File Upload

Remote code execution in Chamilo LMS versions prior to 1.11.38 allows authenticated users (including low-privilege students) to upload and execute arbitrary PHP code through the BigUpload endpoint. Attackers exploit insufficient file extension filtering by uploading .pht files containing malicious code, which Apache servers with default .pht handlers execute as PHP. The vulnerability enables authenticated attackers to achieve full server compromise through unrestricted arbitrary file write capabilities. No public exploit identified at time of analysis.

Remote code execution in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows authenticated teachers to upload PHP webshells through the exercise sound upload function by spoofing Content-Type headers to audio/mpeg. Uploaded malicious files retain their .php extensions and execute in web-accessible directories with web server privileges (www-data). Attack requires low-privilege teacher account but no user interaction. No public exploit identified at time of analysis.

Unauthenticated path traversal in FalkorDB Browser 1.9.3 file upload API enables remote attackers to write arbitrary files to the server filesystem and execute code without authentication. Attack vector is network-accessible with low complexity, requiring no user interaction. CVSS 9.8 critical severity reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.09%, 25th percentile).

Authenticated arbitrary file overwrite in Perfmatters WordPress plugin ≤2.5.9 allows low-privileged attackers (Subscriber-level and above) to corrupt critical server files via path traversal. The PMCS::action_handler() method processes bulk activate/deactivate actions without authorization checks or nonce verification, passing unsanitized $_GET['snippets'][] values through Snippet::activate()/deactivate() to file_put_contents(). Attackers can overwrite files like .htaccess or index.php with fixed PHP docblock content, causing denial of service. Exploitation requires authenticated access with minimal privileges. No public exploit identified at time of analysis.

Authenticated file overwrite vulnerability in Directus < 11.17.0 allows low-privileged users to corrupt arbitrary files by manipulating the filename_disk parameter in PATCH /files/{id} requests. Attackers can overwrite other users' file content and forge metadata fields (e.g., uploaded_by) to hide evidence of tampering. Requires authenticated access (PR:L). Scope change (S:C) indicates potential cross-tenant impact. No public exploit identified at time of analysis.

Information disclosure in code-projects Patient Record Management System 1.0 allows unauthenticated remote attackers to access sensitive patient data via manipulation of the SQL database backup file (/db/hcpms.sql), with publicly available exploit code and user interaction required. The vulnerability affects the SQL Database Backup File Handler component and has moderate CVSS impact (4.3) but is elevated by public exploit availability and the sensitivity of healthcare data exposure.

Remote code execution in Quick Playground plugin for WordPress (all versions through 1.3.1) allows unauthenticated attackers to execute arbitrary PHP code on the server. Vulnerability stems from insufficient authorization on REST API endpoints that expose a sync code and permit unrestricted file uploads. Attackers can retrieve the sync code via unsecured endpoints, upload malicious PHP files using path traversal techniques, and achieve full server compromise without authentication. CVSS 9.8 critical severity. No public exploit identified at time of analysis.

Arbitrary file manipulation in MW WP Form plugin (WordPress) versions ≤5.1.1 allows unauthenticated attackers to move sensitive server files into web-accessible directories, enabling remote code execution. The vulnerability stems from insufficient validation of upload field keys in generate_user_file_dirpath(), exploiting WordPress's path_join() behavior with absolute paths. Attackers inject malicious keys via mwf_upload_files[] POST parameter to relocate critical files like wp-config.php. Exploitation requires forms with enabled file upload fields and 'Saving inquiry data in database' option. No public exploit identified at time of analysis.

Unauthenticated arbitrary file upload in ProSolution WP Client plugin (≤1.9.9) enables attackers to upload executable files without validation via the 'proSol_fileUploadProcess' function, leading to remote code execution on WordPress servers. Critical severity (CVSS 9.8) with network-accessible attack vector requiring no authentication or user interaction. No public exploit identified at time of analysis.

Arbitrary file upload in Gerador de Certificados - DevApps plugin for WordPress (all versions ≤1.3.6) enables authenticated administrators to upload files without type validation, creating remote code execution opportunities. The vulnerability stems from missing file type validation in the moveUploadedFile() function. CVSS 7.2 (High) reflects network-accessible attack requiring high privileges; EPSS data not provided, no public exploit identified at time of analysis, not listed in CISA KEV.

Remote code execution in DSGVO Google Web Fonts GDPR WordPress plugin (all versions ≤1.1) allows unauthenticated attackers to upload PHP webshells via arbitrary file upload. The DSGVOGWPdownloadGoogleFonts() function, exposed through wp_ajax_nopriv_ hooks, accepts user-supplied URLs without file type validation and writes content to publicly accessible directories. Exploitation requires the target site to use specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely). CVSS 9.8 Critical reflects network-accessible, unauthenticated attack vector with full system compromise potential. No public exploit identified at time of analysis, though the vulnerability class (CWE-434 unrestricted file upload) is well-understood and commonly weaponized.

