Skip to main content

File Upload

4027 CVEs technique

Monthly

CVE-2026-61457 MEDIUM PATCH This Month

Remote code execution in the Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 is achievable by authenticated API users holding the api.media.write permission via a double-extension file upload bypass. The HandlesMediaUploads::validateFileExtension() method uses PHP's pathinfo() to inspect only the final file extension, meaning a file named shell.php.jpg passes the dangerous-extension blocklist while retaining a .php segment that certain web server configurations will execute as PHP. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique is well-understood and exploitation is low-complexity once permission prerequisites are met.

File Upload PHP RCE Grav
NVD GitHub VulDB
CVSS 4.0
5.3
CVE-2026-11579 MEDIUM POC PATCH This Month

Unauthenticated file upload to the WordPress Media Library is possible in Kali Forms - Contact Form & Drag-and-Drop Builder versions before 2.4.17, because the plugin's upload handler accepts file submissions without verifying that a corresponding form with a file-upload field actually exists on the site. Any unauthenticated remote attacker can directly invoke the upload endpoint and deposit files into the Media Library. Impact is bounded by WordPress's core MIME type allowlist, which prevents upload of executable files and thereby rules out code execution; a publicly available proof-of-concept is confirmed by WPScan, and no CISA KEV listing is present at time of analysis.

File Upload RCE WordPress Kali Forms Contact Form Drag And Drop Builder
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-48356 CRITICAL Act Now

Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file upload (CWE-434) that runs in the context of the current user, letting an attacker inject malicious scripts and hijack a victim's account or session. Exploitation is network-reachable and marked unauthenticated by the CVSS vector but requires the victim to visit a crafted URL or interact with a compromised page, and the scope is changed (impact extends beyond the vulnerable component). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; Adobe rates it CVSS 9.6 critical.

File Upload RCE Adobe Adobe Commerce Adobe Commerce B2B +2
NVD
CVSS 3.1
9.6
EPSS
28.3%
CVE-2026-15677 MEDIUM POC This Month

Unrestricted file upload in code-projects Online Job Portal 1.0 exposes unauthenticated remote attackers to arbitrary file upload via the txtFile parameter in /JobSeekerInsert.php, enabling likely webshell deployment and subsequent server-side code execution. A public proof-of-concept exploit exists (no KEV listing), substantially lowering the exploitation barrier for any internet-exposed instance. The CVSS 4.0 impact metrics are conservatively rated Low across C/I/A, which understates the realistic post-exploitation potential of an unrestricted PHP file upload - successful webshell placement typically yields full OS command execution in the web server process context.

PHP File Upload Online Job Portal
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-58409 CRITICAL Act Now

Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by installing a plugin ZIP that contains a webshell. Because 'php' is explicitly whitelisted in ALLOWED_EXTENSIONS and the DENIED_EXTENSIONS denylist fails to catch standard .php files, any PHP file inside the archive is extracted directly under the web root and becomes immediately executable over HTTP without the plugin ever being enabled. The /plugins/install-url route additionally allows the archive to be sourced from any attacker-controlled HTTPS URL, validated only against an attacker-supplied SHA-256 hash. No public exploit identified at time of analysis and it is not on CISA KEV.

PHP File Upload RCE Crm
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-14906 MEDIUM This Month

PDF save functionality in Firefox for iOS allows maliciously crafted page titles to manipulate the output file path, enabling overwrites of existing PDF files or bundled application content within the Firefox iOS sandbox. All versions prior to 152.4 on Apple iOS devices are affected. An attacker operating a malicious website can lure a user into saving a page as PDF, causing the crafted title to resolve to an unintended file path within the app sandbox - potentially corrupting application state or stored documents. No public exploit has been identified at time of analysis, though SSVC classifies the vulnerability as automatable with partial technical impact.

Apple File Upload Mozilla Firefox For Ios
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-49972 HIGH PATCH This Week

Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

PHP Nginx RCE File Upload Apache +1
NVD GitHub
CVSS 4.0
7.7
EPSS
0.8%
CVE-2026-6847 CRITICAL Act Now

Remote code execution in ThemisNETPanel (vendor 4real) allows unauthenticated network attackers to fully compromise the underlying server by abusing a file-upload endpoint that lacks any authentication check. An attacker submits a base64-encoded PHP payload, writes it as an arbitrary PHP file, and executes it in the web application's context. Reported by CERT-PL with a CVSS 4.0 base score of 9.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass File Upload RCE PHP Themisnetpanel
NVD
CVSS 4.0
9.3
EPSS
0.6%
CVE-2026-57719 CRITICAL Act Now

Arbitrary file upload in CodeRevolution's Aimogen Pro WordPress plugin (versions up to and including 2.8.3) lets attackers upload files of dangerous types, typically enabling deployment of a PHP web shell and full remote code execution on the host. The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) rates it 10.0 critical, reflecting network-reachable, low-complexity, unauthenticated exploitation with a scope change. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

File Upload Aimogen Pro
NVD
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-57710 CRITICAL Act Now

Arbitrary file upload in the WoowBot Pro Max WordPress plugin (quantumcloud) through version 14.1.7 allows an authenticated attacker to upload files of dangerous types, leading to remote code execution on the underlying WordPress host. The scope-change CVSS 9.9 reflects that a low-privileged account can pivot to full server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Patchstack has confirmed and cataloged the flaw.

File Upload Woowbot Pro Max
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-15539 LOW POC Monitor

Unrestricted file upload in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers with administrative access to upload arbitrary PHP files via the Book Image Upload feature at /admin/index.php?page=books, enabling remote code execution on the host server. A public exploit proof-of-concept has been disclosed on Medium under the title 'Critical Authenticated Remote Code Execution via Unrestricted File Upload,' confirming practical exploitability. While PR:H limits exposure to actors holding admin credentials, successful exploitation yields full server-side code execution, making this a high-impact finding within its threat model.

PHP File Upload Online Book Store System
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-15553 MEDIUM This Month

Unrestricted file upload in Ragic Enterprise Cloud Database exposes all versions to unauthenticated remote exploitation, allowing attackers to plant malicious files that are subsequently served to authenticated platform users for download. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the application performs no meaningful validation of file type, content, or extension before persisting uploads. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the zero-authentication requirement and network-accessible attack vector make this a low-barrier, high-supply-chain-risk issue in environments where Ragic is used for file collaboration.

File Upload Enterprise Cloud Database
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-15518 LOW POC Monitor

Unrestricted file upload in AREA 17 Twill CMS (versions up to 3.6.0) allows authenticated admin users to upload arbitrary file types via the `qqfilename` parameter in the Media Library Insert Page, creating a direct path to remote code execution on the underlying server. A public proof-of-concept documenting the full exploitation chain from file upload to RCE has been published by Bytium. No vendor patch exists - the vendor was contacted during responsible disclosure and did not respond, leaving all installations on affected versions without an official remediation path.

PHP File Upload Twill Cms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-15488 MEDIUM This Month

Unrestricted file upload in shiroiAdmin versions 1.1 and 1.3 (PHP admin panel by hcr707305003) exposes the `FileController::upload` function to unauthenticated remote exploitation, enabling attackers to upload arbitrary files - including PHP webshells - to the server without authentication. A public exploit has been disclosed (CVSS 4.0 E:P), and the vendor did not respond to coordinated disclosure. Exploitation conditions are severe: the CVSS 4.0 vector confirms network-accessible, zero-authentication, low-complexity exploitation with no user interaction required.

Authentication Bypass File Upload PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-61448 LOW PATCH Monitor

Stored XSS execution in Parse Server (versions 9.0.0 through pre-9.10.0-alpha.2 and all 8.x releases through 8.6.83) allows authenticated users with file-upload permissions to inject persistent JavaScript that executes in the application's origin against other users, but only when a cloud-based storage adapter is configured. By crafting a deliberately malformed Content-Type header - such as 'image' or 'image/' - an attacker exploits a gap in the mime-package lookup path that renders the fileUpload.fileExtensions blocklist ineffective, causing the malformed value to be stored verbatim in Amazon S3, Google Cloud Storage, or Azure Blob Storage. Browsers receiving a syntactically invalid Content-Type fall back to MIME sniffing and render HTML file bodies as web pages in the application's origin; no public exploit has been identified and the vulnerability is absent from CISA KEV, but the stored nature means a single successful upload persists as a live threat until patched or the file is removed.

XSS Google Microsoft File Upload Parse Server
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-57827 CRITICAL Act Now

Unauthenticated arbitrary file upload in the RSFiles download-manager extension for Joomla (by RSJoomla) lets remote attackers upload executable files (e.g. PHP web shells) and achieve full remote code execution on the hosting server. The CVSS 4.0 threat metrics flag exploitation as active (E:A) and automatable (AU:Y), and NVD/ADP assigns maximum urgency, but no CISA KEV listing was provided in this data. A vendor product page and a third-party technical writeup are referenced; standalone public exploit code was not confirmed in the supplied sources.

File Upload Rsjoomla Com Rsfiles Extension For Joomla
NVD VulDB
CVSS 4.0
10.0
EPSS
0.3%
CVE-2026-57828 CRITICAL Act Now

Arbitrary file upload in the Phoca Download extension for Joomla lets any authenticated registered user upload executable files (e.g. PHP) that the server will run, yielding full remote code execution. The flaw is scored 9.0 (CVSS 4.0) and is exploitable over the network by low-privilege accounts, so any site permitting self-registration is directly at risk. A public technical write-up describing the RCE technique exists, though no active exploitation has been confirmed by CISA KEV.

File Upload Phoca Cz Phoca Download Extension For Joomla
NVD VulDB
CVSS 4.0
9.0
EPSS
0.3%
CVE-2026-2354 HIGH This Week

Arbitrary file upload in the Swiss Toolkit For WP WordPress plugin (versions ≤ 1.4.6) lets authenticated Author-level (and higher) users bypass file-type validation and upload executable PHP, potentially achieving remote code execution on the host. The flaw stems from the upload_extension_files() function using a substring match instead of a real extension check when the optional 'Enhanced Multi-Format Image Support' feature is enabled. Reported by Wordfence with a CVSS of 8.8; no public exploit identified at time of analysis.

WordPress RCE File Upload Swiss Toolkit For Wp
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-58661 MEDIUM PATCH This Month

Disk space exhaustion in n8n's data-table file upload endpoint allows an authenticated user to progressively fill the host's disk by repeatedly uploading files whose cumulative size is never checked against what already exists in the shared temporary directory. Affected versions span all n8n releases before 2.28.0 on the 2.x branch and before 1.123.58 on the 1.x branch. The flaw is rooted in a stateless per-request quota that ignores previously written files, enabling a low-privileged user to loop uploads between periodic cleanup cycles until disk space is exhausted, potentially disrupting the host and all co-resident services. No public exploit code or CISA KEV listing has been identified at time of analysis.

Denial Of Service File Upload N8n
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-41877 MEDIUM This Month

Stored XSS in R-SOFT DMS file upload functionality allows authenticated attackers to embed arbitrary HTML and JavaScript within uploaded filenames, which subsequently execute in the browsers of any user viewing the file list or upload status pages. The vulnerability affects the document management system's filename rendering pipeline, which fails to sanitize input before output into HTML context. Fixed versions are available (v3.19-2832 and v3.17-2580); no public exploit identified at time of analysis, and the product is not listed in the CISA KEV catalog.

XSS File Upload
NVD VulDB
CVSS 4.0
5.1
EPSS
0.4%
CVE-2026-15282 CRITICAL Act Now

Unauthenticated arbitrary file upload in the Instant Appointment WordPress plugin (all versions ≤ 1.2) lets remote attackers upload files of any type through the 'insapp_upload_image_as_attachment' function, which lacks file-type validation, potentially enabling remote code execution by planting a PHP webshell. Any WordPress site running the plugin is exploitable without authentication or user interaction, matching its 9.8 CVSS rating. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

WordPress RCE File Upload
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-13430 HIGH This Week

Remote code execution in the Post Export Import with Media WordPress plugin (all versions ≤ 1.13.1) is possible because a trailing-dot filename bypass (e.g. 'shell.php.') defeats the extension allow-list in ajax_import_media_start(), letting an administrator-level user smuggle an executable PHP file into the uploads directory during a media import. Reported by Wordfence, the flaw carries CVSS 7.2 and has no public exploit identified at time of analysis; exploitation requires existing administrator (PR:H) access, making it primarily a hardening/defense-in-depth bypass rather than a mass-exploitable entry point.

