Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A security flaw has been discovered in ProjectSend r2002. This vulnerability affects unknown code of the file upload.php. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version r2029 is able to resolve this issue. The patch is named 2c0d25824ab571b6c219ac1a188ad9350149661b. You should upgrade the affected component.
AnalysisAI
Cross-site request forgery (CSRF) in ProjectSend r2002 allows unauthenticated remote attackers to perform unauthorized file upload operations via the upload.php endpoint with user interaction (UI:R). The vulnerability has been publicly disclosed with exploit code available, and ProjectSend has released patched version r2029 with commit 2c0d25824ab571b6c219ac1a188ad9350149661b to remediate the issue. While the CVSS score of 4.3 indicates low-to-moderate severity, the presence of public exploit code and lack of authentication requirements elevates the real-world risk for unpatched instances.
Technical ContextAI
ProjectSend is a PHP-based open-source file sharing application. The vulnerability resides in the upload.php file and is rooted in a Cross-Site Request Forgery (CWE-352) weakness, a class of vulnerability where an attacker can trick authenticated users into unwittingly submitting requests to perform actions on the target application. The attack mechanism exploits insufficient CSRF token validation or absence of proper anti-CSRF protections in the file upload handling logic. The CVSS vector indicates the attack requires user interaction (UI:R) and network accessibility (AV:N) with low attack complexity (AC:L), meaning a user must be socially engineered or tricked into visiting a malicious page while logged into ProjectSend. The PR:N rating confirms no authentication credentials are needed from the attacker themselves; the attacker leverages the victim's authenticated session.
RemediationAI
ProjectSend users should upgrade immediately to version r2029 or later, which includes the security fix via commit 2c0d25824ab571b6c219ac1a188ad9350149661b. The patched release is available at https://github.com/projectsend/projectsend/releases/tag/r2029. For organizations unable to upgrade immediately, implement network-level protections such as WAF (Web Application Firewall) rules to detect and block suspicious file upload requests to upload.php, enforce SameSite cookie attributes in application configuration if supported, and educate users against clicking untrusted links while authenticated to ProjectSend. Verify successful patching by confirming the commit hash 2c0d25824ab571b6c219ac1a188ad9350149661b is present in the running deployment. Additional hardening information is available via the VulDB references at https://vuldb.com/vuln/355414.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19176
GHSA-8x9f-c335-83wq