Lucene search
+L

6775 matches found

EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-45436

A weakness has been identified in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function savesettings of the file /admin/adminclassnovo.php. This manipulation of the argument img causes unrestricted upload. The attack is possible to be carried out remotely...

5.8CVSS4.9AI score
Exploits0References6
Nuclei
Nuclei
added yesterday102 views

LyLme-Spage - Arbitary File Upload

An arbitrary file upload vulnerability in the component /include/file.php of lylmespage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file. id: CVE-2024-34982 info: name: LyLme-Spage - Arbitary File Upload author: DhiyaneshDk severity: high description: | An arbitrary...

9.8CVSS6AI score0.04675EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday61 views

Samsung MagicINFO 9 Server - File Upload & Remote Code Execution

Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary file as system authority. id: CVE-2025-4632 info: name: Samsung MagicINFO 9 Server - File Upload & Remote Code Execution author: s4e-i...

9.8CVSS8.9AI score0.23953EPSS
Exploits4References4
Nuclei
Nuclei
added yesterday45 views

Melis Technology Melis Platform - Unrestricted File Upload & Remote Code Execution

Melis Technology Melis Platform contains an unrestricted file upload caused by insufficient validation of 'mcsdetailimg' parameter in /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm, letting attackers upload malicious files and achieve remote code execution, exploit requires crafted...

9.3CVSS5.6AI score0.02503EPSS
Exploits3References3
Nuclei
Nuclei
added yesterday46 views

Sangfor OSM - Arbitrary File Upload

Sangfor Operation and Maintenance Management System = 3.0.8 contains an unrestricted file upload vulnerability caused by manipulation of the "File" argument in /fort/trust/version/common/common.jsp, letting remote attackers upload arbitrary files, exploit requires no special privileges. id:...

9.8CVSS7.3AI score0.01907EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday72 views

InstaWP Connect <= 0.1.0.22 - Unauthenticated Arbitrary File Upload

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for...

9.8CVSS5.4AI score0.05794EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday30 views

WP Mobile Detector <= 3.5 - Unrestricted File Upload

WP Mobile Detector plugin for WordPress = 3.5 contains an unrestricted file upload vulnerability caused by missing file type validation in resize.php, letting unauthenticated attackers upload arbitrary files, potentially leading to remote code execution. id: CVE-2016-15043 info: name: WP Mobile...

9.8CVSS5.9AI score0.10032EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday174 views

Cisco IOS XE WLC - Arbitrary File Upload

A vulnerability in the Out-of-Band Access Point AP Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers WLCs could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system.This vulnerability is due to the presence of a hard-coded JSON Web...

10CVSS8.5AI score0.17894EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2 days ago13 views

Flask-Reuploaded: Extension-denylist bypass via case-folding asymmetry in name-override path (incomplete-fix variant of CVE-2026-27641)

Header | Field | Value | |---|---| | Title | Extension-denylist bypass via case-folding asymmetry in name-override path incomplete-fix variant of CVE-2026-27641 | | Project | Flask-Reuploaded flaskuploads | | Affected | extension"shell.php" = "php" - extensionallowed"php" - DENY correct...

9.8CVSS5.8AI score0.01046EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2 days ago13 views

CVE-2026-60024

The CVE pertains to the Joomla extension Events Booking, where prior versions up to 5.8.0 allow unauthenticated users to upload media assets by default. The affected component is the Events Booking plugin for Joomla (joomdonation.com). The root cause is an insecure default configuration that perm...

5.3AI score0.00146EPSS
Exploits0References1
Nuclei
Nuclei
added 2 days ago79 views

FlowiseAI Flowise <= 2.2.6 - Arbitrary File Upload

FlowiseAI Flowise version 2.2.6 and below contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. This vulnerability allows an unauthenticated attacker to upload files outside the intended directory through path traversal, potentially leading to API key exposure and...

9.8CVSS9.2AI score0.50789EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 4 days ago5 views

CVE-2026-11579

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not verify that a file upload is made against an existing form configured with a file-upload field, accepting uploads regardless of whether any such form exists, which allows unauthenticated users to upload...

6.2AI score0.00237EPSS
Exploits0References1
Nuclei
Nuclei
added 6 days ago19 views

Blueimp jQuery-File-Upload v9.22.0 - Unrestricted File Upload

Blueimp jQuery-File-Upload v9.22.0 contains an unauthenticated arbitrary file upload caused by insufficient validation in the upload component, letting remote attackers upload malicious files, exploit requires no authentication. id: CVE-2018-9206 info: name: Blueimp jQuery-File-Upload v9.22.0 -...

9.8CVSS7.1AI score0.97107EPSS
Exploits15References4
Nuclei
Nuclei
added 6 days ago100 views

WordPress Simple File List <=4.2.2 - Remote Code Execution

An unrestricted file upload vulnerability in the WordPress Simple File List plugin before version 4.2.3 allows unauthenticated remote attackers to achieve remote code execution. The plugin's upload endpoint ee-upload-engine.php restricts file uploads based on extension, but lacks proper validatio...

6.3AI score
Exploits9References3
Positive Technologies
Positive Technologies
added 6 days ago6 views

PT-2026-57850

Name of the Vulnerable Software and Affected Versions Laravel-Mediable versions prior to 7.0.0 Description An issue exists where unauthenticated attackers can achieve remote code execution by uploading files with double extensions, such as shell.php.jpg. The PATHINFO FILENAME extraction preserves...

8.8CVSS6.5AI score0.00777EPSS
Exploits0References6
NVD
NVD
added 2026/07/12 9:16 a.m.7 views

CVE-2026-15488

A vulnerability was determined in hcr707305003 shiroiAdmin 1.1/1.3. Affected is the function FileController::upload of the file app/common/controller/FileController.php. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit...

7.5CVSS0.00291EPSS
Exploits0References7
OSV
OSV
added 2026/07/12 8:45 a.m.4 views

CVE-2026-15488 hcr707305003 shiroiAdmin FileController.php upload unrestricted upload

A vulnerability was determined in hcr707305003 shiroiAdmin 1.1/1.3. Affected is the function FileController::upload of the file app/common/controller/FileController.php. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit...

6.9CVSS6.7AI score0.00291EPSS
Exploits0References9
CVE
CVE
added 2026/07/10 7:37 p.m.16 views

CVE-2026-55466

CVE-2026-55466 (Snipe-IT) is a stored XSS vulnerability in the UploadFileRequest path before version 8.6.2. The sanitizer only processes SVG content when PHP finfo reports image/svg+xml, and UploadedFilesController serves attachments inline without StorageHelper::allowSafeInline(), enabling a low...

8.7CVSS6.1AI score0.00316EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/07/10 9:5 a.m.32 views

CVE-2026-41877 Stored XSS in R-SOFT DMS

R-SOFT DMS is vulnerable to Stored XSS in file upload functionality. Authenticated attacker can inject arbitrary HTML and JS into the name of the file being uploaded, which will be executed when visiting file list or upload status by other users. This issue was fixed in version v3.19-2832 and...

5.1CVSS0.0039EPSS
Exploits0References1
NVD
NVD
added 2026/07/10 5:16 a.m.10 views

CVE-2026-15282

The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'insappuploadimageasattachment' function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the...

9.8CVSS0.00744EPSS
Exploits1References4
Rows per page
Query Builder