WordPress PHP RCE File Upload Post Export Import With Media
NVD
CVSS 3.1
7.2
EPSS
0.6%
CVE-2026-14894 CRITICAL Act Now

Unauthenticated remote code execution in the Super Forms - Drag & Drop Form Builder WordPress plugin (all versions through 6.3.313) allows attackers to upload executable files via the nopriv submit_form AJAX handler, which lacks both file-type validation (CWE-434) and any capability check. The plugin's only guardrail is a session nonce, but the companion super_create_nonce nopriv action lets any visitor mint a valid sf_nonce and session cookie on demand, collapsing the attack to two unauthenticated HTTP requests. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivial exploitability make this a high-priority patch item.

WordPress RCE File Upload Super Forms Drag Drop Form Builder
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-51924 HIGH This Week

Authenticated remote code execution in docuForm GmbH Client v11.11c lets low-privileged users abuse the report.php file-upload component to run arbitrary code on the server. The flaw combines an authorization-bypass weakness (CWE-639) with unrestricted file upload, so an attacker with any valid account can escalate to full server compromise. No public exploit identified at time of analysis, though a third-party gist referenced in NVD may contain technical write-up material; EPSS is low (0.24%, 15th percentile) and the CVE is not in CISA KEV.

Authentication Bypass File Upload RCE PHP
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-53769 Ruby MEDIUM POC PATCH GHSA This Month

{FIELD_ID}? or update? policy checks - even when both explicitly return false for the requesting user. Primarily impacts Avo Pro/Advanced multi-role deployments where non-administrator operators are expected to be constrained by per-field authorization policies. A PoC request spec confirms exploitation on Avo 3.31.2; no CISA KEV listing, so no confirmed active exploitation at time of analysis.

Authentication Bypass File Upload
NVD GitHub
CVSS 3.1
6.5
CVE-2026-43752 MEDIUM PATCH This Month

Arbitrary code execution on the host operating system is achievable by an authenticated FileMaker Server administrator via a malicious file upload through the Open Source LLM setup feature - specifically the Miniforge installer upload path - in the Admin Console. All FileMaker Server versions prior to 26.0.1 are affected; the flaw is classified as CWE-434 (unrestricted upload of a dangerous file type) and was reported directly by Apple/Claris product security. No public exploit code or CISA KEV listing exists at time of analysis, and SSVC rates exploitation as none with no automation feasibility, substantially limiting real-world risk despite the RCE classification.

RCE File Upload Filemaker Server
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-59217 MEDIUM PATCH This Month

File upload authorization bypass in Open WebUI before 0.10.0 allows authenticated users with read-only knowledge base access to inject arbitrary files into restricted knowledge bases by supplying a crafted metadata.knowledge_id parameter. The upload endpoint omits the write-access check enforced by the dedicated /api/v1/knowledge/<id>/file/add route (CWE-862), creating a privilege escalation path for any authenticated platform user. No public exploit code or CISA KEV listing exists at time of analysis, but the impact extends beyond the low CVSS integrity score - injected content directly influences LLM responses for all users of the affected knowledge base, enabling indirect prompt injection.

Authentication Bypass File Upload Open Webui
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-56291 CRITICAL POC KEV THREAT NEWS Emergency

Unauthenticated arbitrary file upload in the Balbooa Forms extension for Joomla lets remote attackers upload executable server-side scripts and achieve full remote code execution. The flaw carries a maximum CVSS 4.0 base score of 10.0 with a scope change, meaning a successful upload compromises the underlying host beyond the vulnerable extension. No public exploit identified at time of analysis, though a third-party write-up (mysites.guru) documents the flaw and the supplied CVSS metadata asserts observed attack activity.

File Upload Balbooa Com Balbooa Forms Extension For Joomla
NVD VulDB GitHub
CVSS 4.0
10.0
EPSS
0.3%
Threat
5.0
CVE-2026-15158 CRITICAL Act Now

Arbitrary file upload leading to remote code execution affects the premium Blocksy Companion Pro plugin for WordPress in all versions through 2.1.46, where the Custom Fonts extension's flawed MIME validation lets unauthenticated attackers upload executable PHP files disguised as fonts. The Custom Fonts extension registers a wp_check_filetype_and_ext filter that uses strpos() to approve any filename merely containing '.woff2' or '.ttf' anywhere in the string, so a double-extension payload like shell.woff2.php passes as a legitimate font. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress PHP RCE File Upload Blocksy Companion
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2026-8801 CRITICAL PATCH Act Now

Path-equivalence weakness in Progress MOVEit Transfer's File Upload modules lets remote attackers bypass path-normalization checks to reach or place files outside their intended scope, carrying an NVD CVSS of 9.8. It affects MOVEit Transfer before 2025.0.8 and the 2025.1.x line before 2025.1.4, and a vendor patch is available. There is no public exploit identified at time of analysis and EPSS is low (0.25%), while CISA SSVC rates exploitation as none and technical impact as only partial.

File Upload Moveit Transfer
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-60102 HIGH PATCH This Week

OS command injection in the Horde_Vfs_Smb driver of the Horde Virtual File System (VFS) API before 3.0.1 lets authenticated users execute arbitrary shell commands on the server. The flawed _escapeShellCommand() method fails to neutralize shell command-substitution sequences, so attacker-controlled filenames passed through routine file operations are interpolated into a double-quoted /bin/sh -c context and executed via proc_open() before smbclient runs. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch (v3.0.1) exists and the CVSS 4.0 base score is 7.7 (High).

Command Injection File Upload Vfs
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
1.8%
CVE-2026-58654 MEDIUM PATCH This Month

Unrestricted file upload in Grav API Plugin 1.0.0 allows authenticated users to store arbitrary content - including PHP scripts, SVG with embedded JavaScript, and polyglot payloads - via the avatar upload endpoint by supplying a forged client-declared MIME type beginning with 'image/'. The endpoint performs no server-side content inspection and imposes no extension restriction, so malicious files are written to user/accounts/avatars/ with predictable filenames. Immediate exploitation is partially mitigated by an .htaccess rule that returns HTTP 403 on direct access, but the files persist on disk and represent a latent RCE or stored XSS vector if a co-resident path traversal flaw or server misconfiguration bypasses that control. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal XSS PHP RCE File Upload
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-58480 CRITICAL PATCH Act Now

Remote code execution in the Blocksy Companion Pro WordPress plugin (all versions before 2.1.47) lets unauthenticated attackers upload executable PHP files through the Advanced Reviews feature, taking over the site. The save_attachments function relies on a flawed strpos() substring check inherited from the Custom Fonts extension, so a double-extension filename like shell.woff2.php passes validation while the server executes it as PHP. No public exploit has been identified at time of analysis, but a vendor patch (2.1.47) is available and the flaw was reported by VulnCheck.

WordPress PHP RCE File Upload Blocksy Companion
NVD
CVSS 4.0
9.2
EPSS
0.6%
CVE-2026-14489 HIGH This Week

Arbitrary file upload in the WHMCS Bridge plugin for WordPress (all versions through 6.9) lets authenticated users with Custom-level access or above upload files of any type via the unvalidated connect() function, potentially achieving remote code execution on the host. Reported by Wordfence and tracked as CWE-434, the flaw carries a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The impact hinges on the plugin's failure to enforce file-type checks before writing uploaded content to disk.

WordPress RCE File Upload Whmcs Bridge
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-14158 HIGH This Week

Remote code execution in the Widget Logic Visual WordPress plugin (all versions through 1.52) lets low-privileged authenticated users run arbitrary PHP on the server. The flaw stems from the widget-logic-update-conditional-tags AJAX action lacking a capability check and nonce verification, allowing any subscriber-and-above account to store attacker-controlled data in the 'nwlv[cod-tag]' parameter that is later passed to an eval() call by widget_logic_visual_check_visibility. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

WordPress RCE File Upload Widget Logic Visual
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-55633 HIGH PATCH This Week

Remote code execution in DataEase before 2.10.24 allows an authenticated attacker to bypass the prior H2 zip-protocol and file-dropper hardening by uploading a ZIP archive masquerading as a font file (.ttf) via the FontManage.saveFile endpoint, then invoking the H2 database zip protocol against it to execute arbitrary code on the server. The flaw is a regression that defeats an earlier fix, and carries a CVSS 4.0 score of 8.7 (High). No public exploit has been identified at time of analysis, but the vendor GitHub Security Advisory (GHSA-8x36-774q-pwqg) and two remediation commits are published.

RCE File Upload Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-23697 HIGH POC This Week

Remote code execution in Vtiger CRM before 8.4.0 lets an authenticated low-privileged user upload a malicious .phar file through the Documents module and execute arbitrary PHP. The extension denylist in config.inc.php omits .phar, and a stale Apache 2.2-syntax .htaccess is silently ignored on Apache 2.4, so the payload lands in a web-accessible directory reachable by unauthenticated HTTP - the attack begins authenticated but the final execution step is unauthenticated. Publicly available exploit code exists (published by VulnCheck/Jiva Security); no CISA KEV listing and no EPSS score were provided.

PHP Apache RCE File Upload Vtiger Crm
NVD VulDB
CVSS 4.0
8.7
EPSS
0.8%
CVE-2026-23698 HIGH POC This Week

Authenticated remote code execution in Vtiger CRM through version 8.4.0 lets an administrator upload a crafted ZIP archive through the ModuleManager import feature and drop executable PHP files directly into the web-root modules/ directory, yielding a persistent web shell. Because Apache resolves and executes those PHP files before Vtiger's routing layer runs, the resulting shell bypasses the application's authentication entirely and survives independently of the attacker's login session. Publicly available exploit code exists (VulnCheck / Jiva Security), though there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

PHP Apache RCE File Upload Vtiger Crm
NVD VulDB
CVSS 4.0
8.6
EPSS
0.9%
CVE-2026-27823 PHP CRITICAL PATCH GHSA Act Now

Remote code execution in EGroupware lets an attacker chain a broken authorization check with an arbitrary file write and an arbitrary file read to fully compromise the server. An authenticated user can forge the participant_role field in a SmallPartMediaRecorder::ajax_upload() request to impersonate a course teacher, then use path traversal to read and overwrite header.inc.php with valid but attacker-controlled PHP, yielding code execution after OPcache refresh or a setup-password change. Where self-registration is enabled the entire chain becomes reachable pre-authentication. No public exploit has been identified, but the advisory documents a complete, reproducible technique.

File Upload Path Traversal RCE PHP
NVD GitHub
CVE-2026-57871 HIGH This Week

Relative path traversal in the MicroRealEstate file upload functionality lets an authenticated low-privilege user supply crafted filenames containing directory-traversal sequences to write outside the intended upload directory and potentially overwrite system files. All releases through 1.0.0-alpha3 are affected. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 7.1, driven primarily by high availability impact.

Path Traversal File Upload
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-14345 CRITICAL Act Now

Remote code execution in the WPFunnels (Funnel Builder for WooCommerce) WordPress plugin versions up to and including 3.12.7 lets attackers write attacker-controlled 'postData' into a PHP-includeable .log file that wpfnl_show_log later renders with include_once, yielding server-side code execution. The initial injection is fully unauthenticated because the nonce guarding the optin endpoint is publicly emitted on every funnel step page, though execution only fires once an administrator opens the poisoned log via the Log Settings View while the 'Enable Logs' toggle is active. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the pre-auth injection combined with a maximal 9.8 CVSS score makes it a high-priority patch for any exposed WooCommerce funnel deployment.

WordPress RCE File Upload
NVD VulDB
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-42145 LOW PATCH Monitor

Coolify's database backup restore file upload endpoint accepts uploads without enforcing any file type or size constraints, enabling an authenticated user to degrade service availability by uploading oversized or unexpected files. All releases prior to 4.0.0-beta.474 are affected per CPE cpe:2.3:a:coollabsio:coolify. No public exploit code exists and the vulnerability is not listed in CISA KEV; with a CVSS score of 3.1 and availability-only impact, this represents a low-priority issue for most operators, especially given the authenticated access requirement.

