EUVD-2026-19488

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3...

CVE-2021-27964

SonLogger before 6.4.1 is affected by Unauthenticated Arbitrary File Upload. An attacker can send a POST request to /Config/SaveUploadedHotspotLogoFile without any authentication or session header. There is no check for the file extension or content of the uploaded file...

CVE-2005-1881

upload.php in YaPiG 0.92b, 0.93u and 0.94u does not properly restrict the file extension for uploaded image files, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code...

CVE-2023-4300

The Import XML and RSS Feeds WordPress plugin before 2.1.4 does not filter file extensions for uploaded files, allowing an attacker to upload a malicious PHP file, leading to Remote Code Execution...

CVE-2022-26974

Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a file upload mechanism. Lack of input sanitization in the upload mechanism leads to reflected XSS...

CVE-2019-18417

Sourcecodester Restaurant Management System 1.0 allows an authenticated attacker to upload arbitrary files that can result in code execution. The issue occurs because the application fails to adequately sanitize user-supplied input, e.g., "add a new food" allows .php files...

CVE-2019-11568

An issue was discovered in AikCms v2.0. There is a File upload vulnerability, as demonstrated by an admin/page/system/nav.php request with PHP code in a .php file with the application/octet-stream content type...

CVE-2020-12846

Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files exe,sh,bat,jar in the Contact section of the mailbox as an avatar image for ...

CVE-2020-10103

An XSS issue was discovered in Zammad 3.0 through 3.2. Malicious code can be provided by a low-privileged user through the File Upload functionality in Zammad. The malicious JavaScript will execute within the browser of any user who opens a specially crafted link to the uploaded file with an acti...

CVE-2023-40028

Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can...

CVE-2022-0937

Stored xss in showdoc through file upload in GitHub repository star7th/showdoc prior to 2.10.4...

CVE-2023-25970

Unrestricted Upload of File with Dangerous Type vulnerability in Zendrop Zendrop – Global Dropshipping.This issue affects Zendrop – Global Dropshipping: from n/a through 1.0.0...

CVE-2023-50729

Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file upload vulnerability in File feature allows attackers to execute arbitrary code on the server. This vulnerability is more prevalent because Traccar is recommended to run web servers as root...

CVE-2019-12099

In PHP-Fusion 9.03.00, editprofile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/formfileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload...

CVE-2019-12102

Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabsmedia.aspx URI. NOTE: The vendor disputes the report because the researcher did not configure the media library permissions...

PT-2025-53789

Name of the Vulnerable Software and Affected Versions givanz VvvebJs version 1.7.2 Description givanz VvvebJs version 1.7.2 is subject to a File Upload issue through the save.php file. Recommendations At the moment, there is no information about a newer version that contains a fix for this...

ELOG <= 3.1.5 Multiple Vulnerabilities

ELOG is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:elogproject:elog"; ifdescription...

CVE-2025-12682 Easy Upload Files During Checkout <= 2.9.8 - Unauthenticated Arbitrary JavaScript File Upload

The Easy Upload Files During Checkout plugin for WordPress is vulnerable to arbitrary JavaScript file uploads due to missing file type validation in the 'fileduringcheckout' function in all versions up to, and including, 2.9.8. This makes it possible for unauthenticated attackers to upload...

EUVD-2019-18943

Malware in sbrugna...

EUVD-2020-23507

Malware in sbrugna...