
303 matches found

RedhatCVE
added 2026/04/03 3:21 p.m. | 3 views

CVE-2026-26477

A flaw was found in Dokuwiki. A remote attacker can exploit this vulnerability by utilizing the mediauploadxhr function within the media.php file. This can lead to a denial of service (DoS)...

7.5 CVSS | 5.9 AI score | 0.00051 EPSS
Exploits: 1 | References: 2

UbuntuCve
added 2026/04/03 3:16 p.m. | 3 views

CVE-2026-26477

An issue in Dokuwiki v.2025-05-14b "Librarian" 56.2 allows a remote attacker to cause a denial of service via the mediauploadxhr function in the media.php file...

7.5 CVSS | 5.8 AI score | 0.00051 EPSS
Exploits: 1 | References: 2

EUVD
added 2026/03/23 3:30 p.m. | 2 views

EUVD-2026-14423

A vulnerability was found in CodePhiliaX Chat2DB up to 0.3.7. This affects the function Upload of the file chat2db-server/chat2db-server-web/chat2db-server-web-api/src/main/java/ai/chat2db/server/web/api/controller/driver/JdbcDriverController.java of the component JDBC Driver Upload. Performing a...

6.5 CVSS | 5.3 AI score | 0.0005 EPSS
Exploits: 0 | References: 5

Positive Technologies
added 2026/03/23 12:0 a.m. | 2 views

PT-2026-27119

A vulnerability was found in CodePhiliaX Chat2DB up to 0.3.7. This affects the function Upload of the file chat2db-server/chat2db-server-web/chat2db-server-web-api/src/main/java/ai/chat2db/server/web/api/controller/driver/JdbcDriverController.java of the component JDBC Driver Upload. Performing a...

6.5 CVSS | 6.1 AI score | 0.0005 EPSS
Exploits: 0 | References: 5

Vulnrichment
added 2026/03/16 12:32 a.m. | 2 views

CVE-2026-4201 glowxq glowxq-oj SysFileController.java upload unrestricted upload

A weakness has been identified in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This vulnerability affects the function Upload of the file business/business-system/src/main/java/com/glowxq/system/admin/controller/SysFileController.java. Executing a manipulation can lead to...

7.5 CVSS | 6.7 AI score | 0.00057 EPSS
Exploits: 0 | References: 4

CNNVD
added 2026/03/16 12:0 a.m. | 2 views

glowxq-oj code issue vulnerability

Glowxq-OJ is an online problem-solving system developed by Glowxq’s individual developers, which supports multi-language evaluations and engaging programming activities. There are code vulnerabilities in Glowxq-OJ. These vulnerabilities stem from incorrect operations related to the function Uploa...

7.5 CVSS | 7.2 AI score | 0.00057 EPSS
Exploits: 0 | References: 4

Cvelist
added 2026/03/07 11:32 p.m. | 39 views

CVE-2026-3683 bufanyun HotGo Endpoint upload.go ImageTransferStorage server-side request forgery

A vulnerability was detected in bufanyun HotGo up to 2.0. This issue affects the function ImageTransferStorage of the file /server/internal/logic/common/upload.go of the component Endpoint. The manipulation results in server-side request forgery. The attack may be launched remotely. The exploit i...

6.5 CVSS | 0.0005 EPSS
Exploits: 0 | References: 4

Vulnrichment
added 2026/02/19 3:25 a.m. | 4 views

CVE-2025-12500 Checkout Field Manager (Checkout Manager) for WooCommerce <= 7.8.1 - Unauthenticated Limited File Upload

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the...

5.3 CVSS | 5.5 AI score | 0.00105 EPSS
Exploits: 0 | References: 5

CNNVD
added 2026/02/18 12:0 a.m. | 4 views

Base Admin code issue vulnerability

Base Admin is a backend management system developed by huanzi-qch as an individual developer. Base Admin has code-related vulnerabilities; these vulnerabilities stem from incorrect handling of the File parameter in the Upload function within the SysFileController.java file, which could lead to th...

6.5 CVSS | 6.7 AI score | 0.00021 EPSS
Exploits: 0 | References: 6

CVE
added 2026/02/16 1:2 p.m. | 7 views

CVE-2026-2557

CVE-2026-2557 affects cskefu up to 8.0.1. The vulnerability is in the Upload function of MediaController.java (package com/cskefu/cc/controller/resource/MediaController.java) where the file upload path allows cross-site scripting. The issue is triggered remotely and exploit code is public (PoC). ...