PHP File Upload Coolify
NVD GitHub
CVSS 3.1
3.1
EPSS
0.2%
CVE-2026-9182 CRITICAL Act Now

Unrestricted file upload in Esri ArcGIS Server (all versions through 12.0) lets a remote, unauthenticated attacker push arbitrary files to an exposed administrative/upload endpoint, per CVSS PR:N. Esri self-reported the flaw (CWE-434) and rates it critical (CVSS 9.8), and successful upload of an executable payload can lead to full server compromise. There is no public exploit identified at time of analysis, and EPSS is low (0.22%, 13th percentile), indicating it is not yet a mass-exploitation target.

File Upload Arcgis Server
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-14777 LOW POC Monitor

Unrestricted file upload in SourceCodester's "Onlne Examination & Learning Management System" 1.0 (note: product name contains a known typo per CVE data) exposes the /announcements.php endpoint to arbitrary file upload by low-privileged authenticated users. A publicly available proof-of-concept, referenced under the title 'OE-LMS-RCE-3-announcements.md', demonstrates that the flaw can be leveraged for remote code execution - a significantly more severe real-world impact than the low CIA metrics in the provided CVSS 4.0 score suggest. No active exploitation (CISA KEV) has been confirmed, but the combination of low-complexity exploitation, a network-accessible vector, and a public POC elevates practical risk well above the 5.3 base score.

PHP File Upload Onlne Examination Learning Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14776 LOW POC Monitor

Unrestricted file upload in SourceCodester Onlne Examination & Learning Management System 1.0 (a PHP-based web application whose product name contains a documented typo - 'Onlne' rather than 'Online') permits remote low-privileged authenticated users to upload arbitrary files, including PHP webshells, via the /upload_files.php endpoint by exploiting inadequate extension validation in the pathinfo() function. Publicly available exploit code exists on GitHub, with the exploit document explicitly titled to reference remote code execution against this specific upload handler. No vendor-released patch has been identified, and the vulnerability is not listed in the CISA KEV catalog, though the public exploit materially lowers the barrier to exploitation.

PHP File Upload Onlne Examination Learning Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14775 LOW POC Monitor

Unrestricted file upload in SourceCodester Onlne Examination & Learning Management System 1.0 allows network-accessible, low-privilege attackers to upload arbitrary file types - including executable PHP webshells - via the `user_id` parameter in `/process_lesson.php`, with the publicly available proof-of-concept explicitly framed as a remote code execution chain. No CISA KEV listing exists, but a working exploit is publicly available on GitHub under the title 'OE-LMS-RCE-1'. The assigned CVSS 4.0 score of 2.1 with low-impact metrics materially understates the realistic impact; CWE-434 in PHP environments routinely enables full server compromise when uploads land in web-executable directories.

PHP File Upload Onlne Examination Learning Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-48204 CRITICAL PATCH Act Now

Unauthenticated NoSQL operation hijacking in Apache Camel's camel-mongodb-gridfs component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) lets a remote HTTP client override the intended GridFS operation and inject MongoDB query documents. When a route bridges an HTTP consumer such as platform-http into a mongodb-gridfs: producer that has no explicit operation set (the default), the raw gridfs.operation, gridfs.objectid and gridfs.metadata headers pass through the HTTP header filter because they lack the Camel/camel prefix, allowing an attacker to turn an intended upload into remove, listAll, or findOne and to inject NoSQL operators. There is no public exploit identified at time of analysis and EPSS is low (0.16%), but CVSS is 9.8 and SSVC rates technical impact as total and automatable.

Microsoft Apache File Upload Camel
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-14736 MEDIUM This Month

Unrestricted file upload in Ruijie RG-UAC unified access controller appliances (all versions through 1.0-R1.8.2.p5) allows unauthenticated remote attackers to upload arbitrary files via the upload_image parameter in user_auth_commit.php. The combination of an authentication bypass (CWE-284) and unrestricted file type acceptance creates a pathway to persistent server-side code execution if uploaded content reaches an executable web path. A public proof-of-concept exploit exists, elevating the urgency of remediation despite the absence of a CISA KEV listing.

Authentication Bypass File Upload PHP
NVD VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-14698 LOW POC Monitor

Unrestricted file upload in SourceCodester Syllabus-Aligned Learning Management and Examination System 1.0 allows low-privileged remote attackers to upload arbitrary file types via the upload_files.php endpoint, with potential for remote code execution through PHP webshell deployment given the application's PHP runtime environment. The vulnerability is rooted in CWE-434 and carries a network-accessible attack vector with no special configuration required beyond a valid user account. A public proof-of-concept exploit is confirmed available on Pastebin; no CISA KEV listing has been identified at time of analysis.

PHP File Upload Syllabus Aligned Learning Management And Examination System
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2024-14037 CRITICAL HOSTED Monitor

Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading malicious files through the PtFjk.mob servlet. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload RCE
NVD
CVSS 4.0
9.3
EPSS
0.7%
CVE-2022-50973 CRITICAL Act Now

Yonyou KSOA 9.0 contains an unauthenticated arbitrary file upload vulnerability in the com.sksoft.bill.ImageUpload servlet that allows unauthenticated attackers to upload arbitrary files by. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload RCE
NVD
CVSS 4.0
9.3
EPSS
0.9%
CVE-2026-5524 CRITICAL Act Now

Arbitrary file upload leading to remote code execution in the Divi Form Builder WordPress plugin (versions through 5.1.8) lets unauthenticated attackers upload executable PHP files and run arbitrary code on the server. Attacker-controlled input from the acceptFileTypes POST parameter is interpolated directly into the file-validation regex in do_image_upload(), allowing alternate PHP extensions (.phtml, .phar, .php5, .php7) that evade the plugin's .php-only .htaccess block - and on Nginx the .htaccess protection does not apply at all. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 9.8 rating and Wordfence's technical disclosure make this a high-priority patching target.

WordPress Nginx PHP RCE File Upload +1
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-27419 CRITICAL Act Now

Arbitrary file upload in the Zegen WordPress theme (versions 1.1.9 and earlier) lets a low-privileged authenticated user (Subscriber role) upload files without adequate type validation, enabling upload of executable PHP and full site compromise. The CVSS 3.1 base score is 9.9 with a scope change, reflecting that a minimally-privileged account can escalate to server-level code execution. Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.

File Upload Zegen
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-53909 MEDIUM This Month

Unrestricted file upload in MyComplianceOffice MCO version 25.3.3.1 allows an authenticated low-privileged attacker to upload files of arbitrary types by bypassing client-side-only validation controls. The CVSS 4.0 vector confirms network-accessible exploitation with low complexity, requiring only a valid low-privileged account and a web proxy to intercept and modify upload requests. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

File Upload Mco
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-10134 CRITICAL Act Now

Remote code execution in IBM Langflow OSS 1.0.0 through 1.9.3 lets an unauthenticated attacker inject and run arbitrary Python via the flow `tool_code` mechanism, gaining full control of the Langflow process. Because the scope changes (S:C), the attacker can read every process secret, read and tamper with all flows, conversations, messages, uploads and saved components in the database, reach internal services and cloud metadata endpoints, and pivot across tenants on the same instance. This is a maximum-severity (CVSS 10.0) flaw, though no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Code Injection IBM File Upload RCE Langflow
NVD
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-58170 HIGH PATCH This Week

Trading mandate forgery in HKUDS Vibe-Trading before 0.1.10 lets an admitted (low-privileged) caller supply a proposal identifier containing path traversal sequences so the application loads an attacker-controlled JSON file as an authoritative live trading mandate. Because ceiling/limit validation is skipped when ceilings are absent, the attacker fully controls the committed mandate, enabling unauthorized live trades. A vendor patch exists and the issue was reported by VulnCheck, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal File Upload Vibe Trading
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.4%
CVE-2026-58166 HIGH POC PATCH This Week

Arbitrary file write and delete in OpenBMB ChatDev through 2.2.0 lets unauthenticated remote attackers control destination paths on the server by abusing the multipart filename in the upload session endpoint. Because save_upload_file joins the attacker-supplied filename onto the temp directory without sanitization, a traversal or absolute-path filename redirects both the write and the subsequent cleanup unlink to arbitrary host locations. Publicly available exploit code exists and a vendor fix is available (commit 4fd4da6); there is no public exploit identified as actively exploited in CISA KEV at time of analysis.

Path Traversal File Upload Chatdev
NVD GitHub
CVSS 4.0
8.8
EPSS
0.6%
CVE-2026-48276 CRITICAL POC Act Now

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases lets a remote attacker upload a file of a dangerous type (e.g., a CFML/JSP payload) and execute it in the context of the current user, with no user interaction required. The CVSS 3.1 base score is the maximum 10.0 with a changed scope, reflecting that successful exploitation breaches the ColdFusion process boundary. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but ColdFusion's history of weaponized file-upload/RCE bugs makes this a high-priority patch.

RCE File Upload Coldfusion
NVD VulDB GitHub
CVSS 3.1
10.0
EPSS
0.9%
CVE-2026-48283 CRITICAL Act Now

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases stems from an unrestricted dangerous-file-type upload (CWE-434) that lets a remote attacker drop and execute a malicious payload, such as a CFM/CFML webshell, in the context of the running ColdFusion user. Rated CVSS 10.0 with a changed scope, it requires no user interaction and, per the provided vector, no authentication. No public exploit identified at time of analysis, though ColdFusion's history of weaponized upload bugs makes this a high-priority patch.

RCE File Upload Coldfusion
NVD VulDB
CVSS 3.1
10.0
EPSS
0.6%
CVE-2026-53691 HIGH This Week

Remote code execution in Redeight CMS 1.0 lets an authenticated attacker upload arbitrary PHP scripts through the admin Pages module's FileAdd endpoint, which performs no extension or MIME-type validation. The uploaded file lands in the web-accessible /uploads/files/ directory and is executed directly by the web server, yielding full server-side code execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

PHP RCE File Upload Redeight Cms
NVD VulDB
CVSS 4.0
8.6
EPSS
0.5%
CVE-2025-24815 HIGH PATCH This Week

Arbitrary file upload in Nokia MantaRay NM (network management) prior to 25R2-NM allows an authenticated, low-privileged attacker to bypass insufficient file-type validation and place malicious files on the host, leading to full compromise of confidentiality, integrity, and availability (CVSS 7.8). The flaw is a CWE-434 unrestricted upload; the CVSS vector specifies a local attack vector (AV:L) rather than remote network exploitation. No public exploit identified at time of analysis, and the EPSS score is very low (0.18%, 7th percentile).

Nokia File Upload Mantaray Nm
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-56290 CRITICAL POC KEV THREAT NEWS Emergency

Unauthenticated arbitrary file upload in the Joomlack Page Builder CK extension for Joomla allows remote attackers to upload executable (PHP) files and achieve full remote code execution on the host. Any Joomla site running this extension is exposed to complete compromise without credentials. No public exploit identified at time of analysis, though the CVSS 4.0 threat metric (E:A) supplied by the scoring source signals observed exploitation activity, and the maximum 10.0 score plus AU:Y (automatable) indicate this is highly attractive for mass scanning.

Authentication Bypass File Upload Joomlack Fr Page Builder Ck Extension For Joomla
NVD VulDB GitHub Exploit-DB
CVSS 4.0
10.0
EPSS
0.2%
Threat
5.0
CVE-2026-13165 HIGH PATCH This Week

Remote code execution in SzafirHost (KIR's Szafir electronic-signature host application) arises from a ZIP/JAR parser-confusion flaw: signature verification reads the archive's Central Directory while extraction reads local file headers sequentially, letting an attacker who controls the served native-library archive smuggle an unsigned malicious DLL/SO/DYLIB past the signature check. Versions prior to 1.2.2 are affected; the injected library is written to the native temp directory and loaded, yielding code execution on the victim's machine. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

RCE File Upload Szafirhost
NVD
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-13553 MEDIUM This Month

Unrestricted file upload in itsourcecode Online Hotel Management System 1.0 allows remote attackers to upload arbitrary files - including PHP webshells - via the `image` parameter of `/admin/mod_amenities/controller.php?action=add`. The CVSS 4.0 vector assigns PR:N (no privileges required), corroborated by the 'Authentication Bypass' tag, indicating the admin-facing endpoint is reachable without credentials. A published proof-of-concept exploit exists; no patch has been identified at time of analysis.

