Lucene search
K
GithubRecent

33227 matches found

Github Security Blog
Github Security Blog
added 2026/05/07 12:57 a.m.26 views

Gotenberg has a Server-Side Request Forgery (SSRF) Issue

Summary The SSRF hardening shipped in v8.31.0 only covers outbound URLs that Gotenberg's Go code handles — Chromium asset fetches, webhook delivery, and download-from. The LibreOffice conversion endpoint /forms/libreoffice/convert passes uploaded documents directly to LibreOffice without inspecti...

8.2CVSS5.9AI score0.00245EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:55 a.m.15 views

Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist

Summary The ExifTool metadata write blocklist in Gotenberg v8 can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. This is a bypass of the fix for GHSA-qmwh-9m9c-h36m. Details The blocklist in...

8.2CVSS5.9AI score0.0029EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:55 a.m.12 views

Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection

Unauthenticated RCE in Gotenberg via Metadata Key Newline Injection Summary Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded i...

9.8CVSS6.6AI score0.0295EPSS
Exploits2References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:52 a.m.12 views

Compromise of PyTorch Lightning PyPi Package Versions

Security Advisory: Compromise of PyTorch Lightning PyPI Package Versions Published: 2026-04-30 Last Updated: 2026-05-12 Github Advisory: CVE-2026-44484 We have identified a security incident affecting certain versions of one of our PyPI packages. What happened We have determined that one or more...

9.8CVSS5.9AI score0.00392EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:46 a.m.17 views

Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS

Summary HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br Brotli, zstd, or...

7.5CVSS5.9AI score0.00887EPSS
Exploits1References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/07 12:24 a.m.20 views

Netty Redis Codec Encoder has a CRLF Injection Issue

Security Vulnerability Report: CRLF Injection in Netty Redis Codec Encoder 1. Vulnerability Summary | Field | Value | |-------|-------| | Product | Netty | | Version | 4.2.12.Final and all prior versions with codec-redis | | Component | io.netty.handler.codec.redis.RedisEncoder | | Vulnerability...

7.1CVSS6.2AI score0.00198EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:22 a.m.16 views

Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding

Summary Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. Details Netty incorrectly marks a request as chunked when malformed "Transfer-Encoding: chunked, identity" is present. According to RFC...

7.5CVSS6AI score0.00248EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:21 a.m.13 views

Netty has HttpClientCodec response desynchronization

Summary If HttpClientCodec is configured, there are use cases when a response body from one request, can be parsed as another's. Details HttpClientCodec pairs each inbound response with an outbound request by queue.poll once per response, including for 1xx. If the client pipelines GET then HEAD a...

9.1CVSS5.8AI score0.0075EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:20 a.m.9 views

Netty Lz4FrameDecoder is vulnerable to resource exhaustion

Summary Lz4FrameDecoder allocates a ByteBuf of size decompressedLength up to 32 MB per block before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. Details...

7.5CVSS5.8AI score0.00429EPSS
Exploits1References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/07 12:19 a.m.16 views

Netty HTTP/3 QPACK literal unbounded allocation

Summary When Netty decodes HTTP/3 headers, it sometimes runs new bytelength using a length from the wire before checking that many bytes are really there. A small malicious header can claim a huge length on the order of a gigabyte. Details When decoding header blocks, the non-Huffman branch of...

7.5CVSS5.9AI score0.00437EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:18 a.m.22 views

Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization

NETTY HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization | Field | Value | |-----------|-------| | Library | io.netty:netty-codec-http | | Component | codec-http — HttpObjectDecoder | | Severity | HIGH | | Affects | HEAD, commit 4f3533ae confirmed | --- Summary HttpObjectDecoder strips a...

9.8CVSS5.8AI score0.00607EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:13 a.m.10 views

Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing

Summary Netty's chunk size parser silently overflows int, enabling request smuggling attacks. Details io.netty.handler.codec.http.HttpObjectDecodergetChunkSize silently overflows int. The size is accumulated as follows: result = 16; result += digit; The result is checked only for negative values...