5.4 CVSS | 3.9 AI score | 0.00036 EPSS
Exploits: 1 | References: 4 | Affected Software: 1

Positive Technologies
added 2026/02/16 12:0 a.m. | 3 views

PT-2026-8344

A vulnerability was detected in cskefu up to 8.0.1. Impacted is the function Upload of the file com/cskefu/cc/controller/resource/MediaController.java of the component File Upload. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and...

5.1 CVSS | 3.9 AI score | 0.00036 EPSS
Exploits: 1 | References: 4

CVE
added 2026/01/28 8:29 p.m. | 9 views

CVE-2026-24767

NocoDB CVE-2026-24767 describes a blind SSRF in uploadViaURL prior to version 0.301.0, where an unprotected HEAD request during metadata retrieval can trigger outbound requests before SSRF controls apply. The vulnerability affects the metadata stage of uploadViaURL, with the subsequent file fetch...

6.4 CVSS | 5.9 AI score | 0.00015 EPSS
Exploits: 1 | References: 1 | Affected Software: 1

Cvelist
added 2026/01/28 8:29 p.m. | 27 views

CVE-2026-24767 NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the uploadViaURL functionality due to an unprotected HEAD request. While the subsequent file retrieval logic correctly enforces SSRF protections, t...

4.9 CVSS | 0.00015 EPSS
Exploits: 1 | References: 1

RedhatCVE
added 2026/01/24 3:17 a.m. | 4 views

CVE-2025-70457

A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save...

9.8 CVSS | 6.1 AI score | 0.00305 EPSS
Exploits: 1 | References: 1

CNNVD
added 2026/01/17 12:0 a.m. | 1 view

TMS code-related vulnerabilities

TMS is a channel-based team communication and collaboration tool developed by Weicheng’s individual developers, along with a lightweight task board. Versions of TMS 2.28.0 and earlier contained code vulnerabilities. These vulnerabilities stemmed from incorrect handling of the parameter filename i...

9.8 CVSS | 6.7 AI score | 0.00021 EPSS
Exploits: 1 | References: 5

CNNVD
added 2026/01/12 12:0 a.m. | 1 view

Gin-vue-admin code issue vulnerability

Gin-Vue-Admin is an open-source full-stack base development platform from flipped-aurora, built on Vue and Gin. Gin-vue-admin v2.8.7 and earlier versions contain a code issue vulnerability; the vulnerability stems from the existence of path traversal in the upload function of...

8.6 CVSS | 6.9 AI score | 0.00655 EPSS
Exploits: 1 | References: 2

RedhatCVE
added 2026/01/09 12:37 p.m. | 2 views

CVE-2023-50639

Cross Site Scripting (XSS) vulnerability in CuteHttpFileServer v.1.0 and v.2.0 allows attackers to obtain sensitive information via the file upload function in the home page...

5.4 CVSS | 5.7 AI score | 0.00092 EPSS
Exploits: 0 | References: 1

RedhatCVE
added 2026/01/09 12:33 p.m. | 8 views

CVE-2023-31708

A Cross-Site Request Forgery (CSRF) in EyouCMS v1.6.2 allows attackers to execute arbitrary commands via supplying a crafted HTML file to the Upload software format function...

4.3 CVSS | 7.7 AI score | 0.00163 EPSS
Exploits: 1 | References: 1

CVE
added 2026/01/08 2:21 a.m. | 8 views

CVE-2025-12640

CVE-2025-12640 concerns the WordPress plugin Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager. According to Wordfence, versions up to 3.1.5 are affected by an unauthorized arbitrary media replacement vulnerability caused by missing object-level authorizati...

4.3 CVSS | 5.5 AI score | 0.00048 EPSS
Exploits: 0 | References: 2

NVD
added 2026/01/05 1:15 a.m. | 2 views

CVE-2025-15448

A vulnerability was found in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. This impacts the function Upload of the file src/main/java/com/macro/mall/controller/MinioController.java. The manipulation results in unrestricted upload. It is possible to launch the attack...

9.8 CVSS | 0.00032 EPSS
Exploits: 1 | References: 4