Authentication Bypass File Upload PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-13547 MEDIUM POC This Month

Unrestricted file upload in Hanwang e-Face General Management Platform 6.3.5.4 exposes unauthenticated remote attackers to arbitrary file upload via the /manage/resourceUpload/upload.do endpoint, with no input validation on file type or content per CWE-434. The CVSS 4.0 vector (PR:N, AC:L, AT:N) confirms the endpoint requires no authentication and is reachable over the network without special conditions. A publicly available proof-of-concept exploit has been disclosed via a Feishu wiki document, meaning exploitation tooling is accessible to low-skilled actors; this CVE is not yet listed in the CISA KEV catalog at time of analysis.

File Upload E Face General Management Platform
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13528 MEDIUM POC PATCH This Month

Path traversal in the ruoyi-vue-pro file upload endpoint exposes unauthenticated remote attackers to arbitrary file read and write operations via the `generateUploadPath` function in `FileServiceImpl.java`. All versions up to 2026.04-jdk8-SNAPSHOT are confirmed affected across both the YunaiV (GitHub) and zhijiantianya (Gitee) vendor distributions. Publicly available exploit code exists via GitHub issue #1146; no CISA KEV listing is present, but the unauthenticated network vector combined with a public proof-of-concept materially elevates operational risk above the CVSS 4.0 base score of 6.9 alone.

Java Path Traversal File Upload Ruoyi Vue Pro
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-56414 HIGH CISA Act Now

Arbitrary file upload in H.View HV-500S6 IP cameras lets an authenticated, high-privilege user (per CVSS PR:H) write unvalidated content to fixed, persistent filesystem paths reserved for trusted TLS certificate material, with no checks on file type, structure, or size. Because the planted data survives reboot, an attacker can corrupt or replace certificate stores to undermine device integrity, availability, and trust. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but it is the subject of a CISA ICS advisory (ICSA-26-176-05).

File Upload Hv 500S6 Ip Camera
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-33560 HIGH CISA Act Now

Arbitrary file upload in the Daktronics DMP-5000 (and related VFC-DMP-5000 and DMP-8000) media player file service lets authenticated users write files of any type - including executable binaries and scripts - directly to the server with no extension filtering or content inspection. This unrestricted upload (CWE-434) gives a low-privileged operator a path to plant and potentially execute malicious code on these OT digital-media/scoreboard controllers. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

File Upload Vfc Dmp 5000 Dmp 5000 Dmp 8000
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.3%
CVE-2026-57658 CRITICAL Act Now

Arbitrary file upload in the TemplateSpare WordPress plugin (versions 4.2.0 and earlier) allows an authenticated administrator-level user to upload files of dangerous types, enabling deployment of a PHP web shell and full server compromise. The flaw was reported by Patchstack and carries a CVSS of 9.1, but exploitation requires existing high-privilege (Administrator) access. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

File Upload
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-56059 CRITICAL Act Now

Arbitrary file upload in the Travel Booking WordPress theme (versions <= 2.2.5) lets an authenticated low-privileged Subscriber upload files of dangerous types, enabling web shell deployment and remote code execution. The CVSS 3.1 base score is 9.9 with a scope change (S:C), reflecting that a minimally-privileged account can fully compromise the underlying host. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-56058 CRITICAL Act Now

Arbitrary file upload in the Quform WordPress plugin (versions <= 2.23.0) lets authenticated users with only Subscriber-level privileges upload files of attacker-controlled type, enabling web shell deployment and full site takeover. The CVSS:3.1 vector (PR:L, S:C) reflects a low privilege bar combined with a scope change, which drives the 9.9 score. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-56027 CRITICAL Act Now

Arbitrary file upload in Booster for WooCommerce (plugin slug woocommerce-jetpack) versions <= 8.0.1 lets an authenticated customer-level user upload arbitrary files to the WordPress server, enabling web shell deployment and remote code execution. The CVSS 3.1 score of 9.9 reflects a scope change (S:C) where a low-privilege shop customer can fully compromise the underlying host. No public exploit identified at time of analysis; the issue was reported by Patchstack's audit team.

WordPress File Upload
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2025-71333 npm CRITICAL Act Now

Unauthenticated arbitrary file upload in Flowise (versions through 2.2.7) lets remote attackers write malicious files to arbitrary locations on the server via the whitelisted /api/v1/attachments endpoint when storageType is set to local (the default). Because the chatId and chatflowId parameters are vulnerable to path traversal, an attacker can escape the intended upload directory and drop a webshell or other executable payload, leading to remote code execution and full server compromise. No public exploit identified at time of analysis, but the flaw is trivially reachable (CVSS 4.0 9.3) and was reported by VulnCheck with a vendor security advisory.

File Upload Path Traversal RCE Flowise
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-57700 CRITICAL Act Now

Arbitrary file upload in Daan.Dev's OMGF Pro WordPress plugin (versions through 5.2.6) lets remote attackers upload files of dangerous types, enabling webshell deployment and full site/server takeover. The CVSS 3.1 base score is 10.0 with a scope-changed vector, and the vector's PR:N indicates the flaw is reachable without authentication. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

File Upload Omgf Pro
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-54024 MEDIUM PATCH This Month

Unrestricted file upload to the POST /api/convos/import endpoint in LibreChat prior to 0.8.4-rc1 allows any authenticated user to exhaust server disk space and memory, causing a denial of service. The root cause is an incomplete remediation of CVE-2024-11171: while file size limits were added to the shared multer factory, the import endpoint's independent multer instance was never updated, and the application-level fallback guard (CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES) is commented out in .env.example by default. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low exploitation complexity for any authenticated user makes this a meaningful operational risk for public-facing or open-registration deployments.

Denial Of Service File Upload Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48945 MEDIUM This Month

Unrestricted file upload in K2 Extension for Joomla (versions 1.0 through 2.26) permits attackers to embed PHP scripts inside zip or tar archives uploaded via the article gallery feature, which are then extracted as-is into the publicly accessible `/media/k2/galleries/<id>/` directory and remain directly executable via HTTP. The extension applies renaming sanitization only to recognized image types, leaving PHP, shell, and other dangerous file types completely unfiltered post-extraction - a textbook CWE-434 flaw. No public exploit has been identified at time of analysis, but the reported CVSS base vector (AV:N/AC:L/PR:N/UI:N) and the nature of the flaw indicate trivial exploitability; notably, the reported CVSS impact metrics (C:L/I:N/A:N) appear to significantly understate the actual consequence of achieving arbitrary PHP code execution on the server.

PHP File Upload K2 Extension For Joomla
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-48946 MEDIUM This Month

Unrestricted PHP file upload in K2 extension for Joomla (versions 1.0–2.26) enables any authenticated K2 Author to achieve remote code execution by uploading a PHP webshell via the frontend article-attachment upload endpoint and executing it through Apache mod_php. Because the upload handler performs no extension filtering, a `.php` file is written to `/media/k2/attachments/` and served by Apache's standard `\.php$` handler, executing arbitrary code as the web server process user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the attack path is elementary once Author-level access is obtained.

PHP Apache File Upload K2 Extension For Joomla
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-53948 MEDIUM PATCH This Month

Stored cross-site scripting in Ghost CMS (versions 6.19.4 through 6.21.0) is enabled by the Admin API file upload endpoint accepting and preserving attacker-supplied Content-Type headers without server-side validation. When Ghost is configured with S3 or GCS storage backends that serve uploaded files from the same origin as the site, an authenticated attacker can upload a file with a crafted Content-Type (e.g., text/html) that causes browsers to execute it as HTML or JavaScript, enabling stored XSS against visitors and staff. No public exploit code has been identified at time of analysis, and the vulnerability is fixed in Ghost 6.21.1.

Node.js XSS File Upload Ghost
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-54134 PyPI HIGH PATCH GHSA This Week

Arbitrary file exfiltration in OctoPrint versions through 1.11.7 and 2.0.0rc1-rc2 allows authenticated users with the FILE_UPLOAD permission to move any host file readable by the OctoPrint process into the upload folder, where it can then be downloaded. This is an incomplete-fix recurrence of CVE-2025-48067; reserved internal form fields can still be smuggled to Flask via query parameters or Tornado/Werkzeug parser differentials. No public exploit identified at time of analysis, and patches are available in 1.11.8 and 2.0.0rc3.

File Upload Python
NVD GitHub
CVE-2026-56701 PHP HIGH PATCH This Week

Arbitrary file disclosure in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated admin-panel users to read sensitive server files via XML External Entity (XXE) injection in SVG upload processing. The flaw stems from simplexml_load_string() being called without entity-loader protections, enabling exfiltration of credentials, configuration, and environment secrets. No public exploit identified at time of analysis, though the GHSA advisory includes a working proof-of-concept payload.

XXE File Upload Information Disclosure Grav
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-48500 PHP MEDIUM POC PATCH GHSA This Month

Unauthenticated arbitrary file upload in Filament (Laravel component framework) versions 3.0.0 through 3.3.51, 4.x through 4.11.4, and 5.x through 5.6.4 allows remote attackers without any credentials to write files to the application's temporary storage. Filament indiscriminately applies Livewire's WithFileUploads trait to every Livewire component embedding a schema - including the panel login form, which has no legitimate file upload need - exposing the upload endpoint publicly. The practical impact is storage exhaustion or inflated cloud storage costs; no public exploit has been identified at time of analysis.

File Upload Authentication Bypass Filament
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-56345 PHP CRITICAL Act Now

Authorization bypass in AVideo's Meet plugin (versions through 29.0) lets remote attackers hijack arbitrary user sessions, including admin, by abusing the uploadRecordedVideo.json.php endpoint which derives the target users_id from a caller-controlled filename and then invokes the passwordless User->login() path. Exploitation requires the Meet shared secret, but that secret is a deterministic MD5 of values from configuration.php and is recoverable via known path-traversal flaws or timing attacks against checkToken.json.php. No public exploit identified at time of analysis, though the VulnCheck and GHSA advisories document the attack with code-level precision.

Authentication Bypass PHP File Upload Avideo
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-55446 PyPI HIGH PATCH GHSA This Week

Unauthenticated denial-of-service in Langflow versions prior to 1.0.19 allows remote attackers to render the application unusable for all users indefinitely by sending a single crafted POST to /api/v1/files/upload/ with a malformed multipart boundary containing a very large run of hyphens. The upload endpoint processes the multipart body before performing authentication or flow-ID validation, so no token, cookie, or valid flow UUID is required. A public proof-of-concept is included in the GitHub Security Advisory GHSA-qwqc-p3q8-wcg9, though there is no public exploit identified beyond the PoC at time of analysis and the issue is not listed in CISA KEV.

Python Microsoft Apple Mozilla Denial Of Service +2
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-55778 npm LOW PATCH Monitor

Stored XSS in Parse Server's file upload handler enables authenticated users to bypass the `fileUpload.fileExtensions` blocklist by pairing a non-standard or compound filename extension (e.g., `malicious.svg~`, `malicious.html.bak`) with a dangerous Content-Type header such as `image/svg+xml` or `text/html`. On S3 and GCS storage adapters, which persist and serve the client-supplied Content-Type, the uploaded file is subsequently delivered to browsers with attacker-controlled content, executing arbitrary JavaScript against any victim who opens the file URL. This is the third incomplete-fix iteration of the same vulnerability class (following GHSA-vr5f-2r24-w5hc and GHSA-7wqv-xjf3-x35v), with patches confirmed in versions 8.6.81 and 9.9.1-alpha.11 and no public exploit or CISA KEV listing identified at time of analysis.

File Upload XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2019-25758 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Vbizz
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.7%
CVE-2026-54002 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting in Kirby CMS (getkirby/cms) lets an authenticated Panel editor inject markup that survives Dom::sanitize() and executes as JavaScript when content is rendered in the Panel or on the site frontend. The flaw affects the writer and list fields plus the Sane HTML/SVG/XML sanitization API, and versions ≤ 4.9.3 and 5.0.0-alpha.1 through 5.4.3 are vulnerable. No public exploit identified at time of analysis, and this is not in CISA KEV, but the vendor rates it high severity because a low-privileged editor can escalate to an admin session.

