44 matches found
CVE-2026-22707
Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Content API endpoints did not enforce the administrator-configured MIME type restrictions plugin.upload.security.allowedTypes and deniedTypes. The same restrictions were correctly...
CVE-2026-22707 Strapi Upload Plugin MIME Validation Bypass via Content API
Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Content API endpoints did not enforce the administrator-configured MIME type restrictions plugin.upload.security.allowedTypes and deniedTypes. The same restrictions were correctly...
CVE-2026-22707
In Strapi, prior to 5.33.3, the Upload plugin’s Content API endpoints did not enforce the administrator-configured MIME restrictions, allowing an authenticated Content API user to upload disallowed file types (e.g., HTML, SVG). The Content API handlers bypassed magic-byte MIME checks and allow/de...
EUVD-2012-5464
Malware in sbrugna...
CVE-2024-10225
A vulnerability in haotian-liu/llava v1.2.0 allows an attacker to cause a Denial of Service DoS by appending a large number of characters to the end of a multipart boundary in a file upload request. This causes the server to continuously process each character, rendering the application...
CVE-2024-9437
SuperAGI version v0.0.14 is vulnerable to an unauthenticated Denial of Service DoS attack. The vulnerability exists in the resource upload request, where appending characters, such as dashes -, to the end of a multipart boundary in an HTTP request causes the server to continuously process each...
CVE-2024-9437
SuperAGI version v0.0.14 is vulnerable to an unauthenticated Denial of Service DoS attack. The vulnerability exists in the resource upload request, where appending characters, such as dashes -, to the end of a multipart boundary in an HTTP request causes the server to continuously process each...
CVE-2024-10051 Unauthenticated Denial of Service in shaunwei/realchar
Realchar version v0.0.4 is vulnerable to an unauthenticated denial of service DoS attack. The vulnerability exists in the file upload request handling, where appending characters, such as dashes -, to the end of a multipart boundary in an HTTP request causes the server to continuously process eac...
CVE-2024-9437 Unauthenticated Denial of Service in transformeroptimus/superagi
SuperAGI version v0.0.14 is vulnerable to an unauthenticated Denial of Service DoS attack. The vulnerability exists in the resource upload request, where appending characters, such as dashes -, to the end of a multipart boundary in an HTTP request causes the server to continuously process each...
CVE-2024-37084 CVE-2024-37084: Remote code execution in Spring Cloud Data Flow
In Spring Cloud Data Flow versions prior to 2.11.4, a malicious user who has access to the Skipper server api can use a crafted upload request to write an arbitrary file to any location on the file system which could lead to compromising the server...
CVE-2024-22263
Spring Cloud Data Flow is a microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes. The Skipper server has the ability to receive upload package requests. However, due to improper sanitization for upload path, a malicious user who has access to skipper server api...
CVE-2024-22263
CVE-2024-22263 affects Spring Cloud Data Flow’s Skipper server, where improper sanitization of upload paths enables a malicious user with API access to write arbitrary files to the file system and potentially compromise the server. The vulnerability targets the upload mechanism (upload path handl...
CVE-2024-3153
mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service DOS condition. Specifically, the server can be shut down by sending an invalid upload request. An attacker with the ability to upload documents...
CVE-2024-3153
mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service DOS condition. Specifically, the server can be shut down by sending an invalid upload request. An attacker with the ability to upload documents...
CVE-2024-3153 Uncontrolled Resource Consumption in mintplex-labs/anything-llm
mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service DOS condition. Specifically, the server can be shut down by sending an invalid upload request. An attacker with the ability to upload documents...
PT-2024-24131 · Mintplex · Anything-Llm
Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm affected versions not specified Description: The issue is related to an uncontrolled resource consumption vulnerability in the upload file endpoint, which can lead to a denial of service DOS condition. Specifically,...
CVE-2022-31194 Path traversal vulnerabilities in DSpace JSPUI submission upload
DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowi...
Design/Logic Flaw
Affected versions of Atlassian Crucible allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the file upload request feature of code reviews. The affected versions are before version 4.7.4, and from version 4.8.0 before 4.8.5...
TextPattern CMS 4.8.3 - Remote Code Execution (Authenticated)
!/usr/bin/python3 Exploit Title: TextPattern = 4.8.3 - Authenticated Remote Code Execution via Unrestricted File Upload Google Dork: N/A Date: 16/10/2020 Exploit Author: Michele '0blio' Cisternino Vendor Homepage: https://textpattern.com/ Software Link: https://github.com/textpattern/textpattern...
Apache Solr < 7.1.0 Remote Code Execution
Remote code execution occurs in Apache Solr versions 7.1.0 with Apache Lucene 7.1.0 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. This can be exploited to upload malicious data to the /upload request handler or as Blind XX...