Remote code execution in MATCHA INVOICE 2.6.6 and earlier allows authenticated administrators to upload arbitrary files with dangerous types, enabling arbitrary code execution on the affected server. The vulnerability affects ICZ Corporation's MATCHA INVOICE product across all versions up to and including 2.6.6. While CVSS 4.7 reflects the requirement for administrative authentication, the RCE impact and file upload mechanism present a significant post-authentication risk in environments where administrative accounts may be compromised or insider threats exist. No public exploit code or CISA KEV confirmation identified at time of analysis.

Unauthenticated arbitrary file upload in Ninja Forms - File Uploads plugin for WordPress (versions ≤3.3.26) enables remote code execution through missing file type validation in the upload handler. Attackers can upload malicious PHP files without authentication, achieving complete server compromise. CVSS 9.8 (Critical) with CVSS:3.1/AV:N/AC:L/PR:N/UI:N indicates network-based exploitation requiring no privileges or user interaction. Fully patched in version 3.3.27 following a partial fix in 3.3.25. No public exploit identified at time of analysis, though the vulnerability class (CWE-434: Unrestricted Upload of File with Dangerous Type) is well-understood and readily exploitable.

Remote code execution in Brave CMS versions prior to 2.0.6 allows authenticated users to upload and execute arbitrary PHP scripts through the CKEditor upload functionality. The vulnerability stems from unrestricted file upload in the ckupload method of CkEditorController.php, which fails to validate uploaded file types. No public exploit identified at time of analysis, though the attack requires only low-privilege authentication (PR:L) with low complexity (AC:L). CVSS 8.8 High severity reflects the complete system compromise possible post-authentication.

Unrestricted file upload in BraveCMS 2.0 (prior to 2.0.6) enables remote attackers to execute arbitrary code on the server without authentication. The CKEditor endpoint accepts malicious file uploads including executable scripts, leading to full remote code execution with CVSS 9.3 severity. EPSS data unavailable, no confirmed active exploitation (not in CISA KEV), but upstream fix is available via GitHub commit and version 2.0.6 release. Attack complexity is low with network-accessible vector requiring no privileges or user interaction, making this a critical exposure for internet-facing BraveCMS installations.

Unrestricted file upload in Cyber-III Student-Management-System allows authenticated remote attackers to upload arbitrary files via manipulation of the File parameter in /AssignmentSection/submission/upload.php, leading to potential remote code execution or data exfiltration. The vulnerability affects the move_uploaded_file function and has publicly available exploit code; the vendor has not responded to early disclosure notification. CVSS 5.3 reflects low confidentiality and integrity impact within an authenticated context, though real-world risk depends on file execution permissions and web server configuration.

Tar archive extraction allows hidden file injection by local authenticated users through crafted malicious archives, bypassing pre-extraction inspection mechanisms and enabling introduction of attacker-controlled files. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10, requires local access and user interaction (extraction action), and presents a moderate integrity risk (CVSS 5.0) with no confirmed active exploitation or public proof-of-concept at time of analysis.

Cross-site request forgery (CSRF) in ProjectSend r2002 allows unauthenticated remote attackers to perform unauthorized file upload operations via the upload.php endpoint with user interaction (UI:R). The vulnerability has been publicly disclosed with exploit code available, and ProjectSend has released patched version r2029 with commit 2c0d25824ab571b6c219ac1a188ad9350149661b to remediate the issue. While the CVSS score of 4.3 indicates low-to-moderate severity, the presence of public exploit code and lack of authentication requirements elevates the real-world risk for unpatched instances.

Cross-site scripting (XSS) in givanz Vvvebjs file upload endpoint allows unauthenticated remote attackers to inject malicious scripts via the uploadAllowExtensions parameter in upload.php. The vulnerability affects Vvvebjs versions up to 2.0.5 and requires user interaction (UI:R). A publicly available exploit exists and a patch (commit 8cac22cff99b8bc701c408aa8e887fa702755336) has been released by the vendor; EPSS exploitation likelihood is indicated as probable (E:P) with a CVSS score of 4.3.

Unrestricted file upload in SourceCodester/jkev Record Management System 1.0 allows authenticated remote attackers to upload arbitrary files via the save_emp.php Add Employee Page component, potentially enabling remote code execution. The vulnerability requires high-privilege authentication and has publicly available exploit code, though real-world risk remains limited by the authentication barrier and moderate CVSS score of 4.7.

Unrestricted file upload in Technostrobe HI-LED-WR120-G2 firmware version 5.5.0.1R6.03.30 allows remote unauthenticated attackers to upload arbitrary files by manipulating the cwd argument in the /fs endpoint. CVSS 6.9 reflects moderate confidentiality, integrity, and availability impact across local and remote boundaries. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts.

