-13443
ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions. A user with low privileges member is able to upload this. It is possible to bypass the MIME type check and file-extension check...
CVE-2025-25016
Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the creation and upload of a customized GGUF model file. An attacker can cause the server to allocate unlimited memory, leading to system unavailability by uploading a...
GHSA-5CPQ-9538-JM2J Gradio DOS in multipart boundry while uploading the file
A vulnerability in the file upload process of gradio-app/gradio version @gradio/[email protected] allows for a Denial of Service DoS attack. An attacker can append a large number of characters to the end of a multipart boundary, causing the system to continuously process each character and issue...
CVE-2024-8018 Denial of Service (DOS) in imartinez/privategpt
A vulnerability in imartinez/privategpt version 0.5.0 allows for a Denial of Service DOS attack. When uploading a file, if an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process these characters, rendering privateGPT inaccessible...