6.5CVSS5.9AI score0.00364EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:12 a.m.16 views

Netty has a DNS Codec Input Validation Bypass (Encoder + Decoder)

Security Vulnerability Report: DNS Codec Input Validation Bypass in Netty Encoder + Decoder 1. Vulnerability Summary | Field | Value | |-------|-------| | Product | Netty | | Version | 4.2.12.Final and all prior versions with codec-dns | | Component | io.netty.handler.codec.dns.DnsCodecUtil | |...

9.1CVSS5.8AI score0.00969EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:11 a.m.23 views

Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735)

Security Vulnerability Report: HTTP Header Injection via HttpProxyHandler Disabled Validation in Netty 1. Vulnerability Summary | Field | Value | |-------|-------| | Product | Netty | | Version | 4.2.12.Final and all prior versions | | Component | io.netty.handler.proxy.HttpProxyHandler | |...

7.5CVSS7AI score0.00952EPSS
Exploits2References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:9 a.m.12 views

OpenSearch has ineffective TLS certificate hostname verification

Description A regression was introduced in OpenSearch 2.18.0 that caused the plugins.security.ssl.transport.enforcehostnameverification setting to be ineffective. When this setting was enabled, OpenSearch did not verify that the hostname in a connecting node's TLS certificate matched the hostname...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:8 a.m.20 views

wasmtime has a panic when allocating a table exceeding the size of the host's address space

Impact Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables ca...

7.5CVSS6AI score0.00319EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:8 a.m.17 views

OpenSearch Security plugin: DLS not applied on documents linked by has_child or has_parent relation

Description A flaw was identified in the OpenSearch Security plugin's document-level security DLS implementation. DLS restrictions were not correctly applied to search queries that use hasparent or haschild join relations. This could allow an authenticated user to access document contents that...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:8 a.m.12 views

OpenSearch vulnerable to improper authorization for Rollover Requests

Description A flaw was identified in the OpenSearch Security plugin's handling of index rollover requests. When a rollover request included an explicit target index name, the security plugin did not properly evaluate access control permissions against the target index. This could allow a user wit...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:7 a.m.18 views

OpenSearch has a bypass of REST Layer Authorization Using Malformed Paths

Description A flaw was identified in the OpenSearch REST layer that could allow authorization checks to be bypassed when processing certain malformed HTTP requests. This could permit unauthorized access to restricted API endpoints in environments that rely on REST-layer authorization...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:6 a.m.15 views

Spring Cloud AWS missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications

Impact Applications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support @NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping did not verify the signature of incoming SNS messages. An unauthenticated attacker who knows the endpoint URL could...

6.3CVSS6AI score0.00179EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:5 a.m.10 views

Vercel: Non-interactive mode includes CLI arguments in suggested command output

Summary When the Vercel CLI runs in non-interactive mode --non-interactive or auto-detected AI agent, commands that cannot complete autonomously emit JSON payloads with suggested follow-up commands. If the user authenticated via --token or -t on the command line, the token value is included...

5.5CVSS5.8AI score0.0016EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:4 a.m.31 views

Weblate vulnerable to XSS via crafted Markdown

Impact The Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. Patches https://github.com/WeblateOrg/weblate/pull/19259 Workarounds Even though the attacker might be able to inject code into the HTML, the Weblate's strict CSP should...

4.3CVSS5.8AI score0.00275EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:3 a.m.13 views

Weblate Vulnerable to Private Translation Enumeration via Screenshot API

Impact The screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. Patches https://github.com/WeblateOrg/weblate/pull/19258 Acknowledgement Weblate thanks Luay for reporting this vulnerability according to the organization's...

4.3CVSS5.8AI score0.00288EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:2 a.m.14 views

diesel-async may expose uninitialized padding bytes for MySQL temporal columns

Summary diesel-async exposes uninitialized stack padding to safe code on every read of a MySQL DATE, TIME, DATETIME, or TIMESTAMP column. Reading that buffer is undefined behavior, and the leaked bytes can contain stale heap/stack contents, so this is both a soundness bug and a potential...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 12:1 a.m.10 views

gix-fs: Symlink prefix-reuse allows worktree escape during checkout

Summary A malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to. Details During checkout, all symlink index entries are deferred and created after regular files using a...