Unrestricted file upload in Campcodes Complete Online Learning Management System 1.0 allows authenticated remote attackers to upload arbitrary files via the add_lesson function in /application/models/Crud_model.php, enabling potential remote code execution or malware deployment. The vulnerability requires low-privilege authentication, carries a CVSS score of 6.3 (medium), and publicly available exploit code exists.

Unauthenticated arbitrary media upload in Listeo Core plugin for WordPress (versions up to 2.0.27) allows remote attackers to upload arbitrary files to the site's media library via the unprotected listeo_core_handle_dropped_media AJAX endpoint. The vulnerability stems from missing authorization checks and does not directly enable code execution, but significantly degrades site integrity by enabling malicious file storage and potential downstream attacks.

Arbitrary file overwrite in Directus TUS resumable upload endpoint allows authenticated users to replace any existing file by UUID, bypassing row-level access controls. The vulnerability affects the npm package directus, where the /files/tus controller validates only collection-level permissions but skips item-level authorization checks. Attackers with basic file upload permissions can permanently overwrite victim files with malicious content, potentially escalating privileges by replacing admin-owned assets. EPSS data not available, but the moderate complexity (CVSS AC:L, PR:L) and specific bypass mechanism suggest focused targeting risk. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

Parse Server file upload handler fails to validate Content-Type headers against filename extensions, allowing attackers to upload files with benign extensions (e.g., .txt) but malicious MIME types (e.g., text/html) that are served with the user-supplied Content-Type by cloud storage adapters like S3 and GCS. This enables content-type confusion attacks such as reflected XSS when files are served through CDNs or web servers that trust the stored Content-Type header. The default GridFS adapter is unaffected due to its filename-based Content-Type derivation at serving time.

Unrestricted file upload in ProjectsAndPrograms School Management System up to commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59 allows authenticated users to upload arbitrary files via the Profile Picture Handler in /admin_panel/settings.php, enabling remote code execution. The vulnerability affects the File parameter with low attack complexity and has publicly available exploit code; while CVSS 5.3 reflects moderate integrity and confidentiality impact, the low authentication requirement and network accessibility make this a practical privilege escalation and code execution vector for authenticated attackers.

Path traversal in Budibase plugin upload endpoint allows Global Builders to delete arbitrary directories and write files to any accessible filesystem path. Affecting all versions prior to 3.33.4, attackers with high privileges (Global Builder role) can exploit unsanitized filename handling in POST /api/plugin/upload to execute directory traversal attacks remotely with low complexity. CVSS 8.7 (High) with scope change indicates potential container escape or cross-tenant impact. No public exploit identified at time of analysis, though the attack vector is straightforward given the documented path traversal mechanism.

Remote code execution in BizTalk360 before version 11.5 allows any authenticated user to upload a malicious DLL and trigger its execution on the server through an unprotected DLL-loading endpoint. The vulnerability stems from missing access controls on a method that loads and executes DLL files, enabling attackers with valid domain credentials to achieve arbitrary code execution without requiring elevated privileges.

Remote code execution in Hytale Modding Wiki version 1.2.0 and earlier allows authenticated users to upload malicious PHP files through a MIME type validation bypass. The quickUpload() endpoint performs independent validation of file content (via MIME type) and filename extension, enabling attackers to craft files with benign content signatures but executable .php extensions. Uploaded files are stored in a publicly accessible location, allowing direct URL access for server-side code execution. EPSS data unavailable; publicly available exploit code exists per SSVC assessment. No vendor-released patch identified at time of analysis.

Unbounded disk consumption in Rack's multipart parser allows remote denial of service when HTTP requests lack Content-Length headers. Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 fail to enforce size limits on multipart/form-data uploads sent via chunked transfer encoding, enabling unauthenticated attackers to exhaust disk space by streaming arbitrarily large file uploads. CVSS 7.5 (High) reflects the network-accessible, low-complexity attack requiring no privileges. No public exploit identified at time of analysis, though the attack technique is well-understood.

Remote code execution in Progress ShareFile Storage Zones Controller allows authenticated administrators to upload and execute malicious files on the server. This vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, and carries a 9.1 CVSS score due to scope change enabling post-compromise lateral movement. The attack requires high privileges but no user interaction, making it a priority target for attackers who have compromised admin credentials through phishing or credential theft.

Arbitrary file movement in MW WP Form plugin for WordPress (all versions ≤5.1.0) allows unauthenticated remote attackers to relocate server files and achieve remote code execution by moving critical files like wp-config.php. Exploitation requires a form with file upload capability and database inquiry storage enabled. CVSS 8.1 with network attack vector and high attack complexity. EPSS data not provided; no public exploit or CISA KEV status identified at time of analysis, though Wordfence threat intelligence has documented the vulnerability with source code references.

