CVE-2026-6497

A vulnerability was determined in prasathmani TinyFileManager up to 2.6. Affected by this vulnerability is an unknown functionality of the file /filemanager.php?p= ajax=true&type=upload of the component File Upload Handler. This manipulation of the argument uploadurl causes server-side request...

CVE-2026-6497 prasathmani TinyFileManager File Upload filemanager.php server-side request forgery

A vulnerability was determined in prasathmani TinyFileManager up to 2.6. Affected by this vulnerability is an unknown functionality of the file /filemanager.php?p= ajax=true&type=upload of the component File Upload Handler. This manipulation of the argument uploadurl causes server-side request...

CVE-2026-6497 prasathmani TinyFileManager File Upload filemanager.php server-side request forgery

A vulnerability was determined in prasathmani TinyFileManager up to 2.6. Affected by this vulnerability is an unknown functionality of the file /filemanager.php?p= ajax=true&type=upload of the component File Upload Handler. This manipulation of the argument uploadurl causes server-side request...

CVE-2026-4853

The JetBackup – Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary Directory Deletion in versions up to and including 3.1.19.8. This is due to insufficient input validation on the fileName parameter in the file upload handler. The plugin sanitizes...

PT-2026-33461

Name of the Vulnerable Software and Affected Versions prasathmani TinyFileManager versions prior to 2.7 Description An issue in the File Upload Handler component allows for server-side request forgery, a flaw where an attacker can induce the server to make requests to an unintended location. This...

PT-2026-31851

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress versions up to and including 1.2.58 The plugin is susceptible to Improper Access Control due to insufficient field-level permission validation within the upload file remove AJAX handler. The...

goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload

Summary PUT upload has no path sanitization | httpserver/updown.go:20-69 This finding affects the default configuration, no flags or authentication required. Details File: httpserver/updown.go:20-69 Trigger: PUT / server.go:57-59 routes directly to put The handler uses req.URL.Path raw to build t...

CVE-2026-32759 File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is...

PT-2026-25854

Summary A critical unrestricted file upload vulnerability exists in the Documents & Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file...

CVE-2021-47899 YetiShare File Hosting Script 5.1.0 Remote File Upload SSRF Vulnerability

YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the urluploadhandler endpoint to access sensitive files like /etc/passwd by...

CVE-2021-47899

CVE-2021-47899 affects YetiShare File Hosting Script version 5.1.0. The vulnerability is a server‑side request forgery (SSRF) in the remote file upload feature, exploitable via the url parameter in the /url_upload_handler endpoint to read local files using the file:/// protocol (e.g., /etc/passwd...

CVE-2021-28379

web/upload/UploadHandler.php in Vesta Control Panel aka VestaCP through 0.9.8-27 and myVesta through 0.9.8-26-39 allows uploads from a different origin...

CVE-2025-12640 Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager <= 3.1.5 - Missing Authorization to Authenticated (Author+) Media Replacement

The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Replacement in all versions up to, and including, 3.1.5. This is due to missing object-level authorization checks in the...

EUVD-2025-205502

A flaw has been found in ChenJinchuang Lin-CMS-TP5 up to 0.3.3. This vulnerability affects the function Upload of the file application/lib/file/LocalUploader.php of the component File Upload Handler. Executing manipulation of the argument File can lead to code injection. The attack can be execute...

CVE-2025-15009

A flaw has been found in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function FilenameUtils.getExtension of the file /dev-api/common/upload of the component Filename Handler. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launche...

ChestnutCMS 代码问题漏洞

ChestnutCMS is a front-end and back-end separated enterprise-level content management system by liweiyi individual developers. A code issue vulnerability exists in liweiyi ChestnutCMS 1.5.8 and earlier versions, which stems from the incorrect operation of the parameter File in the file...

CVE-2025-14045 URL Media Uploader <= 1.0.1 - Missing Authorization to Authenticated (Contributor+) Safe File Upload

The URL Media Uploader plugin for WordPress is vulnerable to unauthorized safe file uploads due to a missing capability check on the urlmediauploaderurluploadajaxhandler function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Contributor-leve...

CVE-2025-63994

An arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager v2.7.6 allows attackers to execute arbitrary code via uploading a crafted file...

EUVD-2025-198052

An arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager v2.7.6 allows attackers to execute arbitrary code via uploading a crafted file...

Rich Filemanager 安全漏洞

Rich Filemanager is a file manager for Pavel Personal Developer. A security vulnerability exists in Rich Filemanager version v2.7.6, which stems from the /php/UploadHandler.php component being vulnerable to an arbitrary file upload attack, which could lead to the execution of arbitrary code...