1393 matches found
CVE-2026-38361
Multiple unauthenticated denial-of-service DoS issues in fohrloop dash-uploader v0.1.0 through v0.7.0a2. The chunked-upload handler dashuploader/httprequesthandler.py, dashuploader/upload.py trusts unsanitized, attacker-controlled upload parameters e.g. flowTotalChunks and does not enforce the...
CVE-2026-6619
A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads to cross site scripting. The attack may be...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...
CVE-2026-10172
A security flaw has been discovered in Bdtask Multi-Store Inventory Management System 1.0. The affected element is the function Upload of the file application/modules/dashboard/controllers/Module.php of the component Component Module. The manipulation of the argument module results in unrestricte...
CVE-2026-44587
creationtimestamp| type| source ---|---|--- 2026-05-23 05:40:33+00:00| published-proof-of-concept| https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-7g26-2qgj-chfg 2026-06-17 03:43:06+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mohfhrsnfp2j...
MAL-2026-4580 Malicious code in http-uploader-dev (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 936024fb65d6ab06a1f01fcd765b534812efb873f076e81303d87c0b141bba2b package.json declares "preinstall": "bun run index.js", which on npm install invokes Bun to run index.js. index.js detects the host OS and shells out...
PT-2026-42535
Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1 Description Concrete CMS fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field during the process of saving page type composer form layouts. An authenticated...
EUVD-2022-55978
Drupal avataruploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avataruploader.pages.inc to...
CVE-2022-50957
Drupal avataruploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avataruploader.pages.inc to...
CVE-2022-50957
CVE-2022-50957 concerns Drupal “avatar_uploader” module for version 7.x-1.0-beta8, containing a reflected cross-site scripting vulnerability. The issue arises when an attacker crafts a URL that includes a script payload in the file parameter of avatar_uploader.pages.inc, enabling execution of arb...
CVE-2022-50957 Drupal avatar_uploader 7.x-1.0-beta8 Reflected XSS
Drupal avataruploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avataruploader.pages.inc to...
PT-2026-39482
Drupal avatar uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar uploader.pages.inc to...
EUVD-2026-28802
Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dashuploader/httprequesthandler.py, aseHttpRequestHandler.gettemproot, BaseHttpRequestHandler.post components...
aurora-cycler-manager (>=0.10.0 <=0.11.4), fusion-tools (>=3.6.19 <=3.6.90) +9 more potentially affected by CVE-2026-38360 via dash-uploader (>=0.6.0 <=0.7.0a2)
dash-uploader PYPI version =0.6.0, =0.10.0, =3.6.19, =0.0.11, =0.0.30, =0.2.4b0, =0.0.50.0, =0.1.7.3, =2.0.1, =0.2.0, =0.4.1 Source cves: CVE-2026-38360 Source advisory: OSV:GHSA-3RF6-X59V-5JFV...
GHSA-3RF6-X59V-5JFV dash-uploader has a directory traversal vulnerability
Impact An unauthenticated path traversal vulnerability exists in dash-uploader versions 0.1.0 through 0.7.0a2. The library's HTTP request handler at dashuploader/httprequesthandler.py reads three form parameters uploadid, resumableFilename, resumableIdentifier from request.form.get and passes the...
dash-uploader has a directory traversal vulnerability
Impact An unauthenticated path traversal vulnerability exists in dash-uploader versions 0.1.0 through 0.7.0a2. The library's HTTP request handler at dashuploader/httprequesthandler.py reads three form parameters uploadid, resumableFilename, resumableIdentifier from request.form.get and passes the...
aurora-cycler-manager (>=0.10.0 <=0.11.4), fusion-tools (>=3.6.19 <=3.6.90) +9 more potentially affected by CVE-2026-38360 via dash-uploader (>=0.6.0 <=0.7.0a2)
dash-uploader PYPI version =0.6.0, =0.10.0, =3.6.19, =0.0.11, =0.0.30, =0.2.4b0, =0.0.50.0, =0.1.7.3, =2.0.1, =0.2.0, =0.4.1 Source cves: CVE-2026-38360 Source advisory: SNYK:PYTHON-DASHUPLOADER-16635838...
Directory Traversal
Overview dash-uploader is an Upload large files using resumable.js Affected versions of this package are vulnerable to Directory Traversal via improper validation of user-supplied input in the gettemproot and post functions. An attacker can gain unauthorized access to files and execute arbitrary...
CVE-2026-38360
Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dashuploader/httprequesthandler.py, BaseHttpRequestHandler.gettemproot, BaseHttpRequestHandler.post components...
aurora-cycler-manager (>=0.10.0 <=0.11.4), fusion-tools (>=3.6.19 <=3.6.90) +9 more potentially affected by CVE-2026-38361 via dash-uploader (>=0.6.0 <=0.7.0a2)
dash-uploader PYPI version =0.6.0, =0.10.0, =3.6.19, =0.0.11, =0.0.30, =0.2.4b0, =0.0.50.0, =0.1.7.3, =2.0.1, =0.2.0, =0.4.1 Source cves: CVE-2026-38361 Source advisory: SNYK:PYTHON-DASHUPLOADER-16635848...