23 matches found
CVE-2026-35392 goshs has an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3...
CVE-2024-41599
Cross Site Scripting vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the file upload method...
PT-2025-13573 · Unknown · Invoiceplane
Name of the Vulnerable Software and Affected Versions: InvoicePlane versions 1.6.11 and before. Description: The issue concerns a remote code execution vulnerability in the upload file method of the Upload controller. This vulnerability allows for remote code execution, potentially leading to...
CVE-2024-52787
Vulnerability summary: Libre-chat v0.0.6 is affected by a path traversal flaw in the upload_documents method. By supplying a crafted filename in an uploaded file, an attacker can traverse the filesystem. This is corroborated by multiple sources (Red Hat CVE entry, GHSA advisory, Veracode summary,...
Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182)
An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on depending on the permissions of the underlying filesystem. E.g. This can lead to a delayed...
GHSA-WMJG-VQHV-Q5P5 Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182)
An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on depending on the permissions of the underlying filesystem. E.g. This can lead to a delayed...
PT-2024-32320 · Unknown · Ruby On Rails +1
Name of the Vulnerable Software and Affected Versions: Camaleon CMS versions prior to 2.8.2. Description: An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS...
CVE-2024-41599
This CVE concerns RuoYi (v4.7.9 and earlier). The issue is described as a Cross Site Scripting vulnerability that enables a remote attacker to execute arbitrary code via the file upload method. Concrete details from connected sources confirm affected software and the basic vulnerability pattern, ...
curl security and bug fix update
7.61.1-33.5: cap SFTP packet size sent (RHEL-5485); when keyboard-interactive auth fails, try password (2229800); unify the upload/method handling (CVE-2023-28322); fix cookie injection with none file (CVE-2023-38546); lowercase the domain names before PSL checks (CVE-2023-46218)...
GHSA-75M5-HH4R-Q9GX GeoServer Arbitrary file renaming vulnerability in REST Coverage/Data Store API
Summary: An arbitrary file renaming vulnerability exists that enables an authenticated administrator with permissions to modify stores through the REST Coverage Store or Data Store API to rename arbitrary files and directories with a name that does not end in ".zip". Details: Store file uploads...
PT-2023-27728 · Dwsurvey · Dwsurvey
Name of the Vulnerable Software and Affected Versions: DWSurvey DWSurvey-OSS versions 3.2.0 and earlier. Description: The issue allows a remote attacker to execute arbitrary code via the saveimage method and savveFile in the action/UploadAction.java file. This enables the attacker to upload...
curl security update
7.76.1-23.el92.2: unify the upload/method handling (CVE-2023-28322); fix host name wildcard checking (CVE-2023-28321)...
Sysaid Technologies Sysaid code issue vulnerability
Sysaid Technologies SysAid is a suite of IT service management solutions from Sysaid Technologies, Israel. A security vulnerability exists in Sysaid Technologies Sysaid versions prior to 23.2.14 b18, which stems from a malicious user with administrative privileges may be able to upload dangerous...
RiteCMS 3.1.0 Shell Upload / Remote Code Execution
Exploit Title: RiteCMS 3.1.0 - Remote Code Execution RCE Authenticated Date: 25/07/2021 Exploit Author: faisalfs10x https://github.com/faisalfs10x Vendor Homepage: https://ritecms.com/ Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip Version: = 3.1.0...
CVE-2020-15123
In codecov npm package before version 3.7.1 the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE CVE-2020-7597 for GHSA-5q88-cjfq-g2mh was...
GHSA-XP63-6VF5-XF3V Command injection in codecov (npm package)
Impact: The upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE was issued: CVE-2020-7597, but the fix was incomplete. It only blocked &, and...
Directory traversal
Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method...