
134 matches found

NVD
added 5 days ago, 8 views

CVE-2026-56233

Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenticated users with build permissions to bypass upload restrictions. Attackers can append traversal sequences to the upload path, which are normalized by the WHATWG URL parser, enabling acce...

CVSS 8.7 | EPSS 0.00451
Exploits 0 | References 2
Snyk
added 2026/05/29 9:14 p.m., 3 views

Incomplete List of Disallowed Inputs

Overview: Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the defaultSanitizer function in FileAdder.php. An attacker can upload files with double extensions or omitted executable extensions, potentially leading to remote code execution by bypassing fil...

CVSS 8.8 | AI score 6.4 | EPSS 0.0044
Exploits 0 | References 2
CNNVD
added 2026/04/02 12:00 a.m., 9 views

OWASP CRS security vulnerability

OWASP CRS is a set of open-source attack detection rules developed by the CRS Project. Versions prior to OWASP CRS 3.3.9 and 4.25.0 contained security vulnerabilities. These vulnerabilities stemmed from the lack of standardization in file extension checks for spaces, which could lead to bypassing...

CVSS 7.5 | AI score 5.8 | EPSS 0.02172
Exploits 0 | References 8
Snyk
added 2026/03/16 3:30 p.m., 3 views

Incorrect Authorization

Overview: github.com/mattermost/mattermost/server/channels/app is a private-cloud Slack alternative. Affected versions of this package are vulnerable to Incorrect Authorization via the upload process. An attacker can bypass team-specific file upload restrictions by uploading files in a team where...

CVSS 5.3 | AI score 5.9 | EPSS 0.00218
Exploits 0 | References 2
CNNVD
added 2026/03/05 12:00 a.m., 7 views

WordPress plugin AI Engine code issue vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application plugin. There is a...

CVSS 9.1 | AI score 5.9 | EPSS 0.00465
Exploits 0 | References 1
NVD
added 2026/02/25 3:20 p.m., 7 views

CVE-2026-3187

A vulnerability was identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this issue is some unknown functionality of the file /api/admin/sys-file/upload of the component API Endpoint. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The explo...

CVSS 9.8 | EPSS 0.00307
Exploits 1 | References 7
CNNVD
added 2026/02/25 12:00 a.m., 11 views

FreeScout security vulnerability

FreeScout is a lightweight and powerful free open-source help desk and shared inbox built using PHP Laravel framework by FreeScout Inc. Versions of FreeScout prior to 1.8.206 contained security vulnerabilities; these vulnerabilities were due to an incomplete list of file upload restrictions, whic...

CVSS 8.8 | AI score 7.8 | EPSS 0.02121
Exploits 3 | References 3
CNNVD
added 2026/02/20 12:00 a.m., 7 views

WordPress plugin Wiguard code issue vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 9.9 | AI score 5.9 | EPSS 0.00434
Exploits 0 | References 1
OSV
added 2026/02/03 6:16 p.m., 5 views

CVE-2020-37113

GUnet OpenEclass 1.7.3 allows authenticated users to bypass file extension restrictions when uploading files. By renaming a PHP file to .php3 or .PhP, an attacker can upload a web shell and execute arbitrary code on the server. This vulnerability enables remote code execution by bypassing the...

CVSS 8.8 | AI score 6.6 | EPSS 0.00781
Exploits 1 | References 4
CVE
added 2026/01/28 6:15 p.m., 13 views

CVE-2025-66488

Discourse (open source platform) has a vulnerability affecting installations using S3 for uploads, present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The issue allows script execution within the S3/CDN domain context when HTML/XML uploads are processed; no site credentials ar...

CVSS 6.1 | AI score 5.7 | EPSS 0.00174
Exploits 0 | References 1 | Affected software 1
OSV
added 2026/01/28 6:15 p.m., 7 views

CVE-2025-66488 Discourse allows script execution in uploaded HTML/XML files on S3

Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. While scripts may be executed, they will only be run in the context of the S3/CDN domain, with no site credentials...

CVSS 4.6 | AI score 5.7 | EPSS 0.00174
Exploits 0 | References 3
CNNVD
added 2026/01/22 12:00 a.m., 6 views

WordPress plugin Miion has a code vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that extends the...

CVSS 9.9 | AI score 5.9 | EPSS 0.00434
Exploits 0 | References 1
CNNVD
added 2026/01/22 12:00 a.m., 7 views

WordPress plugin Energia has a code vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 10 | AI score 5.9 | EPSS 0.00507
Exploits 0 | References 1
CNNVD
added 2026/01/22 12:00 a.m., 6 views

WordPress plugin Blogistic code issue vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

CVSS 9.9 | AI score 5.9 | EPSS 0.00465
Exploits 0 | References 1
NVD
added 2026/01/13 11:15 p.m., 5 views

CVE-2022-50907

e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling remote code execution...

CVSS 8.6 | EPSS 0.01049
Exploits 1 | References 4
OSV
added 2026/01/13 11:15 p.m., 5 views

CVE-2022-50906

e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads...

CVSS 4.8 | AI score 5.9 | EPSS 0.00353
Exploits 1 | References 4
CNNVD
added 2026/01/08 12:00 a.m., 3 views

QloApps security vulnerability

QloApps is a hotel management and reservation system from QloApps open source. A security vulnerability exists in QloApps version 1.7.0 and prior versions, which stems from improper file upload restrictions and could lead to remote code execution...

CVSS 9.8 | AI score 7.8 | EPSS 0.00832
Exploits 2 | References 2
CVE
added 2025/12/22 9:35 p.m., 11 views

CVE-2023-53979

Summary of the vulnerability (CVE-2023-53979): MyBB 1.8.32 contains a chained vulnerability that authenticated administrators can exploit to bypass avatar upload restrictions and achieve remote code execution. The attack leverages the ability to modify upload path settings, upload a PHP-embedded...

CVSS 8.8 | AI score 7.2 | EPSS 0.00703
Exploits 1 | References 5 | Affected software 1
Positive Technologies
added 2025/11/10 12:00 a.m., 8 views

PT-2025-46221

Name of the vulnerable software and affected versions: CMS Made Simple Foundation File Manager version 2.2.22. Description: An authenticated arbitrary file upload issue exists in the /uploads/ endpoint of the software. An attacker with Administrator privileges can upload a crafted PHP file,...

CVSS 7.2 | AI score 7.2 | EPSS 0.00398
Exploits 1 | References 6
EUVD
added 2025/10/21 12:00 a.m., 6 views

EUVD-2025-35195

QDocs Smart School Management System 7.1 allows authenticated users with roles such as "accountant" or "admin" to bypass file type restrictions in the media upload feature by abusing the alternate YouTube URL option. This logic flaw permits uploading of arbitrary PHP files, which are stored in a...

CVSS 7.2 | AI score 6.3 | EPSS 0.00482
Exploits 1 | References 2