7.8CVSS6.1AI score0.00248EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:50 p.m.28 views

Hono: bodyLimit() can be bypassed for chunked / unknown-length requests

Summary bodyLimit does not reliably enforce maxSize for requests without a usable Content-Length e.g. Transfer-Encoding: chunked. Oversized requests can reach handlers and return 200 instead of 413. Details For chunked / unknown-length requests, bodyLimit wraps the body in a stream that counts...

6.5CVSS5.8AI score0.00219EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:49 p.m.11 views

hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection

Summary Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx or createElement APIs during server-side rendering, specially crafted values may...

6.1CVSS5.7AI score0.0014EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:49 p.m.16 views

Lemmy resend-verification endpoint exposes registered email addresses to unauthenticated users

Summary The unauthenticated resend-verification endpoint returns different responses for registered and unregistered email addresses. A malicious third party can submit candidate addresses to /api/v4/account/auth/resendverificationemail and distinguish accounts from misses. Details...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:43 p.m.17 views

Playwright Capture permits access to local files and internal network resources during page capture

Playwright Capture did not sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page could abuse browser-side redirection mechanisms, such as window.location.href, to make the capture process open file:// URLs or request resources hosted on...

8.7CVSS5.8AI score0.00319EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:42 p.m.13 views

Angular SSR has Open Redirect and Request Steering via Encoded X-Forwarded-Prefix

Description A vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots %2e%2e. This allows an attacker to bypass security filters by injecting encoded path...

6.9CVSS5.8AI score0.00203EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:39 p.m.18 views

ldap3_proto has LDAP Filter stack exhaustion

Impact LDAP queries are not validated for depth, which can cause the parser both PEG and ASN to exhaust the stack. This may cause a denial of service in applications that process queries. Workarounds N/A Resources Related to GHSA-r5fr-9gmv-jggh...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:39 p.m.8 views

kanidmd_lib: Image upload validators run before authorization; PNG validator panics on malformed input

Summary The POST /v1/domain/image and POST /v1/oauth2/rsname/image handlers call validateimage on the uploaded body before the ACL check that restricts image upload to admins. Any bug in an image validator is therefore reachable by an unauthenticated remote client rather than being admin-gated. O...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:38 p.m.9 views

scim_proto and kanidm_proto have an authenticated process abort via SCIM filter stack exhaustion

Summary A single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses ≈ 4–12 KB drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with std::process::abort — the entire...

8.7CVSS5.9AI score0.00317EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/06 11:37 p.m.11 views

Kanidm has non-constant-time comparison of OAuth2 client_secret

Summary The kanidmd OAuth2 token-exchange /oauth2/token and token-introspection /oauth2/token/introspect endpoints compare the supplied clientsecret against the stored secret using Rust's PartialEq on String, which short-circuits on the first mismatching byte. This produces an observable timing...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:34 p.m.24 views

Kanidm: Stored HTML injection in "passkey-enrolment" partial via displayname → htmx-driven authenticated request forgery

Summary The kanidmd web UI renders the WebAuthn passkey-registration challenge as raw JSON inside an inline element using the Askama |safe filter. The challenge embeds the account's displayname, which serdejson serialises without escaping . A displayname containing therefore terminates the script...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:31 p.m.7 views

webauthn-rs-core/webauthn-authenticator-rs: Origin validation mismatch possible when subdomains are allowed

Summary webauthn-rs-core Relying Partyrp and webauthn-authenticator-rs client checked that an Origin in CollectedClientDataorigin is valid for an RP IDrpid with str::endswithends-with, without checking for a dot . before the RP ID when allowing subdomainsregisterable-suffix. This check is flawed,...

5.9AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/06 11:28 p.m.8 views

ShellHub has crash-DoS via field injection in filter and sort-by parameters

Summary The device list endpoint accepts user-controlled identifiers in two places that are passed directly as BSON/SQL keys in the database layer without validation: 1. The name field of each filter property in the base64-encoded filter query parameter. 2. The sortby query parameter. Any...

