303 matches found
Arbitrary File Upload
Overview: Affected versions of this package are vulnerable to Arbitrary File Upload via the upload function configuration. An attacker can write arbitrary files with any extension to any location on the target server by uploading crafted files. Remediation: There is no fixed version for...
CVE-2025-55383
Moss before v0.15 has a file upload vulnerability. The "upload" function configuration allows attackers to upload files of any extension to any location on the target server...
CVE-2025-8841
A vulnerability was identified in zlt2000 microservices-platform up to 6.0.0. Affected by this vulnerability is the function Upload of the file zlt-business/file-center/src/main/java/com/central/file/controller/FileController.java. The manipulation leads to unrestricted upload. The attack can be...
CVE-2025-8841
CVE-2025-8841 affects zlt2000 microservices-platform up to version 6.0.0. The vulnerability resides in the Upload function of zlt-business/file-center/src/main/java/com/central/file/controller/FileController.java and enables unrestricted file uploads. Attack can be launched remotely, and public d...
CVE-2025-8750 macrozheng mall Add Product Page upload cross site scripting
A vulnerability has been found in macrozheng mall up to 1.0.3 and classified as problematic. Affected by this vulnerability is the function Upload of the file /minio/upload of the component Add Product Page. The manipulation of the argument File leads to cross site scripting. The attack can be...
CVE-2025-6282
A vulnerability was found in xlang-ai OpenAgents up to ff2e46440699af1324eb25655b622c4a131265bb and classified as critical. Affected by this issue is the function createuploadfile of the file backend/api/file.py. The manipulation leads to path traversal. The exploit has been disclosed to the publ...
PT-2025-26246 · Unknown · Xlang-Ai Openagents
Name of the Vulnerable Software and Affected Versions: xlang-ai OpenAgents versions up to ff2e46440699af1324eb25655b622c4a131265bb. Description: A critical issue was found in the create upload file function of the backend/api/file.py file, leading to path traversal. The exploit has been disclosed ...
CVE-2024-50348
InstantCMS is a free and open source content management system. In the photo upload function on the photo album page, no input validation takes place. As a result, attackers are able to inject and execute a cross-site scripting (XSS) payload. This vulnerability is fixed in 2.16.3...
CVE-2024-9903
A vulnerability classified as critical has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.0. This affects the function fileUpload of the file /admin/File/fileUpload. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The...
CVE-2024-54730
Flatnotes...
CVE-2024-54687
Vtiger CRM v.6.1 and before is vulnerable to cross-site scripting (XSS) via the Documents module and function uploadAndSaveFile in CRMEntity.php...
CVE-2022-30013
A stored cross-site scripting (XSS) vulnerability in the upload function of totaljs CMS 3.4.5 allows attackers to execute arbitrary web scripts via a JavaScript embedded PDF file...
CVE-2022-44942
Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function...
CVE-2022-25574
A stored cross-site scripting (XSS) vulnerability in the upload function of /admin/show.php allows attackers to execute arbitrary web scripts or HTML via a crafted image file...
CVE-2022-34025
Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the post function at /web/api/v1/upload/UploadHandler.php...
CVE-2022-2049
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function...
CVE-2021-38611
A command-injection vulnerability in the Image Upload function of the NASCENT RemKon Device Manager 4.0.0.0 allows attackers to execute arbitrary commands, as root, via shell metacharacters in the filename parameter to assets/index.php...
CVE-2020-19914
Cross-site scripting (XSS) in xiunobbs 4.0.4 allows remote attackers to execute arbitrary web script or HTML via the attachment upload function...
PT-2025-21631 · Unknown · Production Ssm +1
Name of the Vulnerable Software and Affected Versions: feng ha ha/megagao ssm-erp version 1.0; production ssm version 1.0. Description: A critical vulnerability has been found in the affected software, affecting the uploadPicture function of the PictureServiceImpl.java file. The manipulation of the...
DumbDrop cross-site scripting vulnerability
DumbDrop is a DumbWare open source application. A cross-site scripting vulnerability exists in versions prior to DumbDrop db27b25, which stems from a DOM cross-site scripting vulnerability in the upload function...