File Upload XSS
NVD GitHub
CVSS 4.0
8.5
EPSS
0.4%
CVE-2026-55744 PHP HIGH GHSA This Week

Cross-Site Request Forgery in the Personal File Storage (PFS) module of Cotonti 1.0.0 (commit f43f1fc3) allows remote attackers to upload arbitrary files into an authenticated victim's storage by luring them to a malicious page. The 'a=upload' action in modules/pfs/inc/pfs.main.php omits the cot_check_xg() anti-CSRF token check that sibling actions like 'delete' enforce. No public exploit identified at time of analysis, though the root cause is documented in the public source code reference.

File Upload CSRF PHP Cotonti
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-9860 HIGH This Week

Remote code execution in the Offload, AI & Optimize with Cloudflare Images WordPress plugin (versions ≤1.10.2) allows authenticated Author-level users to inject PHP into wp-config.php via the 'account-id' or 'api-key' parameters of the cf_images_do_setup AJAX handler. The handler enforces only the upload_files capability instead of manage_options, and a single-quote escape flaw lets attackers break out of a PHP string literal during the define() write. No public exploit is identified at time of analysis, but the vulnerability is reported by Wordfence with detailed root-cause analysis.

File Upload PHP WordPress RCE Offload Ai Optimize With Cloudflare Images +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-38717 CRITICAL Act Now

Unauthenticated remote command execution affects InHand Networks IR912 and IR915 industrial cellular routers running firmware V1.0.0.r20042 and earlier, where the file upload function fails to sanitize input and passes attacker-controlled data to a shell context. Successful exploitation yields code execution as root on the device. No public exploit identified at time of analysis, but the CVSS 9.8 rating and network-reachable file upload endpoint make this a high-priority patching target for any operator with these routers exposed to untrusted networks.

File Upload Command Injection N A
NVD VulDB
CVSS 3.1
9.8
EPSS
1.3%
CVE-2025-59872 CRITICAL Act Now

Unrestricted file upload in HCL ZIE for Web (Z and I Emulator) version 16.0 allows remote attackers to upload a web shell that can yield arbitrary command execution on the server, but only when the server is configured to execute uploaded code and the file lands inside the Webroot. The CVSS 3.1 base score is 9.8, yet CISA's SSVC framework rates exploitation as 'none' and not automatable with only partial technical impact, and EPSS sits at just 0.34% (26th percentile). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

File Upload Information Disclosure RCE Zie
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVSS 5.3
MEDIUM PATCH This Month

Remote code execution in the Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 is achievable by authenticated API users holding the api.media.write permission via a double-extension file upload bypass. The HandlesMediaUploads::validateFileExtension() method uses PHP's pathinfo() to inspect only the final file extension, meaning a file named shell.php.jpg passes the dangerous-extension blocklist while retaining a .php segment that certain web server configurations will execute as PHP. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique is well-understood and exploitation is low-complexity once permission prerequisites are met.

File Upload PHP RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Unauthenticated file upload to the WordPress Media Library is possible in Kali Forms - Contact Form & Drag-and-Drop Builder versions before 2.4.17, because the plugin's upload handler accepts file submissions without verifying that a corresponding form with a file-upload field actually exists on the site. Any unauthenticated remote attacker can directly invoke the upload endpoint and deposit files into the Media Library. Impact is bounded by WordPress's core MIME type allowlist, which prevents upload of executable files and thereby rules out code execution; a publicly available proof-of-concept is confirmed by WPScan, and no CISA KEV listing is present at time of analysis.

File Upload RCE WordPress +1
NVD WPScan VulDB
EPSS 28% CVSS 9.6
CRITICAL Act Now

Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file upload (CWE-434) that runs in the context of the current user, letting an attacker inject malicious scripts and hijack a victim's account or session. Exploitation is network-reachable and marked unauthenticated by the CVSS vector but requires the victim to visit a crafted URL or interact with a compromised page, and the scope is changed (impact extends beyond the vulnerable component). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; Adobe rates it CVSS 9.6 critical.

File Upload RCE Adobe +4
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unrestricted file upload in code-projects Online Job Portal 1.0 exposes unauthenticated remote attackers to arbitrary file upload via the txtFile parameter in /JobSeekerInsert.php, enabling likely webshell deployment and subsequent server-side code execution. A public proof-of-concept exploit exists (no KEV listing), substantially lowering the exploitation barrier for any internet-exposed instance. The CVSS 4.0 impact metrics are conservatively rated Low across C/I/A, which understates the realistic post-exploitation potential of an unrestricted PHP file upload - successful webshell placement typically yields full OS command execution in the web server process context.

PHP File Upload Online Job Portal
NVD VulDB GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by installing a plugin ZIP that contains a webshell. Because 'php' is explicitly whitelisted in ALLOWED_EXTENSIONS and the DENIED_EXTENSIONS denylist fails to catch standard .php files, any PHP file inside the archive is extracted directly under the web root and becomes immediately executable over HTTP without the plugin ever being enabled. The /plugins/install-url route additionally allows the archive to be sourced from any attacker-controlled HTTPS URL, validated only against an attacker-supplied SHA-256 hash. No public exploit identified at time of analysis and it is not on CISA KEV.

PHP File Upload RCE +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

PDF save functionality in Firefox for iOS allows maliciously crafted page titles to manipulate the output file path, enabling overwrites of existing PDF files or bundled application content within the Firefox iOS sandbox. All versions prior to 152.4 on Apple iOS devices are affected. An attacker operating a malicious website can lure a user into saving a page as PDF, causing the crafted title to resolve to an unintended file path within the app sandbox - potentially corrupting application state or stored documents. No public exploit has been identified at time of analysis, though SSVC classifies the vulnerability as automatable with partial technical impact.

Apple File Upload Mozilla +1
NVD VulDB
EPSS 1% CVSS 7.7
HIGH PATCH This Week

Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

PHP Nginx RCE +3
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

Remote code execution in ThemisNETPanel (vendor 4real) allows unauthenticated network attackers to fully compromise the underlying server by abusing a file-upload endpoint that lacks any authentication check. An attacker submits a base64-encoded PHP payload, writes it as an arbitrary PHP file, and executes it in the web application's context. Reported by CERT-PL with a CVSS 4.0 base score of 9.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass File Upload RCE +2
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Arbitrary file upload in CodeRevolution's Aimogen Pro WordPress plugin (versions up to and including 2.8.3) lets attackers upload files of dangerous types, typically enabling deployment of a PHP web shell and full remote code execution on the host. The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) rates it 10.0 critical, reflecting network-reachable, low-complexity, unauthenticated exploitation with a scope change. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

File Upload Aimogen Pro
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Arbitrary file upload in the WoowBot Pro Max WordPress plugin (quantumcloud) through version 14.1.7 allows an authenticated attacker to upload files of dangerous types, leading to remote code execution on the underlying WordPress host. The scope-change CVSS 9.9 reflects that a low-privileged account can pivot to full server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Patchstack has confirmed and cataloged the flaw.

File Upload Woowbot Pro Max
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Unrestricted file upload in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers with administrative access to upload arbitrary PHP files via the Book Image Upload feature at /admin/index.php?page=books, enabling remote code execution on the host server. A public exploit proof-of-concept has been disclosed on Medium under the title 'Critical Authenticated Remote Code Execution via Unrestricted File Upload,' confirming practical exploitability. While PR:H limits exposure to actors holding admin credentials, successful exploitation yields full server-side code execution, making this a high-impact finding within its threat model.

PHP File Upload Online Book Store System
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Unrestricted file upload in Ragic Enterprise Cloud Database exposes all versions to unauthenticated remote exploitation, allowing attackers to plant malicious files that are subsequently served to authenticated platform users for download. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the application performs no meaningful validation of file type, content, or extension before persisting uploads. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the zero-authentication requirement and network-accessible attack vector make this a low-barrier, high-supply-chain-risk issue in environments where Ragic is used for file collaboration.

File Upload Enterprise Cloud Database
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Unrestricted file upload in AREA 17 Twill CMS (versions up to 3.6.0) allows authenticated admin users to upload arbitrary file types via the `qqfilename` parameter in the Media Library Insert Page, creating a direct path to remote code execution on the underlying server. A public proof-of-concept documenting the full exploitation chain from file upload to RCE has been published by Bytium. No vendor patch exists - the vendor was contacted during responsible disclosure and did not respond, leaving all installations on affected versions without an official remediation path.

PHP File Upload Twill Cms
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Unrestricted file upload in shiroiAdmin versions 1.1 and 1.3 (PHP admin panel by hcr707305003) exposes the `FileController::upload` function to unauthenticated remote exploitation, enabling attackers to upload arbitrary files - including PHP webshells - to the server without authentication. A public exploit has been disclosed (CVSS 4.0 E:P), and the vendor did not respond to coordinated disclosure. Exploitation conditions are severe: the CVSS 4.0 vector confirms network-accessible, zero-authentication, low-complexity exploitation with no user interaction required.

Authentication Bypass File Upload PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Stored XSS execution in Parse Server (versions 9.0.0 through pre-9.10.0-alpha.2 and all 8.x releases through 8.6.83) allows authenticated users with file-upload permissions to inject persistent JavaScript that executes in the application's origin against other users, but only when a cloud-based storage adapter is configured. By crafting a deliberately malformed Content-Type header - such as 'image' or 'image/' - an attacker exploits a gap in the mime-package lookup path that renders the fileUpload.fileExtensions blocklist ineffective, causing the malformed value to be stored verbatim in Amazon S3, Google Cloud Storage, or Azure Blob Storage. Browsers receiving a syntactically invalid Content-Type fall back to MIME sniffing and render HTML file bodies as web pages in the application's origin; no public exploit has been identified and the vulnerability is absent from CISA KEV, but the stored nature means a single successful upload persists as a live threat until patched or the file is removed.

XSS Google Microsoft +2
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Unauthenticated arbitrary file upload in the RSFiles download-manager extension for Joomla (by RSJoomla) lets remote attackers upload executable files (e.g. PHP web shells) and achieve full remote code execution on the hosting server. The CVSS 4.0 threat metrics flag exploitation as active (E:A) and automatable (AU:Y), and NVD/ADP assigns maximum urgency, but no CISA KEV listing was provided in this data. A vendor product page and a third-party technical writeup are referenced; standalone public exploit code was not confirmed in the supplied sources.

File Upload Rsjoomla Com Rsfiles Extension For Joomla
NVD VulDB
EPSS 0% CVSS 9.0
CRITICAL Act Now

Arbitrary file upload in the Phoca Download extension for Joomla lets any authenticated registered user upload executable files (e.g. PHP) that the server will run, yielding full remote code execution. The flaw is scored 9.0 (CVSS 4.0) and is exploitable over the network by low-privilege accounts, so any site permitting self-registration is directly at risk. A public technical write-up describing the RCE technique exists, though no active exploitation has been confirmed by CISA KEV.

File Upload Phoca Cz Phoca Download Extension For Joomla
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary file upload in the Swiss Toolkit For WP WordPress plugin (versions ≤ 1.4.6) lets authenticated Author-level (and higher) users bypass file-type validation and upload executable PHP, potentially achieving remote code execution on the host. The flaw stems from the upload_extension_files() function using a substring match instead of a real extension check when the optional 'Enhanced Multi-Format Image Support' feature is enabled. Reported by Wordfence with a CVSS of 8.8; no public exploit identified at time of analysis.

WordPress RCE File Upload +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Disk space exhaustion in n8n's data-table file upload endpoint allows an authenticated user to progressively fill the host's disk by repeatedly uploading files whose cumulative size is never checked against what already exists in the shared temporary directory. Affected versions span all n8n releases before 2.28.0 on the 2.x branch and before 1.123.58 on the 1.x branch. The flaw is rooted in a stateless per-request quota that ignores previously written files, enabling a low-privileged user to loop uploads between periodic cleanup cycles until disk space is exhausted, potentially disrupting the host and all co-resident services. No public exploit code or CISA KEV listing has been identified at time of analysis.

