Lucene search
K

1393 matches found

Nuclei
Nuclei
added yesterday16 views

dash-uploader 0.1.0 - 0.7.0a2 - Unauthenticated Arbitrary File Write via Path Traversal

fohrloop dash-uploader v0.1.0 through v0.7.0a2 contains a directory traversal vulnerability caused by improper handling in dashuploader/httprequesthandler.py components, letting remote attackers execute arbitrary code, exploit requires no special privileges. id: CVE-2026-38360 info: name:...

9.8CVSS7.2AI score0.05982EPSS
Exploits4References4
Nuclei
Nuclei
added yesterday22 views

dash-uploader 0.1.0 - 0.7.0a2 - Denial-of-Service via flowTotalChunks

fohrloop dash-uploader v0.1.0 through v0.7.0a2 contains a remote code execution caused by improper handling in Upload function and maxfilesize parameter in dashuploader components, letting remote attackers execute arbitrary code, exploit requires crafted request. id: CVE-2026-38361 info: name:...

7.5CVSS7.5AI score0.02643EPSS
Exploits5References4
Nuclei
Nuclei
added yesterday52 views

WordPress Plugin Uploader 1.0.4 - Cross-Site Scripting

Multiple cross-site scripting vulnerabilities in views/notify.php in the Uploader plugin 1.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the 1 notify or 2 blog parameter. id: CVE-2013-2287 info: name: WordPress Plugin Uploader 1.0.4 - Cross-Site Scripting...

4.3CVSS6.2AI score0.09239EPSS
Exploits1References4
NVD
NVD
added 2 days ago9 views

CVE-2026-49969

Laravel-Mediable before 7.0.0 contains a server-side request forgery vulnerability that allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUploader::fromSource. Attackers can craft URLs targeting...

7.4CVSS0.00241EPSS
Exploits0References3
NVD
NVD
added 2 days ago10 views

CVE-2026-49970

Laravel-Mediable before 7.0.0 contains a path traversal vulnerability in the File::sanitizePath function that allows attackers to write uploaded files to arbitrary locations by controlling the directory argument passed to MediaUploader::toDestination. Attackers can exploit the permissive...

8.8CVSS0.00771EPSS
Exploits0References3
NVD
NVD
added 4 days ago6 views

CVE-2026-7544

The Mux Video Uploader plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the muxvideoenqueuesettingsscript. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive data...

4.3CVSS0.00237EPSS
Exploits0References6
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-43128

The Mux Video Uploader plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the muxvideoenqueuesettingsscript. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive data...

4.3CVSS6.1AI score0.00237EPSS
Exploits0References6
Cvelist
Cvelist
added 4 days ago35 views

CVE-2026-7544 Mux Video Uploader <= 1.1.4 - Authenticated (Subscriber+) Information Exposure

The Mux Video Uploader plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the muxvideoenqueuesettingsscript. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive data...

4.3CVSS0.00237EPSS
Exploits0References6
CVE
CVE
added 4 days ago13 views

CVE-2026-7544

Summary (CVE-2026-7544) : The Mux Video Uploader WordPress plugin (≤ v1.1.4) is vulnerable to Sensitive Information Exposure via muxvideo_enqueue_settings_script. Authenticated users with subscriber-level access or higher can extract sensitive data, including Mux API credentials. The CVE notes th...

4.3CVSS6.1AI score0.00237EPSS
Exploits0References6
Snyk
Snyk
added 2026/07/01 6:18 p.m.3 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the upload endpoint. An attacker can exhaust system memory by submitting specially crafted requests, potentially causing the service to become unavailable. Remediation Upgrade...

7.5CVSS6AI score0.00312EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/01 6:18 p.m.5 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the upload endpoint. An attacker can exhaust system memory by submitting specially crafted requests, potentially causing the service to become unavailable. Remediation Upgrade...

7.5CVSS6AI score0.00312EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/29 1:47 p.m.8 views

EUVD-2026-40114

phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the comple...

8.7CVSS5.8AI score0.00365EPSS
Exploits0References4
OSV
OSV
added 2026/06/29 1:47 p.m.4 views

CVE-2026-56124 phpUploader < 2.0.2 Unauthenticated Database Exposure via index model

phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the comple...

8.7CVSS6AI score0.00365EPSS
Exploits0References7
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-320 dash-uploader has a directory traversal vulnerability

Impact An unauthenticated path traversal vulnerability exists in dash-uploader versions 0.1.0 through 0.7.0a2. The library's HTTP request handler at dashuploader/httprequesthandler.py reads three form parameters uploadid, resumableFilename, resumableIdentifier from request.form.get and passes the...

9.8CVSS6.1AI score0.05982EPSS
Exploits4References9
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.13 views

PT-2026-53284

Name of the Vulnerable Software and Affected Versions phpUploader versions prior to 2.0.2 Description An unauthenticated information disclosure exists where remote attackers can access the full contents of the uploaded-files database table by visiting any page of the application. The index model...

8.7CVSS5.8AI score0.00365EPSS
Exploits0References6
CVE
CVE
added 2026/06/23 7:44 p.m.19 views

CVE-2026-53929

NocoDB (pre-2026.05.1) is affected by a Stored Cross-Site Scripting vulnerability when NC_SECURE_ATTACHMENTS=true. An authenticated uploader could deliver .html or .svg attachments that the browser renders inline from the NocoDB origin due to a header-key casing mismatch (ResponseContentDispositi...

5.1CVSS5.8AI score0.00288EPSS
Exploits0References1
OSV
OSV
added 2026/06/16 10:18 p.m.7 views

MAL-2026-5932 Malicious code in package-uploader (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 69b86134d9cd019c2d8ad172eed54cd4a48839d69ed2c6af52b79ef5080da765 [email protected] ships an install-hook.js that runs automatically as the npm postinstall script package.json declares "postinstall": "node...

5.8AI score
Exploits0References2
Packet Storm
Packet Storm
added 2026/06/09 12:0 a.m.66 views

📄 Meta AI Information Disclosure

Meta AI has publicly accessible hosted files generated through the upload workflow that expose unsanitized object metadata through response headers. The exposed metadata contains uploader-associated information including public IP addresses and additional internal object properties. The issue...

5.5AI score
Exploits0
GithubExploit
GithubExploit
added 2026/06/06 8:49 p.m.138 views

Exploit for Authentication Bypass Using an Alternate Path or Channel in Sangoma Freepbx

FreePBX 16 — Unauthenticated SQLi to RCE Proof-of-concept exp...

10CVSS6.4AI score0.93286EPSS
Exploits25
RedhatCVE
RedhatCVE
added 2026/06/05 7:49 p.m.16 views

CVE-2026-38360

Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dashuploader/httprequesthandler.py, BaseHttpRequestHandler.gettemproot, BaseHttpRequestHandler.post components...

9.8CVSS6.2AI score0.05982EPSS
Exploits4References1
Rows per page
Query Builder