10 matches found
CVE-2025-67886
Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged...
EUVD-2019-2452
Malware in sbrugna...
EUVD-2022-29047
Malicious code in bioql PyPI...
EUVD-2022-44727
Malicious code in bioql PyPI...
CVE-2022-43083
An arbitrary file upload vulnerability in admin-add-vehicle.php of Vehicle Booking System v1.0 allows attackers to execute arbitrary code via a crafted PHP file...
CVE-2024-7863 Favicon Generator < 2.1 - Arbitrary File Upload via CSRF
The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make a logged-in admin upload arbitrary files such as PHP on the server...
CVE-2023-45856
qdPM 9.2 allows remote code execution by using the Add Attachments feature of Edit Project to upload a .php file to the /uploads URI...
YITH WooCommerce Gift Cards < 3.20.0 - Unauthenticated Arbitrary File Upload
The plugin does not validate files to be uploaded, allowing unauthenticated attackers to upload arbitrary files, such as PHP...
CVE-2022-0440
The Catch Themes Demo Import WordPress plugin before 2.1.1 does not validate one of the files to be imported, which could allow a high-privilege admin to upload an arbitrary PHP file and gain RCE even in the case of a hardened blog, i.e. DISALLOW_UNFILTERED_HTML, DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS...
PT-2020-20179 · Artica · Artica Pandora Fms
Name of the Vulnerable Software and Affected Versions: Artica Pandora FMS version 7.42
Description: The issue allows Web Admin users to execute arbitrary code by uploading a .php file via the Updater or Extension component. However, the vendor reports that this functionality is intended...