26 matches found
CVE-2026-41949
Dify before version 1.14.2 contains an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the...
CVE-2026-34381
Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on admmyfiles/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently igno...
PT-2026-29348
Name of the Vulnerable Software and Affected Versions: Admidio versions 5.0.0 through 5.0.7. Description: Admidio relies on .htaccess files to restrict direct HTTP access to uploaded documents. The Docker image is configured with AllowOverride None in the Apache configuration, causing these .htacces...
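The Admidio entries above describe a protection that exists on disk but is never consulted: a deny rule in .htaccess under a directory whose effective AllowOverride is None. The following is an added example, not Admidio's own code or configuration, that audits a main Apache config for exactly that gap. The two config strings, the document root and the .htaccess contents are constructed for the example (the page does not show the real files; only the directory name is taken from the advisory as written), and the merge logic is a simplified model of Apache 2.4's per-directory merging.

```python
import re

UPLOAD_DIR = "/var/www/html/admmyfiles"  # document root is an assumption; directory name as in the advisory

# Constructed: main config in the shape the advisory describes. The only deny rule
# lives in a .htaccess inside the upload directory, but AllowOverride None is in force.
WEAK_HTTPD_CONF = """
<Directory /var/www/html>
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>
"""

# Constructed fix: the deny rule moves into the main config, where AllowOverride is irrelevant.
FIXED_HTTPD_CONF = WEAK_HTTPD_CONF + """
<Directory /var/www/html/admmyfiles>
    Require all denied
</Directory>
"""

# Assumed .htaccess contents; the page does not show the real file.
HTACCESS = "Require all denied\n"

_BLOCK = re.compile(r'<Directory\s+"?([^"\s>]+)"?\s*>(.*?)</Directory>', re.S | re.I)
_DIRECTIVE = re.compile(r'^\s*(AllowOverride|Require)\s+(.+?)\s*$', re.M | re.I)


def _matching_blocks(conf, path):
    """<Directory> blocks enclosing `path`, shortest first: Apache merges them in that order."""
    out = []
    for m in _BLOCK.finditer(conf):
        d = m.group(1).rstrip("/") or "/"
        if d == "/" or path == d or path.startswith(d + "/"):
            out.append((d, m.group(2)))
    return sorted(out, key=lambda b: len(b[0]))


def effective_settings(conf, path):
    """(AllowOverride, Require) in force for `path`; the most specific block wins.
    Apache 2.4 defaults AllowOverride to None when no block sets it."""
    allow_override, require = "None", None
    for _, body in _matching_blocks(conf, path):
        for name, value in _DIRECTIVE.findall(body):
            if name.lower() == "allowoverride":
                allow_override = value
            else:
                require = value
    return allow_override, require


def htaccess_honored(allow_override):
    """A `Require` line in .htaccess is read only under AllowOverride All or AuthConfig
    (simplified: Options=... and negated forms are not modelled)."""
    tokens = {t.lower() for t in allow_override.split()}
    return bool(tokens & {"all", "authconfig"})


def direct_access_denied(conf, path, htaccess):
    """True if an anonymous GET under `path` is refused by Apache, whether the rule
    sits in the main config or in a .htaccess that is actually being read."""
    allow_override, require = effective_settings(conf, path)
    if require is not None and require.lower() == "all denied":
        return True
    if htaccess_honored(allow_override):
        return "require all denied" in htaccess.lower()
    return False  # .htaccess present but silently ignored: the failure mode the advisory describes
```

Run against the weak config the function reports the upload directory as reachable even though the .htaccess says otherwise; the fixed config is denied regardless of AllowOverride, which is why moving the rule into the main config (or a dedicated conf.d fragment) is the durable fix for container images. The same check is worth running after any base-image upgrade, since a changed default for AllowOverride is invisible in the application itself.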
CVE-2025-69437
PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. If a user uploads a PDF file containing a malicious payload to the system and views it, the embedded JavaScript payload can...
CVE-2026-28276 Initiative Allows Unauthenticated Access to Uploaded Documents via Public /uploads/ Endpoint
Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be...
PT-2026-22224
Name of the Vulnerable Software and Affected Versions: Initiative versions prior to 0.32.2. Description: An access control issue exists in Initiative, a self-hosted project management platform. Uploaded documents are served from a publicly accessible /uploads/ directory without authentication or...
CVE-2026-24039
Horilla HRMS (v1.4.0) contains an improper access-control flaw on the document-approval endpoint, allowing low-privilege users to self-approve their own uploaded documents. This weak server-side authorization check enables employees to alter admin-reserved state. The issue is fixed in v1.5.0. Aff...
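Three of the entries above are the same class of bug at different depths: Initiative serves uploads with no identity check at all, Dify checks that the caller is logged in but lets the file UUID alone scope the read, and Horilla checks that the document exists but not that the caller holds the role the action is reserved for. The block below is an added example, not code from Dify, Initiative or Horilla, that models each broken check beside a server-side check that closes it. The in-memory store, users and tenants are constructed for the example; the 3,000-character limit is the figure the Dify advisory cites.

```python
from dataclasses import dataclass
from typing import Optional
import uuid

PREVIEW_CHARS = 3000  # the preview length the Dify advisory cites

@dataclass(frozen=True)
class User:
    id: str
    tenant_id: str
    is_admin: bool = False

@dataclass
class Document:
    id: str
    tenant_id: str
    text: str
    approved: bool = False

class Forbidden(Exception): pass  # HTTP 403: caller identified but not allowed
class NotFound(Exception): pass   # HTTP 404: also for "exists, but not your tenant", so a guessed UUID learns nothing

class Store:  # constructed in-memory store standing in for the application database
    def __init__(self):
        self._docs = {}

    def upload(self, user: User, text: str) -> str:
        doc = Document(str(uuid.uuid4()), user.tenant_id, text)
        self._docs[doc.id] = doc
        return doc.id

    def by_id(self, doc_id: str) -> Optional[Document]:
        return self._docs.get(doc_id)  # keyed on the UUID alone

    def by_id_in_tenant(self, doc_id: str, tenant_id: str) -> Optional[Document]:
        doc = self._docs.get(doc_id)
        return doc if doc is not None and doc.tenant_id == tenant_id else None

# Initiative-style: public /uploads/<id>, no identity consulted at all.
def download_public(store: Store, doc_id: str) -> str:
    doc = store.by_id(doc_id)
    if doc is None:
        raise NotFound()
    return doc.text

# Dify-style: only "is logged in" is checked; the UUID is the sole scope of the read.
def preview_authenticated_only(store: Store, user: Optional[User], doc_id: str) -> str:
    if user is None:
        raise Forbidden("login required")
    doc = store.by_id(doc_id)
    if doc is None:
        raise NotFound()
    return doc.text[:PREVIEW_CHARS]

# Fix for both: authenticate, then resolve the object inside the caller's tenant.
def preview_tenant_scoped(store: Store, user: Optional[User], doc_id: str) -> str:
    if user is None:
        raise Forbidden("login required")
    doc = store.by_id_in_tenant(doc_id, user.tenant_id)
    if doc is None:
        raise NotFound()  # same response as for an unknown id
    return doc.text[:PREVIEW_CHARS]

# Horilla-style: approval checks tenant and existence but never the caller's role.
def approve_self_service(store: Store, user: User, doc_id: str) -> bool:
    doc = store.by_id_in_tenant(doc_id, user.tenant_id)
    if doc is None:
        raise NotFound()
    doc.approved = True
    return doc.approved

# Fix: the admin-reserved state change is gated on role; tenant scope still applies.
def approve_admin_only(store: Store, user: User, doc_id: str) -> bool:
    if not user.is_admin:
        raise Forbidden("approval is reserved for administrators")
    doc = store.by_id_in_tenant(doc_id, user.tenant_id)
    if doc is None:
        raise NotFound()
    doc.approved = True
    return doc.approved

def demo() -> dict:
    """Constructed scenario: True means the bug reproduces (broken paths) or the check held (fixes)."""
    store, out = Store(), {}
    alice, mallory = User("alice", "tenant-a"), User("mallory", "tenant-b")
    admin_a = User("root-a", "tenant-a", is_admin=True)
    secret = "confidential " * 400  # 5,200 characters, longer than the preview
    doc_id = store.upload(alice, secret)
    out["public_path_leaks"] = download_public(store, doc_id) == secret
    out["authn_only_leaks"] = len(preview_authenticated_only(store, mallory, doc_id)) == PREVIEW_CHARS
    try:
        preview_tenant_scoped(store, mallory, doc_id)
        out["tenant_scope_holds"] = False
    except NotFound:
        out["tenant_scope_holds"] = True
    out["self_approve_possible"] = approve_self_service(store, alice, doc_id)
    store.by_id(doc_id).approved = False
    try:
        approve_admin_only(store, alice, doc_id)
        out["admin_only_holds"] = False
    except Forbidden:
        out["admin_only_holds"] = True
    out["admin_can_approve"] = approve_admin_only(store, admin_a, doc_id)
    return out
```

The design point is that the lookup itself carries the tenant: `by_id_in_tenant` cannot return another workspace's document, so a handler that forgets an explicit ownership test is still safe, and a cross-tenant UUID gets the same 404 as a random one. For Horilla-style state changes, authentication and object scope are necessary but not sufficient; the role check has to sit in the endpoint that performs the transition, not only in the UI that hides the button.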
CVE-2025-67341
jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users...
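The PublicCMS and jshERP entries share one root cause: a PDF is an active document format, and once it is stored and served inline from the application's own origin, any JavaScript or auto-run action it carries executes in a viewer that honours such actions. What follows is an added example, not PublicCMS's CmsFileUtils.java or any jshERP code: an upload-time scan for the PDF names that carry script or auto-run behaviour, robust to the two evasions a plain substring check misses (hex-escaped names such as `/Open#41ction`, and dictionaries hidden inside FlateDecode streams), plus the response headers that turn a stored PDF into a download rather than an inline render. Both sample PDFs are constructed inline.

```python
import re
import zlib

# PDF names that carry script or auto-run behaviour a viewer may act on.
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                b"/SubmitForm", b"/ImportData")

_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
# Stream bodies; the lookbehind keeps "endstream" from starting a bogus match.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)


def _unescape_names(data):
    """/Open#41ction is the same name as /OpenAction; fold #xx escapes before matching."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data):
    """Decoded body of every Flate stream (object streams hide dictionaries this way)."""
    for m in _STREAM.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))  # trailing newline lands in unused_data
        except zlib.error:
            continue  # not Flate-compressed; the raw bytes are scanned anyway


def find_active_content(pdf):
    """Sorted list of risky names present in the file, raw or inside compressed streams."""
    views = [pdf] + list(_inflate_streams(pdf))
    found = set()
    for view in views:
        view = _unescape_names(view)
        for name in ACTIVE_NAMES:
            # The token must end at a delimiter so /AA does not fire on /AAPL.
            if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", view):
                found.add(name.decode())
    return sorted(found)


def accept_upload(pdf):
    """Upload gate: (accepted, findings). Anything with active content is refused."""
    if not pdf.startswith(b"%PDF-"):
        return False, ["not a PDF"]
    findings = find_active_content(pdf)
    return len(findings) == 0, findings


def safe_headers_for_pdf(filename):
    """Serve stored PDFs as downloads, not inline documents, so a static URL to a
    stored file becomes a file save rather than a render in the site's origin."""
    return {
        "Content-Type": "application/pdf",
        "Content-Disposition": 'attachment; filename="%s"' % filename.replace('"', ""),
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",  # belt and braces if something still renders inline
    }


def _pdf(objects):
    """Assemble a minimal PDF from numbered objects (constructed sample, not a real upload)."""
    body = b"%PDF-1.7\n" + b"".join(
        b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objects, 1))
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


BENIGN_PDF = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
])

# The script action is referenced through a hex-escaped name and stored in a Flate
# stream, the two tricks that defeat a plain substring check for "/JavaScript".
_HIDDEN_ACTION = zlib.compress(b"<< /S /JavaScript /JS (app.alert('xss')) >>")
MALICIOUS_PDF = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
    b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(_HIDDEN_ACTION), _HIDDEN_ACTION),
])
```

The scan is a gate, not a parser: it errs toward rejecting, and it does not try to decide whether a given `/AA` is harmless. The `Content-Disposition: attachment` header is the control that matters for the static-URL case; a file that must be viewable inline should be served from a separate origin that holds no session, so whatever runs inside the viewer cannot reach the application's cookies or DOM.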
EUVD-2025-24948
Malicious code in bioql PyPI...
EUVD-2022-45965
Malicious code in bioql PyPI...
CVE-2025-31987
HCL Connections Docs may mishandle validation of certain uploaded documents leading to denial of service due to resource exhaustion...
CVE-2025-31987 HCL Connections Docs is vulnerable to a Denial of Service (DoS) attack
HCL Connections Docs may mishandle validation of certain uploaded documents leading to denial of service due to resource exhaustion...
CVE-2025-31987
Summary: CVE-2025-31987 affects HCL Connections Docs. The connected documents describe a vulnerability where improper validation of uploaded documents can cause a denial of service through resource exhaustion. Expected impact is denial of service with high availability impact; CVSS metrics in the...
PT-2025-33417 · Hcl · Hcl Connections Docs
Name of the Vulnerable Software and Affected Versions: HCL Connections Docs affected versions not specified Description: HCL Connections Docs may not properly validate uploaded documents, potentially leading to a denial of service due to resource exhaustion. Recommendations: At the moment, there ...
PT-2024-15831 · Unknown · Mintplex-Labs/Anything-Llm
Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm affected versions not specified Description: A privilege escalation issue exists, allowing users with the default role to delete documents uploaded by the admin. This is due to improper access control checks, enabli...