5.4CVSS5.9AI score0.00253EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:23 p.m.15 views

@axonflow/openclaw fix introduces plugin cache and credential-file permission hardening

Summary Two related permission defects in this AxonFlow plugin allowed registration credentials and cache state to be readable by other local users on hosts where the calling user's home directory was at the conventional 0755 mode. Affected versions Versions 1.3.2 and below. Impact 1. Cache and...

5.7AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:22 p.m.7 views

ShellHub has cross-tenant IDOR in `GET /api/sessions/:uid` that discloses SSH session data

Summary GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps belonging to any other namespace...

6.5CVSS6AI score0.00246EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:19 p.m.9 views

ShellHub has cross-tenant IDOR in `GET /api/devices/:uid` that discloses device data of any namespace

Summary GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace tenant. Any authenticated user JWT or API Key who knows or can guess a device UID can read device metadata from any other namespac...

6.5CVSS5.9AI score0.00246EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:16 p.m.7 views

axonflow-sdk-java: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification

Summary The AxonFlow SDK's WebhookSubscription or equivalent type did not expose the HMAC-SHA256 signing key returned by the platform's CreateWebhook endpoint. Without access to the secret through the typed SDK API, callers had no path to verify the X-AxonFlow-Signature header on incoming webhook...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:16 p.m.7 views

axonflow-sdk-typescript: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification

Summary The AxonFlow SDK's WebhookSubscription or equivalent type did not expose the HMAC-SHA256 signing key returned by the platform's CreateWebhook endpoint. Without access to the secret through the typed SDK API, callers had no path to verify the X-AxonFlow-Signature header on incoming webhook...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:15 p.m.8 views

axonflow-sdk-go: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification

Summary The AxonFlow SDK's WebhookSubscription or equivalent type did not expose the HMAC-SHA256 signing key returned by the platform's CreateWebhook endpoint. Without access to the secret through the typed SDK API, callers had no path to verify the X-AxonFlow-Signature header on incoming webhook...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:14 p.m.6 views

axonflow-sdk-python: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification

Summary The AxonFlow SDK's WebhookSubscription or equivalent type did not expose the HMAC-SHA256 signing key returned by the platform's CreateWebhook endpoint. Without access to the secret through the typed SDK API, callers had no path to verify the X-AxonFlow-Signature header on incoming webhook...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:13 p.m.11 views

Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening

Summary Eight independently-filed bug fixes in the v7.1.3 → v7.5.0 release window collectively close a set of multi-tenant isolation, access-control, and policy-enforcement defects in the AxonFlow platform. They are filed as a single consolidated advisory because the recommended remediation is a...

5.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:10 p.m.7 views

Netty epoll transport denial of service via RST on half-closed TCP connection

Summary Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread. Affected versions All versions of 4.2.x...

7.5CVSS5.9AI score0.00408EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:9 p.m.11 views

Keras vulnerable to DoS via Malicious .keras Model (HDF5 Shape Bomb Causes Petabyte Allocation in KerasFileEditor)

Summary Keras’s model loader KerasFileEditor unsafely loads user-supplied .keras model files containing HDF5-based weight files without performing any validation on HDF5 dataset metadata. An attacker can craft a .keras archive containing a valid model.weights.h5 file whose dataset declares an...

7.6CVSS6.8AI score0.00299EPSS
Exploits3References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:5 p.m.10 views

Nerdbank.MessagePack: Attacker-controlled stackalloc in DateTime decoding causes process-terminating StackOverflowException

Summary Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled number of bytes on the stack. This can trigger a...

7.5CVSS5.9AI score0.00358EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:4 p.m.8 views

Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks

Impact The unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting...

4.3CVSS5.8AI score0.0017EPSS
Exploits0References3Affected Software3
Github Security Blog
Github Security Blog
added 2026/05/06 11:3 p.m.6 views

Grav Form Plugin has an Anonymous Page Content Overwrite via Form File Upload filename Override

Summary Tested on Form 9.0.3 released on April, 28th The Form plugin's file upload handler at user/plugins/form/classes/Form.php:583 accepts a POST-supplied filename parameter $filename = $post'filename' ?? $upload'file''name' that overrides the original uploaded filename. The override passes...

8.7CVSS5.8AI score0.00622EPSS
Exploits0References4Affected Software1
Total number of security vulnerabilities33227