Denial Of Service File Upload N8n
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored XSS in R-SOFT DMS file upload functionality allows authenticated attackers to embed arbitrary HTML and JavaScript within uploaded filenames, which subsequently execute in the browsers of any user viewing the file list or upload status pages. The vulnerability affects the document management system's filename rendering pipeline, which fails to sanitize input before output into HTML context. Fixed versions are available (v3.19-2832 and v3.17-2580); no public exploit identified at time of analysis, and the product is not listed in the CISA KEV catalog.

XSS File Upload
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated arbitrary file upload in the Instant Appointment WordPress plugin (all versions ≤ 1.2) lets remote attackers upload files of any type through the 'insapp_upload_image_as_attachment' function, which lacks file-type validation, potentially enabling remote code execution by planting a PHP webshell. Any WordPress site running the plugin is exploitable without authentication or user interaction, matching its 9.8 CVSS rating. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

WordPress RCE File Upload
NVD
EPSS 1% CVSS 7.2
HIGH This Week

Remote code execution in the Post Export Import with Media WordPress plugin (all versions ≤ 1.13.1) is possible because a trailing-dot filename bypass (e.g. 'shell.php.') defeats the extension allow-list in ajax_import_media_start(), letting an administrator-level user smuggle an executable PHP file into the uploads directory during a media import. Reported by Wordfence, the flaw carries CVSS 7.2 and has no public exploit identified at time of analysis; exploitation requires existing administrator (PR:H) access, making it primarily a hardening/defense-in-depth bypass rather than a mass-exploitable entry point.

WordPress PHP RCE +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote code execution in the Super Forms - Drag & Drop Form Builder WordPress plugin (all versions through 6.3.313) allows attackers to upload executable files via the nopriv submit_form AJAX handler, which lacks both file-type validation (CWE-434) and any capability check. The plugin's only guardrail is a session nonce, but the companion super_create_nonce nopriv action lets any visitor mint a valid sf_nonce and session cookie on demand, collapsing the attack to two unauthenticated HTTP requests. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivial exploitability make this a high-priority patch item.

WordPress RCE File Upload +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated remote code execution in docuForm GmbH Client v11.11c lets low-privileged users abuse the report.php file-upload component to run arbitrary code on the server. The flaw combines an authorization-bypass weakness (CWE-639) with unrestricted file upload, so an attacker with any valid account can escalate to full server compromise. No public exploit identified at time of analysis, though a third-party gist referenced in NVD may contain technical write-up material; EPSS is low (0.24%, 15th percentile) and the CVE is not in CISA KEV.

Authentication Bypass File Upload RCE +1
NVD GitHub
CVSS 6.5
MEDIUM POC PATCH This Month

{FIELD_ID}? or update? policy checks - even when both explicitly return false for the requesting user. Primarily impacts Avo Pro/Advanced multi-role deployments where non-administrator operators are expected to be constrained by per-field authorization policies. A PoC request spec confirms exploitation on Avo 3.31.2; no CISA KEV listing, so no confirmed active exploitation at time of analysis.

Authentication Bypass File Upload
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Arbitrary code execution on the host operating system is achievable by an authenticated FileMaker Server administrator via a malicious file upload through the Open Source LLM setup feature - specifically the Miniforge installer upload path - in the Admin Console. All FileMaker Server versions prior to 26.0.1 are affected; the flaw is classified as CWE-434 (unrestricted upload of a dangerous file type) and was reported directly by Apple/Claris product security. No public exploit code or CISA KEV listing exists at time of analysis, and SSVC rates exploitation as none with no automation feasibility, substantially limiting real-world risk despite the RCE classification.

RCE File Upload Filemaker Server
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

File upload authorization bypass in Open WebUI before 0.10.0 allows authenticated users with read-only knowledge base access to inject arbitrary files into restricted knowledge bases by supplying a crafted metadata.knowledge_id parameter. The upload endpoint omits the write-access check enforced by the dedicated /api/v1/knowledge/<id>/file/add route (CWE-862), creating a privilege escalation path for any authenticated platform user. No public exploit code or CISA KEV listing exists at time of analysis, but the impact extends beyond the low CVSS integrity score - injected content directly influences LLM responses for all users of the affected knowledge base, enabling indirect prompt injection.

Authentication Bypass File Upload Open Webui
NVD GitHub VulDB
EPSS 0% 5.0 CVSS 10.0
CRITICAL POC KEV THREAT Emergency

Unauthenticated arbitrary file upload in the Balbooa Forms extension for Joomla lets remote attackers upload executable server-side scripts and achieve full remote code execution. The flaw carries a maximum CVSS 4.0 base score of 10.0 with a scope change, meaning a successful upload compromises the underlying host beyond the vulnerable extension. No public exploit identified at time of analysis, though a third-party write-up (mysites.guru) documents the flaw and the supplied CVSS metadata asserts observed attack activity.

File Upload Balbooa Com Balbooa Forms Extension For Joomla
NVD VulDB GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Arbitrary file upload leading to remote code execution affects the premium Blocksy Companion Pro plugin for WordPress in all versions through 2.1.46, where the Custom Fonts extension's flawed MIME validation lets unauthenticated attackers upload executable PHP files disguised as fonts. The Custom Fonts extension registers a wp_check_filetype_and_ext filter that uses strpos() to approve any filename merely containing '.woff2' or '.ttf' anywhere in the string, so a double-extension payload like shell.woff2.php passes as a legitimate font. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress PHP RCE +2
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Path-equivalence weakness in Progress MOVEit Transfer's File Upload modules lets remote attackers bypass path-normalization checks to reach or place files outside their intended scope, carrying an NVD CVSS of 9.8. It affects MOVEit Transfer before 2025.0.8 and the 2025.1.x line before 2025.1.4, and a vendor patch is available. There is no public exploit identified at time of analysis and EPSS is low (0.25%), while CISA SSVC rates exploitation as none and technical impact as only partial.

File Upload Moveit Transfer
NVD
EPSS 2% CVSS 7.7
HIGH PATCH This Week

OS command injection in the Horde_Vfs_Smb driver of the Horde Virtual File System (VFS) API before 3.0.1 lets authenticated users execute arbitrary shell commands on the server. The flawed _escapeShellCommand() method fails to neutralize shell command-substitution sequences, so attacker-controlled filenames passed through routine file operations are interpolated into a double-quoted /bin/sh -c context and executed via proc_open() before smbclient runs. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch (v3.0.1) exists and the CVSS 4.0 base score is 7.7 (High).

Command Injection File Upload Vfs
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unrestricted file upload in Grav API Plugin 1.0.0 allows authenticated users to store arbitrary content - including PHP scripts, SVG with embedded JavaScript, and polyglot payloads - via the avatar upload endpoint by supplying a forged client-declared MIME type beginning with 'image/'. The endpoint performs no server-side content inspection and imposes no extension restriction, so malicious files are written to user/accounts/avatars/ with predictable filenames. Immediate exploitation is partially mitigated by an .htaccess rule that returns HTTP 403 on direct access, but the files persist on disk and represent a latent RCE or stored XSS vector if a co-resident path traversal flaw or server misconfiguration bypasses that control. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal XSS PHP +2
NVD GitHub
EPSS 1% CVSS 9.2
CRITICAL PATCH Act Now

Remote code execution in the Blocksy Companion Pro WordPress plugin (all versions before 2.1.47) lets unauthenticated attackers upload executable PHP files through the Advanced Reviews feature, taking over the site. The save_attachments function relies on a flawed strpos() substring check inherited from the Custom Fonts extension, so a double-extension filename like shell.woff2.php passes validation while the server executes it as PHP. No public exploit has been identified at time of analysis, but a vendor patch (2.1.47) is available and the flaw was reported by VulnCheck.

WordPress PHP RCE +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Arbitrary file upload in the WHMCS Bridge plugin for WordPress (all versions through 6.9) lets authenticated users with Custom-level access or above upload files of any type via the unvalidated connect() function, potentially achieving remote code execution on the host. Reported by Wordfence and tracked as CWE-434, the flaw carries a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The impact hinges on the plugin's failure to enforce file-type checks before writing uploaded content to disk.

WordPress RCE File Upload +1
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in the Widget Logic Visual WordPress plugin (all versions through 1.52) lets low-privileged authenticated users run arbitrary PHP on the server. The flaw stems from the widget-logic-update-conditional-tags AJAX action lacking a capability check and nonce verification, allowing any subscriber-and-above account to store attacker-controlled data in the 'nwlv[cod-tag]' parameter that is later passed to an eval() call by widget_logic_visual_check_visibility. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

WordPress RCE File Upload +1
NVD VulDB
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Remote code execution in DataEase before 2.10.24 allows an authenticated attacker to bypass the prior H2 zip-protocol and file-dropper hardening by uploading a ZIP archive masquerading as a font file (.ttf) via the FontManage.saveFile endpoint, then invoking the H2 database zip protocol against it to execute arbitrary code on the server. The flaw is a regression that defeats an earlier fix, and carries a CVSS 4.0 score of 8.7 (High). No public exploit has been identified at time of analysis, but the vendor GitHub Security Advisory (GHSA-8x36-774q-pwqg) and two remediation commits are published.

RCE File Upload Dataease
NVD GitHub
EPSS 1% CVSS 8.7
HIGH POC This Week

Remote code execution in Vtiger CRM before 8.4.0 lets an authenticated low-privileged user upload a malicious .phar file through the Documents module and execute arbitrary PHP. The extension denylist in config.inc.php omits .phar, and a stale Apache 2.2-syntax .htaccess is silently ignored on Apache 2.4, so the payload lands in a web-accessible directory reachable by unauthenticated HTTP - the attack begins authenticated but the final execution step is unauthenticated. Publicly available exploit code exists (published by VulnCheck/Jiva Security); no CISA KEV listing and no EPSS score were provided.

PHP Apache RCE +2
NVD VulDB
EPSS 1% CVSS 8.6
HIGH POC This Week

Authenticated remote code execution in Vtiger CRM through version 8.4.0 lets an administrator upload a crafted ZIP archive through the ModuleManager import feature and drop executable PHP files directly into the web-root modules/ directory, yielding a persistent web shell. Because Apache resolves and executes those PHP files before Vtiger's routing layer runs, the resulting shell bypasses the application's authentication entirely and survives independently of the attacker's login session. Publicly available exploit code exists (VulnCheck / Jiva Security), though there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

PHP Apache RCE +2
NVD VulDB
CRITICAL PATCH Act Now

Remote code execution in EGroupware lets an attacker chain a broken authorization check with an arbitrary file write and an arbitrary file read to fully compromise the server. An authenticated user can forge the participant_role field in a SmallPartMediaRecorder::ajax_upload() request to impersonate a course teacher, then use path traversal to read and overwrite header.inc.php with valid but attacker-controlled PHP, yielding code execution after OPcache refresh or a setup-password change. Where self-registration is enabled the entire chain becomes reachable pre-authentication. No public exploit has been identified, but the advisory documents a complete, reproducible technique.

File Upload Path Traversal RCE +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Relative path traversal in the MicroRealEstate file upload functionality lets an authenticated low-privilege user supply crafted filenames containing directory-traversal sequences to write outside the intended upload directory and potentially overwrite system files. All releases through 1.0.0-alpha3 are affected. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 7.1, driven primarily by high availability impact.

Path Traversal File Upload
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution in the WPFunnels (Funnel Builder for WooCommerce) WordPress plugin versions up to and including 3.12.7 lets attackers write attacker-controlled 'postData' into a PHP-includeable .log file that wpfnl_show_log later renders with include_once, yielding server-side code execution. The initial injection is fully unauthenticated because the nonce guarding the optin endpoint is publicly emitted on every funnel step page, though execution only fires once an administrator opens the poisoned log via the Log Settings View while the 'Enable Logs' toggle is active. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the pre-auth injection combined with a maximal 9.8 CVSS score makes it a high-priority patch for any exposed WooCommerce funnel deployment.

WordPress RCE File Upload
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Coolify's database backup restore file upload endpoint accepts uploads without enforcing any file type or size constraints, enabling an authenticated user to degrade service availability by uploading oversized or unexpected files. All releases prior to 4.0.0-beta.474 are affected per CPE cpe:2.3:a:coollabsio:coolify. No public exploit code exists and the vulnerability is not listed in CISA KEV; with a CVSS score of 3.1 and availability-only impact, this represents a low-priority issue for most operators, especially given the authenticated access requirement.