Unrestricted file upload in Harvard IQSS Dataverse versions up to 6.8 allows authenticated users to bypass theme customization controls via manipulation of the uploadLogo parameter in /ThemeAndWidgets.xhtml, enabling arbitrary file upload with low confidentiality, integrity, and availability impact. The vulnerability is publicly exploitable with proof-of-concept code available; CVSS 5.3 reflects the authenticated attack vector and limited scope, though the ease of exploitation (Attack Complexity Low, Exploitation proven) combined with public POC increases practical risk. Vendor released patched version 6.10 and responded swiftly to early disclosure.

Unrestricted file upload in Shandong Hoteam InforCenter PLM versions up to 8.3.8 allows remote unauthenticated attackers to upload arbitrary files via the uploadFileToIIS function in /Base/BaseHandler.ashx, with a CVSS score of 6.9 and publicly available exploit code. The vendor did not respond to early disclosure notification, leaving all affected versions unpatched and at active risk.

Unrestricted file upload in SourceCodester Simple Doctors Appointment System up to version 1.0 allows authenticated remote attackers to upload arbitrary files via the img parameter in /doctors_appointment/admin/ajax.php?action=save_category, potentially leading to remote code execution. The vulnerability has publicly available exploit code and carries a CVSS score of 5.3 with limited impact scope, though it requires valid login credentials to exploit.

Arbitrary code execution in baserCMS versions before 5.2.3 allows authenticated administrators to achieve remote code execution via malicious PHP files embedded in backup restore archives. The vulnerability exploits unsafe file inclusion during ZIP extraction in the restore function, where uploaded PHP files are executed via require_once without filename validation. No public exploit identified at time of analysis, though EPSS score of 0.00043 (0.043%) and CVSS 8.7 indicate moderate theoretical risk mitigated by high privilege requirements (PR:H).

Arbitrary file overwrite vulnerability in RAREPROB SOLUTIONS PRIVATE LIMITED Video player Play All Videos v1.0.135 enables remote attackers to overwrite critical internal files during the file import process, resulting in arbitrary code execution or information disclosure. No CVSS score, exploitation data, or vendor patch information is currently available; the vulnerability was disclosed via academic research channels rather than coordinated vendor notification.

Grav CMS versions 1.7.x and earlier allow XML External Entity (XXE) injection through SVG file uploads in the administrative panel and File Manager plugin, potentially enabling remote code execution or information disclosure to authenticated administrators. No CVSS score, CVSS vector, or CWE classification has been assigned; exploitation status and patch availability cannot be confirmed from available data.

Unrestricted file upload in PromtEngineer localGPT allows remote attackers to upload arbitrary files via the do_POST function in backend/server.py, enabling potential remote code execution or system compromise. The vulnerability affects all versions up to commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054, impacts unauthenticated remote users, and publicly available exploit code exists. The vendor has not responded to early disclosure attempts, leaving the product unpatched.

Remote code execution in Bludit CMS versions prior to 3.18.4 allows authenticated attackers holding valid API tokens to upload and execute arbitrary files through the API plugin's unrestricted file upload mechanism. The vulnerability has a CVSS 4.0 score of 8.7 with network attack vector and low complexity, requires authenticated access (PR:L), and was reported by CERT-PL. No public exploit identified at time of analysis, though the technical details are publicly disclosed.

Stored XSS in Uploady file uploader (farisc0de/Uploady versions prior to 3.1.2) allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by uploading files with malicious filenames that are rendered without proper escaping in file list and details pages. The vulnerability requires user interaction (viewing the affected page) and authenticated access, resulting in confidentiality and integrity impact with a CVSS score of 4.6. Vendor-released patch version 3.1.2 is available.

FileRise versions 2.3.7 through 3.10.0 suffer from improper access control in the file snippet endpoint, allowing authenticated users with read-only access to retrieve file content uploaded by other users in shared folders. An attacker with limited folder permissions can exploit this authorization bypass to view sensitive files beyond their intended access scope. The vulnerability affects FileRise running on PHP and is resolved in version 3.11.0.

Mattermost server versions 10.11.x through 11.4.x fail to validate decompressed archive entry sizes during ZIP file extraction, allowing authenticated users with file upload permissions to trigger denial of service by uploading crafted zip bombs that exhaust server memory. The vulnerability affects Mattermost 10.11.0-10.11.11, 11.2.0-11.2.3, 11.3.0-11.3.1, and 11.4.0, with CVSS 6.5 (medium) reflecting the requirement for prior authentication and limited scope (availability impact only). No public exploit identified at time of analysis, though the attack vector is network-accessible and requires low complexity once an attacker has valid upload credentials.

HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434) that enables authenticated remote attackers to upload and execute arbitrary scripts on the affected server, potentially achieving full system compromise. The attack requires user interaction and low-privilege authentication but carries high integrity impact. No public exploit code or active exploitation has been confirmed; however, the vulnerability's straightforward exploitation mechanics and authenticated attack vector make it a moderate-priority issue for organizations deploying this software.

Free Hotel Reservation System 1.0 permits unrestricted file uploads via the image parameter in the /admin/mod_amenities/index.php?view=add endpoint, allowing remote attackers with high privileges to upload arbitrary files. The vulnerability (CWE-434: Unrestricted Upload of File with Dangerous Type) affects the amenities management module and has publicly available exploit code. With a CVSS v4.0 score of 5.1 and network-accessible attack vector requiring high administrative privileges, this poses a moderate risk primarily to authenticated administrators or systems where authentication has been compromised.

Remote code execution in plank/laravel-mediable PHP package through version 6.4.0 allows unauthenticated attackers to upload executable PHP files disguised with benign MIME types, achieving arbitrary code execution when files land in web-accessible directories. EPSS score of 0.39% (60th percentile) indicates low observed exploitation probability, though SSVC analysis confirms the vulnerability is automatable with total technical impact. No vendor-released patch identified at time of analysis despite coordinated disclosure attempts.

An unrestricted file upload vulnerability exists in Kalcaddle Kodbox 1.64 within the Public Share Handler component's userShare.class.php file. This allows unauthenticated remote attackers to upload arbitrary files by manipulating the Add function, potentially leading to remote code execution and system compromise. A publicly available proof-of-concept exists, and the vendor has not responded to early disclosure attempts, increasing the likelihood of active exploitation.

The code16/sharp Laravel admin panel package contains a critical file upload vulnerability that allows authenticated users to bypass all file type restrictions by manipulating client-controlled validation rules. Affected versions prior to 9.20.0 accept a user-supplied validation_rule parameter that is passed directly to Laravel's validator, enabling attackers to upload arbitrary files including PHP webshells. With a CVSS score of 8.8, this vulnerability can lead to Remote Code Execution when the storage disk is publicly accessible, though default configurations provide some protection against direct execution.

Kiteworks Secure Data Forms contains an unrestricted file upload vulnerability (CWE-434) that allows form managers to upload files with dangerous types due to missing input validation. An authenticated attacker with manager privileges can exploit this to upload malicious files, potentially leading to code execution or system compromise. The vulnerability affects all versions prior to 9.2.1, and a patch is available; no public exploit code has been confirmed, but the moderate CVSS score of 5.5 reflects the high integrity impact combined with the requirement for elevated privileges.

The halfdata Green Downloads plugin for WordPress contains an unrestricted file upload vulnerability (CWE-434) that permits attackers to upload malicious files to affected systems. This vulnerability affects Green Downloads versions up to and including 2.08, as confirmed by Patchstack and ENISA. An unauthenticated or low-privileged attacker can exploit this to upload dangerous file types, potentially leading to remote code execution, website defacement, or malware distribution.

An unrestricted file upload vulnerability (CWE-434) exists in Jordy Meow's Photo Engine WordPress plugin versions up to and including 6.4.9, allowing attackers to upload malicious web shells to compromised servers. The vulnerability affects the wplr-sync component and permits arbitrary file uploads with dangerous types, potentially leading to remote code execution. No CVSS score, EPSS probability, or KEV status information is currently available, but the ability to upload executable web shells represents a critical exploitation path.

WPJAM Basic, a WordPress plugin, contains an unrestricted file upload vulnerability (CWE-434) that allows attackers to upload malicious files without proper validation. All versions through 6.9.2 are affected, potentially enabling remote code execution or other attacks depending on server configuration. While CVSS and EPSS scores are unavailable, the nature of arbitrary file upload vulnerabilities in WordPress plugins typically carries high real-world risk due to ease of exploitation and severe impact.

An unrestricted file upload vulnerability exists in the deothemes Ona WordPress theme that allows attackers to upload web shells to affected servers. All versions of Ona prior to 1.24 are vulnerable, enabling remote code execution through malicious file uploads. This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and represents a critical risk for any WordPress installation using the affected theme versions.

WPBookit Pro through version 1.6.18 contains an unrestricted file upload vulnerability (CWE-434) that allows attackers to upload malicious files to affected WordPress installations. This arbitrary file upload flaw enables remote code execution and complete site compromise without requiring authentication or special privileges. The vulnerability affects all versions of the iqonicdesign WPBookit Pro plugin up to and including 1.6.18, making it a critical risk for WordPress administrators using this booking plugin.

A remote code execution vulnerability in add-ons (CVSS 6.8). Remediation should follow standard vulnerability management procedures.

