CVE-2025-67886

Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged...

CVE-2025-67706

ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded...

CVE-2025-7337

GitLab CE/EE is affected in versions 7.8 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2. An authenticated user with Developer-level access could upload large files, enabling a persistent denial-of-service for all users on the instance. Root cause: the issue stems from insufficient vali...

CVE-2023-52044

Studio-42 eLfinder 2.1.62 is vulnerable to Remote Code Execution RCE as there is no restriction for uploading files with the .php8 extension...

CVE-2023-52044

Studio-42 eLfinder 2.1.62 is vulnerable to Remote Code Execution RCE as there is no restriction for uploading files with the .php8 extension...

PT-2024-6521 · Rockwell Automation · Rockwell Automation Pavilion8

Name of the Vulnerable Software and Affected Versions: Rockwell Automation Pavilion8 affected versions not specified Description: A path traversal vulnerability exists in the Rockwell Automation affected product. If exploited, the threat actor could upload arbitrary files to the server that could...

Mini-Tmall Security Breach

Mini-Tmall is a Spring Boot based mini-Tmall mall, fast deployment and running, suitable for use as a Bijou template. A security vulnerability exists in Mini-Tmall version v2024.07.03. An attacker can exploit the vulnerability to upload arbitrary files via the component uploadUserHeadImage...

CVE-2024-1148

Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and uploading of files...

CVE-2024-23756

The HTTP PUT and DELETE methods are enabled in the Plone official Docker version 5.2.13 5221, allowing unauthenticated attackers to execute dangerous actions such as uploading files to the server or deleting them...

Cross-site Scripting (XSS)

yamcs-web is vulnerable to Cross-site Scripting XSS. The vulnerability is present because there is insufficient validation when uploading files in the library. This flaw enables an attacker to upload an HTML file that contains arbitrary JavaScript. When a user opens this file, the arbitrary...

UBUNTU-CVE-2023-37206

Uploading files which contain symlinks may have allowed an attacker to trick a user into submitting sensitive data to a malicious website. This vulnerability affects Firefox 115...

Code injection

Uploading files which contain symlinks may have allowed an attacker to trick a user into submitting sensitive data to a malicious website. This vulnerability affects Firefox 115...

CVE-2023-34944

An arbitrary file upload vulnerability in the /fileUpload.lib.php component of Chamilo 1.11. up to v1.11.18 allows attackers to execute arbitrary code via uploading a crafted SVG file...

CVE-2022-34648

Authenticated author+ Stored Cross-Site Scripting XSS vulnerability in dmitrylitvinov Uploading SVG, WEBP and ICO files plugin = 1.0.1 at WordPress...

Emerson Proficy Machine Edition 代码问题漏洞

Emerson Proficy Machine Edition is a software application from Emerson Electric USA, Inc. An automation solution. A code issue vulnerability exists in Emerson Proficy Machine Edition 9.00 and prior versions that originates from uploading any file written to the PLC logical folder to a connected P...

Top Five Attacking IPs This Month: Their Locations May Not Be Where You Think

At Wordfence, we see large amounts of threat actor data, and often that data tells unexpected stories. Taking a look at just the top five attacking IP addresses over a 30 day period, you might be surprised to find out where these attacks are originating, and what they are doing. When most people...

CVE-2022-23165

Sysaid – Sysaid 14.2.0 Reflected Cross-Site Scripting XSS - The parameter "helpPageName" used by the page "/help/treecontent.jsp" suffers from a Reflected Cross-Site Scripting vulnerability. For an attacker to exploit this Cross-Site Scripting vulnerability, it's necessary for the affected produc...

CVE-2022-22798 Sysaid – Pro Plus Edition, SysAid Help Desk Broken Access Control

Sysaid – Pro Plus Edition, SysAid Help Desk Broken Access Control v20.4.74 b10, v22.1.20 b62, v22.1.30 b49 - An attacker needs to log in as a guest after that the system redirects him to the service portal or EndUserPortal.JSP, then he needs to change the path in the URL to /ConcurrentLogin%2ejsp...

CVE-2022-0415

Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6...

UBUNTU-CVE-2022-0415

Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6...