PHP File Upload Coolify
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unrestricted file upload in Esri ArcGIS Server (all versions through 12.0) lets a remote, unauthenticated attacker push arbitrary files to an exposed administrative/upload endpoint, per CVSS PR:N. Esri self-reported the flaw (CWE-434) and rates it critical (CVSS 9.8), and successful upload of an executable payload can lead to full server compromise. There is no public exploit identified at time of analysis, and EPSS is low (0.22%, 13th percentile), indicating it is not yet a mass-exploitation target.

File Upload Arcgis Server
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in SourceCodester's "Onlne Examination & Learning Management System" 1.0 (note: product name contains a known typo per CVE data) exposes the /announcements.php endpoint to arbitrary file upload by low-privileged authenticated users. A publicly available proof-of-concept, referenced under the title 'OE-LMS-RCE-3-announcements.md', demonstrates that the flaw can be leveraged for remote code execution - a significantly more severe real-world impact than the low CIA metrics in the provided CVSS 4.0 score suggest. No active exploitation (CISA KEV) has been confirmed, but the combination of low-complexity exploitation, a network-accessible vector, and a public POC elevates practical risk well above the 5.3 base score.

PHP File Upload Onlne Examination Learning Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in SourceCodester Onlne Examination & Learning Management System 1.0 (a PHP-based web application whose product name contains a documented typo - 'Onlne' rather than 'Online') permits remote low-privileged authenticated users to upload arbitrary files, including PHP webshells, via the /upload_files.php endpoint by exploiting inadequate extension validation in the pathinfo() function. Publicly available exploit code exists on GitHub, with the exploit document explicitly titled to reference remote code execution against this specific upload handler. No vendor-released patch has been identified, and the vulnerability is not listed in the CISA KEV catalog, though the public exploit materially lowers the barrier to exploitation.

PHP File Upload Onlne Examination Learning Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in SourceCodester Onlne Examination & Learning Management System 1.0 allows network-accessible, low-privilege attackers to upload arbitrary file types - including executable PHP webshells - via the `user_id` parameter in `/process_lesson.php`, with the publicly available proof-of-concept explicitly framed as a remote code execution chain. No CISA KEV listing exists, but a working exploit is publicly available on GitHub under the title 'OE-LMS-RCE-1'. The assigned CVSS 4.0 score of 2.1 with low-impact metrics materially understates the realistic impact; CWE-434 in PHP environments routinely enables full server compromise when uploads land in web-executable directories.

PHP File Upload Onlne Examination Learning Management System
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated NoSQL operation hijacking in Apache Camel's camel-mongodb-gridfs component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) lets a remote HTTP client override the intended GridFS operation and inject MongoDB query documents. When a route bridges an HTTP consumer such as platform-http into a mongodb-gridfs: producer that has no explicit operation set (the default), the raw gridfs.operation, gridfs.objectid and gridfs.metadata headers pass through the HTTP header filter because they lack the Camel/camel prefix, allowing an attacker to turn an intended upload into remove, listAll, or findOne and to inject NoSQL operators. There is no public exploit identified at time of analysis and EPSS is low (0.16%), but CVSS is 9.8 and SSVC rates technical impact as total and automatable.

Microsoft Apache File Upload +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Unrestricted file upload in Ruijie RG-UAC unified access controller appliances (all versions through 1.0-R1.8.2.p5) allows unauthenticated remote attackers to upload arbitrary files via the upload_image parameter in user_auth_commit.php. The combination of an authentication bypass (CWE-284) and unrestricted file type acceptance creates a pathway to persistent server-side code execution if uploaded content reaches an executable web path. A public proof-of-concept exploit exists, elevating the urgency of remediation despite the absence of a CISA KEV listing.

Authentication Bypass File Upload PHP
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in SourceCodester Syllabus-Aligned Learning Management and Examination System 1.0 allows low-privileged remote attackers to upload arbitrary file types via the upload_files.php endpoint, with potential for remote code execution through PHP webshell deployment given the application's PHP runtime environment. The vulnerability is rooted in CWE-434 and carries a network-accessible attack vector with no special configuration required beyond a valid user account. A public proof-of-concept exploit is confirmed available on Pastebin; no CISA KEV listing has been identified at time of analysis.

PHP File Upload Syllabus Aligned Learning Management And Examination System
NVD VulDB
EPSS 1% CVSS 9.3
CRITICAL HOSTED Monitor

Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading malicious files through the PtFjk.mob servlet. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload RCE
NVD
EPSS 1% CVSS 9.3
CRITICAL Act Now

Yonyou KSOA 9.0 contains an unauthenticated arbitrary file upload vulnerability in the com.sksoft.bill.ImageUpload servlet that allows unauthenticated attackers to upload arbitrary files by. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload RCE
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Arbitrary file upload leading to remote code execution in the Divi Form Builder WordPress plugin (versions through 5.1.8) lets unauthenticated attackers upload executable PHP files and run arbitrary code on the server. Attacker-controlled input from the acceptFileTypes POST parameter is interpolated directly into the file-validation regex in do_image_upload(), allowing alternate PHP extensions (.phtml, .phar, .php5, .php7) that evade the plugin's .php-only .htaccess block - and on Nginx the .htaccess protection does not apply at all. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 9.8 rating and Wordfence's technical disclosure make this a high-priority patching target.

WordPress Nginx PHP +3
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Arbitrary file upload in the Zegen WordPress theme (versions 1.1.9 and earlier) lets a low-privileged authenticated user (Subscriber role) upload files without adequate type validation, enabling upload of executable PHP and full site compromise. The CVSS 3.1 base score is 9.9 with a scope change, reflecting that a minimally-privileged account can escalate to server-level code execution. Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.

File Upload Zegen
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unrestricted file upload in MyComplianceOffice MCO version 25.3.3.1 allows an authenticated low-privileged attacker to upload files of arbitrary types by bypassing client-side-only validation controls. The CVSS 4.0 vector confirms network-accessible exploitation with low complexity, requiring only a valid low-privileged account and a web proxy to intercept and modify upload requests. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

File Upload Mco
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Remote code execution in IBM Langflow OSS 1.0.0 through 1.9.3 lets an unauthenticated attacker inject and run arbitrary Python via the flow `tool_code` mechanism, gaining full control of the Langflow process. Because the scope changes (S:C), the attacker can read every process secret, read and tamper with all flows, conversations, messages, uploads and saved components in the database, reach internal services and cloud metadata endpoints, and pivot across tenants on the same instance. This is a maximum-severity (CVSS 10.0) flaw, though no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Code Injection IBM File Upload +2
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Trading mandate forgery in HKUDS Vibe-Trading before 0.1.10 lets an admitted (low-privileged) caller supply a proposal identifier containing path traversal sequences so the application loads an attacker-controlled JSON file as an authoritative live trading mandate. Because ceiling/limit validation is skipped when ceilings are absent, the attacker fully controls the committed mandate, enabling unauthorized live trades. A vendor patch exists and the issue was reported by VulnCheck, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal File Upload Vibe Trading
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Arbitrary file write and delete in OpenBMB ChatDev through 2.2.0 lets unauthenticated remote attackers control destination paths on the server by abusing the multipart filename in the upload session endpoint. Because save_upload_file joins the attacker-supplied filename onto the temp directory without sanitization, a traversal or absolute-path filename redirects both the write and the subsequent cleanup unlink to arbitrary host locations. Publicly available exploit code exists and a vendor fix is available (commit 4fd4da6); there is no public exploit identified as actively exploited in CISA KEV at time of analysis.

Path Traversal File Upload Chatdev
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL POC Act Now

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases lets a remote attacker upload a file of a dangerous type (e.g., a CFML/JSP payload) and execute it in the context of the current user, with no user interaction required. The CVSS 3.1 base score is the maximum 10.0 with a changed scope, reflecting that successful exploitation breaches the ColdFusion process boundary. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but ColdFusion's history of weaponized file-upload/RCE bugs makes this a high-priority patch.

RCE File Upload Coldfusion
NVD VulDB GitHub
EPSS 1% CVSS 10.0
CRITICAL Act Now

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases stems from an unrestricted dangerous-file-type upload (CWE-434) that lets a remote attacker drop and execute a malicious payload, such as a CFM/CFML webshell, in the context of the running ColdFusion user. Rated CVSS 10.0 with a changed scope, it requires no user interaction and, per the provided vector, no authentication. No public exploit identified at time of analysis, though ColdFusion's history of weaponized upload bugs makes this a high-priority patch.

RCE File Upload Coldfusion
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Remote code execution in Redeight CMS 1.0 lets an authenticated attacker upload arbitrary PHP scripts through the admin Pages module's FileAdd endpoint, which performs no extension or MIME-type validation. The uploaded file lands in the web-accessible /uploads/files/ directory and is executed directly by the web server, yielding full server-side code execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

PHP RCE File Upload +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Arbitrary file upload in Nokia MantaRay NM (network management) prior to 25R2-NM allows an authenticated, low-privileged attacker to bypass insufficient file-type validation and place malicious files on the host, leading to full compromise of confidentiality, integrity, and availability (CVSS 7.8). The flaw is a CWE-434 unrestricted upload; the CVSS vector specifies a local attack vector (AV:L) rather than remote network exploitation. No public exploit identified at time of analysis, and the EPSS score is very low (0.18%, 7th percentile).

Nokia File Upload Mantaray Nm
NVD VulDB
EPSS 0% 5.0 CVSS 10.0
CRITICAL POC KEV THREAT Emergency

Unauthenticated arbitrary file upload in the Joomlack Page Builder CK extension for Joomla allows remote attackers to upload executable (PHP) files and achieve full remote code execution on the host. Any Joomla site running this extension is exposed to complete compromise without credentials. No public exploit identified at time of analysis, though the CVSS 4.0 threat metric (E:A) supplied by the scoring source signals observed exploitation activity, and the maximum 10.0 score plus AU:Y (automatable) indicate this is highly attractive for mass scanning.

Authentication Bypass File Upload Joomlack Fr Page Builder Ck Extension For Joomla
NVD VulDB GitHub Exploit-DB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Remote code execution in SzafirHost (KIR's Szafir electronic-signature host application) arises from a ZIP/JAR parser-confusion flaw: signature verification reads the archive's Central Directory while extraction reads local file headers sequentially, letting an attacker who controls the served native-library archive smuggle an unsigned malicious DLL/SO/DYLIB past the signature check. Versions prior to 1.2.2 are affected; the injected library is written to the native temp directory and loaded, yielding code execution on the victim's machine. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

RCE File Upload Szafirhost
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Unrestricted file upload in itsourcecode Online Hotel Management System 1.0 allows remote attackers to upload arbitrary files - including PHP webshells - via the `image` parameter of `/admin/mod_amenities/controller.php?action=add`. The CVSS 4.0 vector assigns PR:N (no privileges required), corroborated by the 'Authentication Bypass' tag, indicating the admin-facing endpoint is reachable without credentials. A published proof-of-concept exploit exists; no patch has been identified at time of analysis.

Authentication Bypass File Upload PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unrestricted file upload in Hanwang e-Face General Management Platform 6.3.5.4 exposes unauthenticated remote attackers to arbitrary file upload via the /manage/resourceUpload/upload.do endpoint, with no input validation on file type or content per CWE-434. The CVSS 4.0 vector (PR:N, AC:L, AT:N) confirms the endpoint requires no authentication and is reachable over the network without special conditions. A publicly available proof-of-concept exploit has been disclosed via a Feishu wiki document, meaning exploitation tooling is accessible to low-skilled actors; this CVE is not yet listed in the CISA KEV catalog at time of analysis.

File Upload E Face General Management Platform
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Path traversal in the ruoyi-vue-pro file upload endpoint exposes unauthenticated remote attackers to arbitrary file read and write operations via the `generateUploadPath` function in `FileServiceImpl.java`. All versions up to 2026.04-jdk8-SNAPSHOT are confirmed affected across both the YunaiV (GitHub) and zhijiantianya (Gitee) vendor distributions. Publicly available exploit code exists via GitHub issue #1146; no CISA KEV listing is present, but the unauthenticated network vector combined with a public proof-of-concept materially elevates operational risk above the CVSS 4.0 base score of 6.9 alone.

