Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
File Upload
PHP
Craft Cms
NVD
GitHub
CVSS 3.0
8.8
EPSS
1.4%