Path traversal in JoyConDroid through version 1.0.93 allows unauthenticated remote attackers to access arbitrary files on affected systems through improper pathname validation in the UnzipUtil module. An attacker can exploit this vulnerability to read sensitive data and potentially modify files, achieving high integrity and availability impact. A patch is available for this high-severity vulnerability affecting Java and Joycondroid users.

The Jupiter X Core plugin for WordPress contains an unrestricted file upload vulnerability allowing authenticated users with Subscriber-level privileges or higher to upload dangerous file types including .phar, .svg, .dfxp, and .xhtml files. This stems from missing authorization checks in the import_popup_templates() function and insufficient file type validation in the upload_files() function. Successful exploitation leads to Remote Code Execution on Apache servers with mod_php configured to execute .phar files, or Stored Cross-Site Scripting attacks via malicious SVG and other file types on any server configuration.

Census CSWeb 8.0.1 contains an arbitrary file upload vulnerability allowing authenticated remote attackers to upload malicious files and achieve remote code execution. A public proof-of-concept exploit is available on GitHub (hx381/cspro-exploits), significantly increasing the risk of exploitation. The vulnerability affects the Census CSWeb data dissemination platform used for hosting census and survey data online.

A Stored Cross-Site Scripting (XSS) vulnerability exists in the file field component of the Form Plugin within Connect-CMS. The vulnerability affects Connect-CMS versions 1.41.0 and earlier in the 1.x series, and versions 2.41.0 and earlier in the 2.x series. If exploited, an attacker can inject malicious scripts that execute in an administrator's browser, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. The vulnerability has been patched and a fix is available from the vendor.

WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability (CWE-434) that allows authenticated attackers to upload and execute arbitrary PHP code on the server. The vulnerability exists in the downloadVideoFromDownloadURL() function which saves remote content with its original filename and extension to a web-accessible directory; by providing an invalid resolution parameter, attackers can bypass cleanup mechanisms, leaving executable PHP files persistent under the web root. With a CVSS score of 8.8, this represents a high-severity remote code execution risk for authenticated users.

WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability in the ImageGallery::saveFile() method that allows authenticated attackers to upload polyglot files (JPEG with embedded PHP code) and achieve Remote Code Execution. The vulnerability exploits a mismatch between MIME type validation (which checks file content) and filename extension handling (which trusts user input), allowing attackers to bypass security controls and execute arbitrary code on the server. A patch is available in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae, and the issue has been publicly disclosed via GitHub Security Advisory GHSA-wxjw-phj6-g75w.

An unrestricted file upload vulnerability exists in CodePhiliaX Chat2DB versions up to 0.3.7 in the JDBC Driver Upload functionality, allowing authenticated attackers to upload arbitrary files to the server. The vulnerability affects the JdbcDriverController.java component and has a CVSS score of 6.3 (medium severity) with a public proof-of-concept exploit available, though the vendor has not responded to disclosure attempts.

The trx_addons WordPress plugin before version 2.38.5 contains an arbitrary file upload vulnerability in an AJAX action that fails to properly validate file types, allowing unauthenticated attackers to upload malicious files. This vulnerability represents an incomplete remediation of the previously disclosed CVE-2024-13448, meaning the original patch was insufficient. A public proof-of-concept exploit is available, and the vulnerability can lead to remote code execution or information disclosure depending on server configuration and file placement.

An unrestricted file upload vulnerability exists in Acrel Environmental Monitoring Cloud Platform version 1.1.0, allowing unauthenticated remote attackers to upload arbitrary files to the system. The vendor was notified but did not respond, and a public proof-of-concept exploit is available on GitHub. With a CVSS score of 7.3 and public exploit code, this presents an elevated risk for organizations using the affected platform.

PbootCMS versions up to 3.2.12 contain an incomplete blacklist bypass vulnerability in the file upload functionality (core/function/file.php) that allows authenticated attackers to upload dangerous files by manipulating the blacklist parameter. An attacker with login credentials can bypass file type restrictions to upload arbitrary files, potentially achieving remote code execution or other malicious outcomes. A public proof-of-concept exploit is available on GitHub, increasing the practical risk of exploitation.

An unrestricted file upload vulnerability exists in eosphoros-ai DB-GPT versions up to 0.7.5 within the module_plugin.refresh_plugins function of the FastAPI endpoint located at packages/dbgpt-serve/src/dbgpt_serve/agent/hub/controller.py. An authenticated attacker can remotely upload arbitrary files to the system, potentially achieving remote code execution or system compromise. A public proof-of-concept exploit is available on GitHub, and the vendor has not responded to early disclosure attempts, indicating patches may not be forthcoming.

