Kimai has an arbitrary file read in its invoice PDF renderer (admin)
Summary: Users with the role System-Admin (ROLESYSTEADMIN) and the permission uploadinvoicetemplate can upload PDF invoice templates, which can call pdfContext.setOption('associatedfiles', ...) inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles, whose writer calls...
CVE-2026-44298 Kimai: Arbitrary file read in invoice PDF renderer (admin)
Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLESYSTEADMIN) and the permission uploadinvoicetemplate can upload PDF invoice templates, which can call pdfContext.setOption('associatedfiles', ...) inside the sandboxe...
mingSoft MCMS does not properly restrict file uploads
A flaw has been found in mingSoft MCMS 6.1.1. The affected element is an unknown function of the file /ms/file/uploadTemplate.do of the component Template Archive Handler. Executing a manipulation of the argument File can lead to unrestricted upload. The attack can be launched remotely. The explo...
Arbitrary File Upload
Overview: Affected versions of this package are vulnerable to Arbitrary File Upload via the uploadTemplate.do component. An attacker can upload arbitrary files by sending crafted requests to the affected endpoint. Remediation: There is no fixed version for net.mingsoft:ms-mcms. References: - GitHub...
CVE-2026-2666 mingSoft MCMS Template Archive uploadTemplate.do unrestricted upload
A flaw has been found in mingSoft MCMS 6.1.1. The affected element is an unknown function of the file /ms/file/uploadTemplate.do of the component Template Archive Handler. Executing a manipulation of the argument File can lead to unrestricted upload. The attack can be launched remotely. The explo...
MingSoft MCMS Security Vulnerability
MingSoft MCMS is a modular content management framework developed by MingSoft Corporation in China. Version 6.1.1 of MingSoft MCMS contains a security vulnerability, which stems from incorrect handling of the File parameter in the file /ms/file/uploadTemplate.do. This vulnerability could lead...
PT-2026-20494
Name of the Vulnerable Software and Affected Versions: mingSoft MCMS version 6.1.1 Description: A flaw exists in mingSoft MCMS 6.1.1 related to unrestricted file upload. The issue is located within the Template Archive Handler component, specifically in a function associated with the...
CVE-2024-37821
An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file...
RockOA Cross-Site Scripting Vulnerability
RockOA Xinhuo is an open source office OA system. A cross-site scripting vulnerability exists in RockOA 2.6.3, which stems from the callback parameter of the file /webmain/public/upload/tplupload.html being vulnerable to cross-site scripting. No details of the vulnerability are available at this time...
PT-2024-27767 · Unknown · Dolibarr Erp/Crm
Name of the Vulnerable Software and Affected Versions: Dolibarr ERP CRM versions up to 19.0.1 Description: The issue concerns an arbitrary file upload vulnerability in the Upload Template function. This vulnerability allows attackers to execute arbitrary code by uploading a crafted .SQL file...
Dolibarr ERP/CRM Security Breach
Dolibarr ERP/CRM is a Web-based enterprise resource planning (ERP) and customer relationship management (CRM) system from the Dolibarr Foundation in France. The system can be used to manage products, inventory, invoices, orders, and more. A security vulnerability exists in Dolibarr ERP/CRM version...
CVE-2023-7026
A vulnerability was found in Lightxun IPTV Gateway up to 20231208. It has been rated as problematic. This issue affects some unknown processing of the file /ZHGXTV/index.php/admin/index/webuploadtemplate.html. The manipulation of the argument file leads to unrestricted upload. The attack may be...
Lightxun IPTV Gateway Code Issue Vulnerability
Lightxun IPTV Gateway is a gateway product from China Lightxun Technology (Lightxun). A code issue vulnerability exists in Lightxun IPTV Gateway, which originates from some unknown processing in /ZHGXTV/index.php/admin/index/webuploadtemplate.html, which leads to unrestricted uploads via the...
PT-2023-32842 · Unknown · Lightxun Iptv Gateway
Name of the Vulnerable Software and Affected Versions: Lightxun IPTV Gateway versions up to 20231208 Description: A vulnerability was found in the processing of the file /ZHGXTV/index.php/admin/index/webuploadtemplate.html. The manipulation of the file argument leads to unrestricted upload. The...
CVE-2022-47928
In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/uploadfile.ctp...
VulnCheck KEV: CVE-2020-8243
Ivanti Pulse Connect Secure contains an unspecified vulnerability in the admin web interface that could allow an authenticated attacker to upload a custom template to perform code execution...
CVE-2018-18835
uploadtemplate in system/changeskin.php in DocCms 2016.5.12 allows remote attackers to execute arbitrary PHP code via a template file...
XXE
An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the...
Information Disclosure
Fabric is vulnerable to information disclosure. When uploading templates using the uploadtemplate function, if the intended destination is invalid, the file ends up world-readable in the home folder...