19 matches found
CVE-2026-28276 Initiative Allows Unauthenticated Access to Uploaded Documents via Public /uploads/ Endpoint
Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be...
CVE-2026-28276 Initiative Allows Unauthenticated Access to Uploaded Documents via Public /uploads/ Endpoint
Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be...
CVE-2026-25642
CVE-2026-25642 affects HedgeDoc; prior to version 1.10.6, the security policy for files served under /uploads/ was insufficient, resulting in a too open Content-Security-Policy and enabling hosting of malicious interactive content (e.g., fake login forms) via SVG files. The issue is fixed in 1.10...
PT-2026-6783
Name of the Vulnerable Software and Affected Versions HedgeDoc versions prior to 1.10.6 Description HedgeDoc is a real-time, collaborative, markdown notes application. Versions before 1.10.6 had a permissive Content-Security-Policy for files served under the /uploads/ endpoint. This allowed for t...
CVE-2025-63317
Todoist v8896 is vulnerable to Cross Site Scripting XSS in /api/v1/uploads. Uploaded SVG files have no sanitization applied, so embedded JavaScript executes when a user opens the attachment from a task/comment...
CVE-2025-63317
Todoist v8896 is affected by an XSS vulnerability in the /api/v1/uploads endpoint. Uploaded SVG files are not sanitized, allowing embedded JavaScript to execute when a user opens the attachment from a task or comment. The Red Hat and EU/NVD entries corroborate Todoist v8896 as vulnerable to SVG-b...
EUVD-2025-50830
An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted PHP file...
CVE-2025-63678
An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted PHP file...
CVE-2025-63678
Summary: CVE-2025-63678 affects CMS Made Simple Foundation File Manager v2.2.22. An authenticated attacker with Administrator privileges can upload a crafted PHP file to the /uploads/ endpoint, potentially leading to arbitrary code execution. This aligns with multiple sources in the connected doc...
CVE-2025-63678
An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted PHP file...
CMSmadesimple 安全漏洞
CMSmadesimple is an open source content management system from the CMS Made Simple Foundation. A security vulnerability exists in CMSmadesimple version 2.2.22, which originates from the presence of an authenticated, arbitrary file upload in the /uploads/ endpoint and could lead to the execution o...
BIT-DISCOURSE-2024-24827 No rate limits on POST /uploads endpoint in Discourse
Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact varies from site to...
CVE-2024-24827
Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact varies from site to...
CVE-2024-24827 No rate limits on POST /uploads endpoint in Discourse
Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact varies from site to...
CVE-2024-24827 No rate limits on POST /uploads endpoint in Discourse
Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact varies from site to...
PT-2024-20593 · Nginx +1 · Nginx +1
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to the latest stable, beta and tests-passed version Description: The issue affects Discourse, an open source platform for community discussion, due to the lack of a rate limit on the "POST /uploads" endpoint. This mak...
Discourse 安全漏洞
Discourse is an open source community discussion platform. The platform includes features such as community, email and chat rooms. Discourse suffers from a denial of service vulnerability that stems from the POST /uploads endpoint not being rate-limited. An attacker could exploit this vulnerabili...
PT-2018-14956 · Subrion · Subrion Cms
Name of the Vulnerable Software and Affected Versions: Subrion CMS version 4.2.1 Description: The issue allows remote attackers to execute arbitrary PHP code via a .pht or .phar file. This is because the .htaccess file omits these file types, specifically affecting the /panel/uploads endpoint...
PT-2018-13566 · Bluecms · Bluecms
Name of the Vulnerable Software and Affected Versions: BlueCMS version 1.6 Description: The issue allows SQL Injection via the user name parameter to the "uploads/user.php?act=index login" endpoint. Recommendations: For BlueCMS version 1.6, avoid using the user name parameter in the affected...