15 matches found
PT-2026-52609
Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.6 Description An arbitrary file read issue exists where the chatId parameter in the '/api/v1/get-upload-file' and '/api/v1/openai-assistants-file/download' endpoints is not validated. This value is passed to the...
CVE-2026-41911
OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit uploadfile and uploadimage endpoints to access files beyond the intended workspace-only filesystem policy...
EUVD-2026-26117
OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit uploadfile and uploadimage endpoints to access files beyond the intended workspace-only filesystem policy...
Arbitrary File Upload
pytorch-lightning is vulnerable to Arbitrary File Upload. The vulnerability is due to improper validation of filenames in the /api/v1/uploadfile/ endpoint, which allows an attacker to overwrite arbitrary files and potentially execute malicious code...
CVE-2025-63228
The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains an unauthenticated file upload vulnerability in the /uploadfile.php endpoint. An attacker can exploit this by sending a crafted POST request with a malicious file e.g., a PHP webshell to the server. The uploade...
WordPress plugin Alex Reservations: Smart Restaurant Booking 代码问题漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A code issue...
EUVD-2024-31751
Malicious code in bioql PyPI...
PT-2025-36965
Name of the Vulnerable Software and Affected Versions: FTP-Flask-python versions through 5173b68 Description: A command injection issue exists in FTP-Flask-python. The /ftp.html endpoint’s "Upload File" action constructs a shell command from the ftp file parameter and executes it using os.system...
CVE-2025-55583
Affected product: D-Link DIR-868L B1 router with firmware FW2.05WWB02. Vulnerability: unauthenticated OS command injection in fileaccess.cgi; endpoint /dws/api/UploadFile passes pre_api_arg directly to system-level shell without sanitization/authentication. Impact: remote command execution as roo...
VulnCheck KEV: CVE-2025-34046
An unauthenticated file upload vulnerability exists in the Fanwei E-Office = v9.4 web management interface. The vulnerability affects the /general/index/UploadFile.php endpoint, which improperly validates uploaded files when invoked with certain parameters uploadType=eofficelogo or...
CVE-2024-3153
mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service DOS condition. Specifically, the server can be shut down by sending an invalid upload request. An attacker with the ability to upload documents...
Arbitrary File Upload
Overview pytorch-lightning is a lightweight PyTorch wrapper for ML researchers. Scale your models. Write less boilerplate. Affected versions of this package are vulnerable to Arbitrary File Upload via the LightningApp when running on a Windows host at the /api/v1/uploadfile/ endpoint. An attacker...
PT-2024-37828 · Nanjing Xingyuantu Technology · Sparkshop
Name of the Vulnerable Software and Affected Versions: Nanjing Xingyuantu Technology SparkShop versions up to 1.1.6 Description: A critical issue affects the processing of the file "/api/Common/uploadFile". The manipulation of the file argument leads to unrestricted upload. The attack can be...
CVE-2024-3153 Uncontrolled Resource Consumption in mintplex-labs/anything-llm
mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service DOS condition. Specifically, the server can be shut down by sending an invalid upload request. An attacker with the ability to upload documents...
CVE-2024-3153
CVE-2024-3153 affects mintplex-labs/anything-llm. An uncontrolled resource consumption vulnerability exists in the upload file endpoint, enabling a denial of service by sending an invalid upload request. Documented impact is DOS with availability impact described; no official fix/version is provi...