FileRise, a self-hosted web file manager and WebDAV server, contains a critical hardcoded encryption key vulnerability in versions prior to 3.9.0. The default key 'default_please_change_this_key' is used for all cryptographic operations including HMAC token generation, AES configuration encryption, and session tokens, allowing unauthenticated attackers to forge upload tokens for arbitrary file upload and decrypt sensitive admin configuration data such as OIDC client secrets and SMTP passwords. No evidence of active exploitation (not in CISA KEV) is currently available, though the vulnerability is straightforward to exploit given the hardcoded nature of the default key.

FileRise, a self-hosted web file manager and WebDAV server, contains an unrestricted file upload vulnerability in its WebDAV endpoint that bypasses filename validation controls present in the regular upload path, allowing authenticated attackers to upload executable file types such as .phtml, .php5, and .htaccess. In non-default Apache configurations lacking LocationMatch protection, this enables remote code execution on the underlying web server. The vulnerability affects FileRise versions prior to 3.8.0 and has been patched; no public exploit code or active KEV listing is currently confirmed, but the presence of a GitHub security advisory indicates vendor acknowledgment of the threat.

Xerte Online Toolkits 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability allowing remote code execution with a CVSS score of 9.8. The template import functionality at /website_code/php/import/import.php lacks authentication checks, enabling attackers to upload ZIP archives containing malicious PHP files that are extracted to web-accessible directories. This is a critical severity issue with network-based attack vector requiring no privileges or user interaction, and a proof-of-concept has been published by VulnCheck.

A file upload vulnerability exists in multiple Terrapack software components from ASTER TEC / ASTER S.p.A. that permits remote code execution when attackers upload malicious files. The affected products include Terrapack TkWebCoreNG version 1.0.20200914, Terrapack TKServerCGI version 2.5.4.150, and Terrapack TpkWebGIS Client version 1.0.0. Proof-of-concept code is available in public repositories, and the vulnerability enables arbitrary code execution on affected systems.

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application.

The ThemeGoods Photography WordPress theme through version 7.7.5 permits authenticated administrators to upload arbitrary files with path traversal capabilities, enabling remote code execution and complete site compromise. While the CVSS score of 7.2 indicates high severity, the requirement for high-privileged admin credentials (PR:H) significantly constrains real-world exploitability. The EPSS score of 0.04% (12th percentile) suggests minimal likelihood of active exploitation, with no public exploit code identified at time of analysis.

Salvo web framework's form data parsing functions fail to enforce payload size limits before loading request bodies into memory, allowing attackers to trigger Out-of-Memory crashes by sending extremely large form payloads. This affects the Rust package salvo (pkg:rust/salvo) through multiple attack vectors including URL-encoded and multipart form data handling. A proof-of-concept demonstrates successful denial-of-service against containerized deployments with limited memory, and the vulnerability is publicly documented in GitHub security advisories GHSA-pp9r-xg4c-8j4x.

The Mobile App Editor WordPress plugin contains an unrestricted file upload vulnerability that allows authenticated administrators to upload malicious web shells to the web server. This affects all versions through 1.3.1 and carries a critical CVSS score of 9.1 due to the potential for complete system compromise with changed scope. While requiring high privileges (administrator access), successful exploitation enables full server control including data theft, integrity compromise, and service disruption.

An unrestricted file upload vulnerability exists in the Woocommerce Wholesale Lead Capture plugin for WordPress, allowing remote attackers to upload and execute malicious files without authentication. The vulnerability affects all versions through 2.0.3.1 of the plugin developed by Rymera Web Co Pty Ltd. With a CVSS score of 9.0 (Critical), this vulnerability enables attackers to achieve complete system compromise through arbitrary file upload, though the attack complexity is rated as high.

A security vulnerability in version 5.1.1 and (CVSS 2.3) that allows users. Remediation should follow standard vulnerability management procedures.

The Nhost storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection, allowing attackers to upload files with spoofed MIME types that bypass bucket-level MIME restrictions. This affects the Go module github.com/nhost/nhost and could cause downstream systems (browsers, CDNs, applications) to mishandle files based on false type metadata. While the CVSS vector indicates low immediate severity due to requiring user interaction and lacking direct confidentiality or availability impact, the metadata corruption poses integrity risks for systems relying on accurate file type information.

xiaoheiFS, a self-hosted financial and operational system for cloud service businesses, contains a critical authenticated remote code execution vulnerability in versions up to 0.3.15. An attacker who knows the hardcoded password 'qweasd123456' can upload arbitrary executable files through the AdminPaymentPluginUpload endpoint, which are then automatically executed by a background watcher service every 5 seconds. While EPSS data is not provided, the combination of hardcoded credentials (CWE-434, Authentication Bypass tag) and automatic execution significantly elevates real-world risk despite requiring high privileges (PR:H) in the CVSS vector.

aaPanel v7.57.0 contains an arbitrary file upload vulnerability that allows unauthenticated or low-privileged attackers to upload malicious files and achieve remote code execution on affected systems. The vulnerability exists in the file upload functionality of the web-based server management panel, enabling attackers to bypass file type validation and execute arbitrary code with the privileges of the aaPanel process. While no CVSS score or EPSS probability is available in current sources, the Remote Code Execution impact combined with file upload attack vectors suggests critical severity; exploitation feasibility is indicated by the existence of public vulnerability research repositories.

