dash-uploader 0.1.0 - 0.7.0a2 - Denial-of-Service via flowTotalChunks

fohrloop dash-uploader v0.1.0 through v0.7.0a2 contains a remote code execution caused by improper handling in Upload function and maxfilesize parameter in dashuploader components, letting remote attackers execute arbitrary code, exploit requires crafted request. id: CVE-2026-38361 info: name:...

WordPress Plugin Uploader 1.0.4 - Cross-Site Scripting

Multiple cross-site scripting vulnerabilities in views/notify.php in the Uploader plugin 1.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the 1 notify or 2 blog parameter. id: CVE-2013-2287 info: name: WordPress Plugin Uploader 1.0.4 - Cross-Site Scripting...

dash-uploader 0.1.0 - 0.7.0a2 - Unauthenticated Arbitrary File Write via Path Traversal

fohrloop dash-uploader v0.1.0 through v0.7.0a2 contains a directory traversal vulnerability caused by improper handling in dashuploader/httprequesthandler.py components, letting remote attackers execute arbitrary code, exploit requires no special privileges. id: CVE-2026-38360 info: name:...

CVE-2026-10172

A security flaw has been discovered in Bdtask Multi-Store Inventory Management System 1.0. The affected element is the function Upload of the file application/modules/dashboard/controllers/Module.php of the component Component Module. The manipulation of the argument module results in unrestricte...

CVE-2026-44587

creationtimestamp| type| source ---|---|--- 2026-05-23 05:40:33+00:00| published-proof-of-concept| https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-7g26-2qgj-chfg...

MAL-2026-4580 Malicious code in http-uploader-dev (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 936024fb65d6ab06a1f01fcd765b534812efb873f076e81303d87c0b141bba2b package.json declares "preinstall": "bun run index.js", which on npm install invokes Bun to run index.js. index.js detects the host OS and shells out...

PT-2026-42535

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1 Description Concrete CMS fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field during the process of saving page type composer form layouts. An authenticated...

EUVD-2022-55978

Drupal avataruploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avataruploader.pages.inc to...

CVE-2022-50957

Drupal avataruploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avataruploader.pages.inc to...

CVE-2022-50957

CVE-2022-50957 concerns Drupal “avatar_uploader” module for version 7.x-1.0-beta8, containing a reflected cross-site scripting vulnerability. The issue arises when an attacker crafts a URL that includes a script payload in the file parameter of avatar_uploader.pages.inc, enabling execution of arb...

CVE-2022-50957 Drupal avatar_uploader 7.x-1.0-beta8 Reflected XSS

Drupal avataruploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avataruploader.pages.inc to...

PT-2026-39482

Drupal avatar uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar uploader.pages.inc to...

EUVD-2026-28802

Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dashuploader/httprequesthandler.py, aseHttpRequestHandler.gettemproot, BaseHttpRequestHandler.post components...

Directory Traversal

Overview dash-uploader is an Upload large files using resumable.js Affected versions of this package are vulnerable to Directory Traversal via improper validation of user-supplied input in the gettemproot and post functions. An attacker can gain unauthorized access to files and execute arbitrary...

aurora-cycler-manager (>=0.10.0 <=0.11.2), fusion-tools (>=3.6.19 <=3.6.90) +9 more potentially affected by CVE-2026-38360 via dash-uploader (>=0.6.0 <=0.7.0a2)

dash-uploader PYPI version =0.6.0, =0.10.0, =3.6.19, =0.0.11, =0.0.30, =0.2.4b0, =0.0.50.0, =0.1.7.3, =2.0.1, =0.2.0, =0.4.1 Source cves: CVE-2026-38360 Source advisory: SNYK:PYTHON-DASHUPLOADER-16635838...

CVE-2026-38360

Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dashuploader/httprequesthandler.py, aseHttpRequestHandler.gettemproot, BaseHttpRequestHandler.post components...

Arbitrary Code Injection

Overview dash-uploader is an Upload large files using resumable.js Affected versions of this package are vulnerable to Arbitrary Code Injection via improper handling of the Upload function and the maxfilesize parameter in the affected components. An attacker can execute arbitrary code remotely by...

aurora-cycler-manager (>=0.10.0 <=0.11.2), fusion-tools (>=3.6.19 <=3.6.90) +9 more potentially affected by CVE-2026-38361 via dash-uploader (>=0.6.0 <=0.7.0a2)

dash-uploader PYPI version =0.6.0, =0.10.0, =3.6.19, =0.0.11, =0.0.30, =0.2.4b0, =0.0.50.0, =0.1.7.3, =2.0.1, =0.2.0, =0.4.1 Source cves: CVE-2026-38361 Source advisory: SNYK:PYTHON-DASHUPLOADER-16635848...

EUVD-2026-28645

An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dashuploader/httprequesthandler.py, dashuploader/upload.py in the Upload function and maxfilesize parameter, dashuploader/configureupload.py components...

PYSEC-2026-37

An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dashuploader/httprequesthandler.py, dashuploader/upload.py in the Upload function and maxfilesize parameter, dashuploader/configureupload.py components...