drupal/core is vulnerable to Unrestricted File Upload. The vulnerability is caused by the failure to properly sanitize filenames within the file_save_upload()
function. This allows an attacker to potentially upload malicious system files, such as .htaccess.