Java Path Traversal File Upload +1
NVD VulDB GitHub
EPSS 0% CVSS 8.6
HIGH Act Now

Arbitrary file upload in H.View HV-500S6 IP cameras lets an authenticated, high-privilege user (per CVSS PR:H) write unvalidated content to fixed, persistent filesystem paths reserved for trusted TLS certificate material, with no checks on file type, structure, or size. Because the planted data survives reboot, an attacker can corrupt or replace certificate stores to undermine device integrity, availability, and trust. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but it is the subject of a CISA ICS advisory (ICSA-26-176-05).

File Upload Hv 500S6 Ip Camera
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH Act Now

Arbitrary file upload in the Daktronics DMP-5000 (and related VFC-DMP-5000 and DMP-8000) media player file service lets authenticated users write files of any type - including executable binaries and scripts - directly to the server with no extension filtering or content inspection. This unrestricted upload (CWE-434) gives a low-privileged operator a path to plant and potentially execute malicious code on these OT digital-media/scoreboard controllers. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

File Upload Vfc Dmp 5000 Dmp 5000 +1
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Arbitrary file upload in the TemplateSpare WordPress plugin (versions 4.2.0 and earlier) allows an authenticated administrator-level user to upload files of dangerous types, enabling deployment of a PHP web shell and full server compromise. The flaw was reported by Patchstack and carries a CVSS of 9.1, but exploitation requires existing high-privilege (Administrator) access. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

File Upload
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Arbitrary file upload in the Travel Booking WordPress theme (versions <= 2.2.5) lets an authenticated low-privileged Subscriber upload files of dangerous types, enabling web shell deployment and remote code execution. The CVSS 3.1 base score is 9.9 with a scope change (S:C), reflecting that a minimally-privileged account can fully compromise the underlying host. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

File Upload
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Arbitrary file upload in the Quform WordPress plugin (versions <= 2.23.0) lets authenticated users with only Subscriber-level privileges upload files of attacker-controlled type, enabling web shell deployment and full site takeover. The CVSS:3.1 vector (PR:L, S:C) reflects a low privilege bar combined with a scope change, which drives the 9.9 score. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

File Upload
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Arbitrary file upload in Booster for WooCommerce (plugin slug woocommerce-jetpack) versions <= 8.0.1 lets an authenticated customer-level user upload arbitrary files to the WordPress server, enabling web shell deployment and remote code execution. The CVSS 3.1 score of 9.9 reflects a scope change (S:C) where a low-privilege shop customer can fully compromise the underlying host. No public exploit identified at time of analysis; the issue was reported by Patchstack's audit team.

WordPress File Upload
NVD
EPSS 1% CVSS 9.3
CRITICAL Act Now

Unauthenticated arbitrary file upload in Flowise (versions through 2.2.7) lets remote attackers write malicious files to arbitrary locations on the server via the whitelisted /api/v1/attachments endpoint when storageType is set to local (the default). Because the chatId and chatflowId parameters are vulnerable to path traversal, an attacker can escape the intended upload directory and drop a webshell or other executable payload, leading to remote code execution and full server compromise. No public exploit identified at time of analysis, but the flaw is trivially reachable (CVSS 4.0 9.3) and was reported by VulnCheck with a vendor security advisory.

File Upload Path Traversal RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Arbitrary file upload in Daan.Dev's OMGF Pro WordPress plugin (versions through 5.2.6) lets remote attackers upload files of dangerous types, enabling webshell deployment and full site/server takeover. The CVSS 3.1 base score is 10.0 with a scope-changed vector, and the vector's PR:N indicates the flaw is reachable without authentication. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

File Upload Omgf Pro
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unrestricted file upload to the POST /api/convos/import endpoint in LibreChat prior to 0.8.4-rc1 allows any authenticated user to exhaust server disk space and memory, causing a denial of service. The root cause is an incomplete remediation of CVE-2024-11171: while file size limits were added to the shared multer factory, the import endpoint's independent multer instance was never updated, and the application-level fallback guard (CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES) is commented out in .env.example by default. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low exploitation complexity for any authenticated user makes this a meaningful operational risk for public-facing or open-registration deployments.

Denial Of Service File Upload Librechat
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Unrestricted file upload in K2 Extension for Joomla (versions 1.0 through 2.26) permits attackers to embed PHP scripts inside zip or tar archives uploaded via the article gallery feature, which are then extracted as-is into the publicly accessible `/media/k2/galleries/<id>/` directory and remain directly executable via HTTP. The extension applies renaming sanitization only to recognized image types, leaving PHP, shell, and other dangerous file types completely unfiltered post-extraction - a textbook CWE-434 flaw. No public exploit has been identified at time of analysis, but the reported CVSS base vector (AV:N/AC:L/PR:N/UI:N) and the nature of the flaw indicate trivial exploitability; notably, the reported CVSS impact metrics (C:L/I:N/A:N) appear to significantly understate the actual consequence of achieving arbitrary PHP code execution on the server.

PHP File Upload K2 Extension For Joomla
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Unrestricted PHP file upload in K2 extension for Joomla (versions 1.0–2.26) enables any authenticated K2 Author to achieve remote code execution by uploading a PHP webshell via the frontend article-attachment upload endpoint and executing it through Apache mod_php. Because the upload handler performs no extension filtering, a `.php` file is written to `/media/k2/attachments/` and served by Apache's standard `\.php$` handler, executing arbitrary code as the web server process user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the attack path is elementary once Author-level access is obtained.

PHP Apache File Upload +1
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in Ghost CMS (versions 6.19.4 through 6.21.0) is enabled by the Admin API file upload endpoint accepting and preserving attacker-supplied Content-Type headers without server-side validation. When Ghost is configured with S3 or GCS storage backends that serve uploaded files from the same origin as the site, an authenticated attacker can upload a file with a crafted Content-Type (e.g., text/html) that causes browsers to execute it as HTML or JavaScript, enabling stored XSS against visitors and staff. No public exploit code has been identified at time of analysis, and the vulnerability is fixed in Ghost 6.21.1.

Node.js XSS File Upload +1
NVD GitHub
HIGH PATCH This Week

Arbitrary file exfiltration in OctoPrint versions through 1.11.7 and 2.0.0rc1-rc2 allows authenticated users with the FILE_UPLOAD permission to move any host file readable by the OctoPrint process into the upload folder, where it can then be downloaded. This is an incomplete-fix recurrence of CVE-2025-48067; reserved internal form fields can still be smuggled to Flask via query parameters or Tornado/Werkzeug parser differentials. No public exploit identified at time of analysis, and patches are available in 1.11.8 and 2.0.0rc3.

File Upload Python
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file disclosure in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated admin-panel users to read sensitive server files via XML External Entity (XXE) injection in SVG upload processing. The flaw stems from simplexml_load_string() being called without entity-loader protections, enabling exfiltration of credentials, configuration, and environment secrets. No public exploit identified at time of analysis, though the GHSA advisory includes a working proof-of-concept payload.

XXE File Upload Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Unauthenticated arbitrary file upload in Filament (Laravel component framework) versions 3.0.0 through 3.3.51, 4.x through 4.11.4, and 5.x through 5.6.4 allows remote attackers without any credentials to write files to the application's temporary storage. Filament indiscriminately applies Livewire's WithFileUploads trait to every Livewire component embedding a schema - including the panel login form, which has no legitimate file upload need - exposing the upload endpoint publicly. The practical impact is storage exhaustion or inflated cloud storage costs; no public exploit has been identified at time of analysis.

File Upload Authentication Bypass Filament
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL Act Now

Authorization bypass in AVideo's Meet plugin (versions through 29.0) lets remote attackers hijack arbitrary user sessions, including admin, by abusing the uploadRecordedVideo.json.php endpoint which derives the target users_id from a caller-controlled filename and then invokes the passwordless User->login() path. Exploitation requires the Meet shared secret, but that secret is a deterministic MD5 of values from configuration.php and is recoverable via known path-traversal flaws or timing attacks against checkToken.json.php. No public exploit identified at time of analysis, though the VulnCheck and GHSA advisories document the attack with code-level precision.

Authentication Bypass PHP File Upload +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated denial-of-service in Langflow versions prior to 1.0.19 allows remote attackers to render the application unusable for all users indefinitely by sending a single crafted POST to /api/v1/files/upload/ with a malformed multipart boundary containing a very large run of hyphens. The upload endpoint processes the multipart body before performing authentication or flow-ID validation, so no token, cookie, or valid flow UUID is required. A public proof-of-concept is included in the GitHub Security Advisory GHSA-qwqc-p3q8-wcg9, though there is no public exploit identified beyond the PoC at time of analysis and the issue is not listed in CISA KEV.

Python Microsoft Apple +4
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Stored XSS in Parse Server's file upload handler enables authenticated users to bypass the `fileUpload.fileExtensions` blocklist by pairing a non-standard or compound filename extension (e.g., `malicious.svg~`, `malicious.html.bak`) with a dangerous Content-Type header such as `image/svg+xml` or `text/html`. On S3 and GCS storage adapters, which persist and serve the client-supplied Content-Type, the uploaded file is subsequently delivered to browsers with attacker-controlled content, executing arbitrary JavaScript against any victim who opens the file URL. This is the third incomplete-fix iteration of the same vulnerability class (following GHSA-vr5f-2r24-w5hc and GHSA-7wqv-xjf3-x35v), with patches confirmed in versions 8.6.81 and 9.9.1-alpha.11 and no public exploit or CISA KEV listing identified at time of analysis.

File Upload XSS
NVD GitHub VulDB
EPSS 1% CVSS 8.7
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload +1
NVD Exploit-DB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Stored cross-site scripting in Kirby CMS (getkirby/cms) lets an authenticated Panel editor inject markup that survives Dom::sanitize() and executes as JavaScript when content is rendered in the Panel or on the site frontend. The flaw affects the writer and list fields plus the Sane HTML/SVG/XML sanitization API, and versions ≤ 4.9.3 and 5.0.0-alpha.1 through 5.4.3 are vulnerable. No public exploit identified at time of analysis, and this is not in CISA KEV, but the vendor rates it high severity because a low-privileged editor can escalate to an admin session.

File Upload XSS
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Week

Cross-Site Request Forgery in the Personal File Storage (PFS) module of Cotonti 1.0.0 (commit f43f1fc3) allows remote attackers to upload arbitrary files into an authenticated victim's storage by luring them to a malicious page. The 'a=upload' action in modules/pfs/inc/pfs.main.php omits the cot_check_xg() anti-CSRF token check that sibling actions like 'delete' enforce. No public exploit identified at time of analysis, though the root cause is documented in the public source code reference.

File Upload CSRF PHP +1
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in the Offload, AI & Optimize with Cloudflare Images WordPress plugin (versions ≤1.10.2) allows authenticated Author-level users to inject PHP into wp-config.php via the 'account-id' or 'api-key' parameters of the cf_images_do_setup AJAX handler. The handler enforces only the upload_files capability instead of manage_options, and a single-quote escape flaw lets attackers break out of a PHP string literal during the define() write. No public exploit is identified at time of analysis, but the vulnerability is reported by Wordfence with detailed root-cause analysis.

File Upload PHP WordPress +3
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote command execution affects InHand Networks IR912 and IR915 industrial cellular routers running firmware V1.0.0.r20042 and earlier, where the file upload function fails to sanitize input and passes attacker-controlled data to a shell context. Successful exploitation yields code execution as root on the device. No public exploit identified at time of analysis, but the CVSS 9.8 rating and network-reachable file upload endpoint make this a high-priority patching target for any operator with these routers exposed to untrusted networks.

File Upload Command Injection N A
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unrestricted file upload in HCL ZIE for Web (Z and I Emulator) version 16.0 allows remote attackers to upload a web shell that can yield arbitrary command execution on the server, but only when the server is configured to execute uploaded code and the file lands inside the Webroot. The CVSS 3.1 base score is 9.8, yet CISA's SSVC framework rates exploitation as 'none' and not automatable with only partial technical impact, and EPSS sits at just 0.34% (26th percentile). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

File Upload Information Disclosure RCE +1
NVD VulDB
Page 1 of 45 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy