39 matches found

Snyk
added 2026/05/11 7:33 p.m., 1 view

Access Control Bypass

Overview: mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Access Control Bypass in the REST API upload process. An attacker can upload attachments to private issues without proper authorization by leveraging authenticated access to endpoints they are...

CVSS 5.3, AI score 5.8, EPSS 0.00028
Exploits 0, References 2
Vulnrichment
added 2026/04/08 5:25 p.m., 2 views

CVE-2026-2942 ProSolution WP Client <= 1.9.9 - Unauthenticated Arbitrary File Upload via proSol_fileUploadProcess

The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'proSol_fileUploadProcess' function in all versions up to, and including, 1.9.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the...

CVSS 9.8, AI score 6.6, EPSS 0.00184
Exploits 1, References 3
CNNVD
added 2026/04/03 12:00 a.m., 2 views

Focalboard security vulnerability

Focalboard is a multilingual, self-hosted project management tool open source by Mattermost Community. Version 8.0 of Focalboard contains a security vulnerability. This vulnerability stems from the lack of verification of file ownership during the upload process, which may allow authenticated...

CVSS 4.3, AI score 5.8, EPSS 0.00011
Exploits 0, References 1
EUVD
added 2026/03/26 9:00 p.m., 0 views

EUVD-2026-16425

Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting XSS vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScri...

CVSS 4.6, AI score 5.8, EPSS 0.00014
Exploits 1, References 3
EUVD
added 2026/03/21 3:33 p.m., 2 views

EUVD-2019-19852

CEWE PHOTO SHOW 6.4.3 contains a denial of service vulnerability that allows attackers to crash the application by submitting an excessively long buffer to the password field. Attackers can paste a large string of repeated characters into the password input during the upload process to trigger an...

CVSS 8.7, AI score 6, EPSS 0.00064
Exploits 1, References 4
Vulnrichment
added 2026/03/21 12:46 p.m., 0 views

CVE-2019-25552 CEWE PHOTO SHOW 6.4.3 Denial of Service via Password Field

CEWE PHOTO SHOW 6.4.3 contains a denial of service vulnerability that allows attackers to crash the application by submitting an excessively long buffer to the password field. Attackers can paste a large string of repeated characters into the password input during the upload process to trigger an...

CVSS 8.7, AI score 6, EPSS 0.00064
Exploits 1, References 3
ATTACKERKB
added 2026/03/21 12:46 p.m., 1 view

CVE-2019-25552

CEWE PHOTO SHOW 6.4.3 contains a denial of service vulnerability that allows attackers to crash the application by submitting an excessively long buffer to the password field. Attackers can paste a large string of repeated characters into the password input during the upload process to trigger an...

CVSS 8.7, AI score 6, EPSS 0.00064
Exploits 1, References 3, Affected Software 1
CVE
added 2026/03/21 12:46 p.m., 2 views

CVE-2019-25552

CVE-2019-25552 affects CEWE PHOTO SHOW 6.4.3. A denial of service exists where an excessively long buffer submitted to the password field during the upload process can crash the application. The vulnerability stems from processing a large string of repeated characters in the password input, leadi...

CVSS 8.7, AI score 6, EPSS 0.00064
Exploits 1, References 3, Affected Software 1
Positive Technologies
added 2026/03/21 12:00 a.m., 2 views

PT-2026-26897

CEWE PHOTO SHOW 6.4.3 contains a denial of service vulnerability that allows attackers to crash the application by submitting an excessively long buffer to the password field. Attackers can paste a large string of repeated characters into the password input during the upload process to trigger an...

CVSS 8.7, AI score 6, EPSS 0.00064
Exploits 1, References 4
Snyk
added 2026/03/16 3:30 p.m., 2 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the upload process. An attacker can bypass team-specific file upload restrictions by uploading files in a team where they have permission and reusing the file metadata in a POST request to a different team...

CVSS 5.3, AI score 5.9, EPSS 0.00034
Exploits 0, References 2
ATTACKERKB
added 2026/01/23 12:00 a.m., 1 view

CVE-2025-70457

A Remote Code Execution RCE vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save...

CVSS 9.8, AI score 6, EPSS 0.00305
Exploits 1, References 3
RedhatCVE
added 2026/01/09 10:11 a.m., 4 views

CVE-2019-11447

An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can infiltrate the server through the avatar upload process in the profile area via the avatarfile field to index.php?mod=main=personal. There is no effective control of $imgsize in /core/modules/dashboard.php. The header content of a...

CVSS 8.8, AI score 7.2, EPSS 0.73709
Exploits 10, References 1
EUVD
added 2025/12/23 12:30 a.m., 3 views

EUVD-2023-60242

ProjectSend r1605 contains a remote code execution vulnerability that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server...

CVSS 9.8, AI score 8.3, EPSS 0.00412
Exploits 1, References 4
OSV
added 2025/12/22 10:16 p.m., 1 view

CVE-2023-53980

ProjectSend r1605 contains a remote code execution vulnerability that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server...

CVSS 8.7, AI score 8.7
Exploits 0, References 3
Vulnrichment
added 2025/12/22 9:35 p.m., 2 views

CVE-2023-53980 ProjectSend r1605 Remote Code Execution via File Extension Manipulation

ProjectSend r1605 contains a remote code execution vulnerability that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server...

CVSS 9.8, AI score 8.5, EPSS 0.00412
Exploits 1, References 3
Positive Technologies
added 2025/12/22 12:00 a.m., 2 views

PT-2025-52717

Name of the Vulnerable Software and Affected Versions: ProjectSend version r1605. Description: ProjectSend r1605 contains a remote code execution issue that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions throug...

CVSS 9.8, AI score 8.5, EPSS 0.00412
Exploits 1, References 12
Snyk
added 2025/12/02 5:42 p.m., 2 views

Access Control Bypass

Overview: Affected versions of this package are vulnerable to Access Control Bypass due to improper privilege management in the upload process. An attacker can install or remove arbitrary packages and potentially execute malicious code by leveraging insufficient access controls in the...

CVSS 9, AI score 7.5, EPSS 0.00063
Exploits 0, References 2
Packet Storm
added 2025/10/13 12:00 a.m., 162 views

Packet Storm EXIF Data Disclosure

A bad code push allowed EXIF data to remain in some photos on Packet Storm. Our analysis shows only 0.004% of uploaded pictures were affected and they have all been stripped to ensure no further exposure. Fortunately, the affected pictures only include items related to an admin of the site and th...

AI score 7.1
Exploits 0
RedhatCVE
added 2025/05/23 7:39 a.m., 3 views

CVE-2024-31217

Strapi is an open-source content management system. Prior to version 4.22.0, a denial-of-service vulnerability is present in the media upload process causing the server to crash without restarting, affecting both development and production environments. Usually, errors in the application cause ...

CVSS 6.5, AI score 6.5, EPSS 0.01796
Exploits 1, References 1
RedhatCVE
added 2025/05/22 10:09 a.m., 2 views

CVE-2019-19589

The Lever PDF Embedder plugin 4.4 for WordPress does not block the distribution of polyglot PDF documents that are valid JAR archives. Note: It has been argued that "The vulnerability reported in PDF Embedder Plugin is not valid as the plugin itself doesn't control or manage the file upload...

CVSS 9.8, AI score 6.9, EPSS 0.00418
Exploits 1, References 1