MuraCMS versions through 10.1.10 contain a Cross-Site Request Forgery (CSRF) vulnerability in the cForm.importform function that lacks proper token validation, allowing attackers to deceive authenticated administrators into uploading and installing malicious form definitions. An attacker can craft a malicious webpage that, when visited by an authenticated MuraCMS administrator, automatically generates and submits a forged file upload request containing a ZIP archive with attacker-controlled form definitions. Successful exploitation results in the installation of data-harvesting forms on the target website that can steal sensitive user information collected through legitimate-appearing web forms. No active exploitation in the wild has been documented (KEV status unknown), and no formal CVSS score has been assigned, though the vulnerability requires user interaction (administrator must visit the malicious page) which moderates the overall risk profile.

A critical unrestricted file upload vulnerability in Admidio's Documents & Files module allows authenticated users with upload permissions to bypass file extension restrictions by submitting an invalid CSRF token, enabling upload of PHP scripts that lead to Remote Code Execution. The vulnerability affects Admidio versions prior to the patch and has a published proof-of-concept demonstrating webshell upload and command execution. With a CVSS score of 8.8 and detailed exploitation steps available, this represents a high-priority risk for organizations using Admidio for document management.

An arbitrary file upload vulnerability in Chamilo LMS allows authenticated users with Teacher role to achieve Remote Code Execution by uploading malicious H5P packages. The flaw affects versions prior to 1.11.36 and stems from inadequate validation of H5P package contents, which only checks for h5p.json existence but fails to block .htaccess or PHP files with alternative extensions. With a CVSS score of 8.8 and high exploitation potential, attackers can upload webshells disguised as text files along with .htaccess configurations to bypass security controls.

An unrestricted file upload vulnerability exists in the Tiandy Easy7 Integrated Management Platform version 7.17.0, specifically in the /rest/file/uploadLedImage endpoint. This vulnerability allows remote attackers without authentication to upload arbitrary files, potentially leading to remote code execution. A proof-of-concept exploit has been publicly released and the vendor has not responded to disclosure attempts, leaving this vulnerability unpatched and actively exploitable.

An unrestricted file upload vulnerability exists in Technologies Integrated Management Platform version 7.17.0 that allows remote attackers to upload malicious files without authentication through the /SetWebpagePic.jsp endpoint by manipulating the targetPath/Suffix parameters. A public proof-of-concept exploit is available, though the vulnerability is not currently in CISA's Known Exploited Vulnerabilities catalog, making this a confirmed exploitable vulnerability with demonstrated attack code that could lead to unauthorized file uploads and potential remote code execution.

An unauthenticated arbitrary file upload vulnerability in Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 allows remote attackers to upload malicious files and execute code through improperly enabled WebDAV HTTP methods. Attackers can achieve remote code execution or denial of service without any authentication, making this a critical risk for exposed devices. Multiple proof-of-concept exploits are publicly available through security research publications.

An unrestricted file upload vulnerability exists in the glowxq-oj online judge system that allows remote attackers without authentication to upload malicious files through the SysFileController Upload function. A proof-of-concept exploit is publicly available, and while not currently in CISA's KEV catalog, the vulnerability poses moderate risk with a CVSS score of 7.3 and publicly disclosed exploitation code.

An authenticated arbitrary file upload vulnerability in the Courses/Work Assignments module of gunet Open eClass v3.11, and fixed in v3.13, allows attackers to execute arbitrary code via uploading a crafted SVG file.

A critical unrestricted file upload vulnerability exists in the Profile Picture Handler component of JawherKl's node-api-postgres library (versions up to 2.5), where improper validation in the path.extname function of index.js allows attackers to upload malicious files remotely without authentication. A proof-of-concept exploit is publicly available, making this vulnerability actively exploitable, though it is not currently listed in CISA's KEV catalog and no EPSS score is provided.

Arbitrary file upload in Pix for WooCommerce WordPress plugin.

Arbitrary file upload in Budibase 3.24.0 and earlier allows authenticated attackers to bypass UI-level file extension restrictions and upload malicious files by directly manipulating requests. An attacker with valid credentials can circumvent the intended upload controls to potentially execute arbitrary code or compromise system integrity. No patch is currently available for this vulnerability.