File Upload
Monthly
Unrestricted file upload in HCL ZIE for Web (Z and I Emulator) version 16.0 allows remote attackers to upload a web shell that can yield arbitrary command execution on the server, but only when the server is configured to execute uploaded code and the file lands inside the Webroot. The CVSS 3.1 base score is 9.8, yet CISA's SSVC framework rates exploitation as 'none' and not automatable with only partial technical impact, and EPSS sits at just 0.34% (26th percentile). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated arbitrary file upload in the SigmaForms Pro - AI Generated Forms WordPress plugin (versions <= 1.4.5) allows remote attackers to upload files of their choosing to the underlying web server, enabling webshell deployment and full site takeover. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 9.0 with scope change, indicating impact beyond the vulnerable component. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Arbitrary file upload in the Charity Zone WordPress theme (versions 1.1.1 and prior) allows authenticated users with only Subscriber-level privileges to upload files of attacker-chosen type, leading to remote code execution under the web server context. The flaw was disclosed via Patchstack and carries a CVSS 9.9 due to the scope change from a low-privileged WordPress role to full server compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary file upload in the Kids Gift Shop WordPress theme (versions 0.5.4 and earlier) allows authenticated users with Subscriber-level privileges to upload arbitrary files to the server. The CVSS 3.1 score of 9.9 with scope change reflects the potential for remote code execution leading to full site compromise, and no public exploit identified at time of analysis.
Arbitrary file upload in the Ecommerce Zone WordPress theme (versions <= 0.9.7) allows authenticated low-privileged users (Subscriber role) to upload files of attacker-chosen types, resulting in a CVSS 9.9 critical scoring with scope change. No public exploit identified at time of analysis, and the issue was reported by Patchstack via their WordPress vulnerability database. Successful exploitation typically leads to remote code execution on the underlying web server.
Arbitrary file upload in the Restaurant Zone WordPress theme through version 0.7.8 allows authenticated attackers with only Subscriber-level privileges to upload arbitrary files to the underlying server, leading to remote code execution and full site compromise. The CVSS 3.1 score of 9.9 reflects the scope-changing impact achievable from a minimally privileged account; no public exploit is identified at time of analysis and the issue is not currently listed in CISA KEV.
Arbitrary file upload in the Webenvo WordPress theme (versions <= 0.0.6) allows authenticated low-privilege users (Subscriber role) to upload arbitrary files, leading to remote code execution and full site compromise. The CVSS 9.9 score reflects scope change and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Arbitrary file upload in the Unlimited Elements for Elementor (Premium) WordPress plugin versions 2.0.6 and earlier allows authenticated users with Contributor-level privileges to upload arbitrary files, leading to remote code execution on the underlying WordPress host. Reported by Patchstack and rated CVSS 9.9 with a scope-changing impact, no public exploit identified at time of analysis but the low privilege bar makes this a high-priority issue for any site that permits Contributor accounts.
Arbitrary file upload in the WishList Member X WordPress plugin versions 3.29.0 and earlier allows authenticated subscriber-level users to upload malicious files, with a CVSS 9.9 score reflecting scope change and full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the low privilege requirement (subscriber is the lowest authenticated WordPress role) makes this trivially reachable on any site permitting user registration. The vulnerability was disclosed via Patchstack and is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type).
Arbitrary file upload in the Restaurt WordPress theme versions 1.0.4 and earlier allows authenticated users with Subscriber-level privileges to upload arbitrary files, potentially leading to remote code execution on the WordPress host. The CVSS 9.9 score reflects scope-changed impact across confidentiality, integrity, and availability, though no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Unauthenticated arbitrary file upload in the Extendons 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' (versions <= 1.0.7) lets remote attackers upload arbitrary files, including PHP webshells, to vulnerable WordPress sites and gain code execution. The CVSS 10.0 score with Scope:Changed reflects that compromise of the plugin can escalate to full host takeover, though no public exploit was identified at time of analysis and the flaw is not listed in CISA KEV.
Arbitrary file upload in the PT Luxa Addons WordPress plugin (versions 1.2.2 and earlier) allows authenticated users with low-privilege Subscriber accounts to upload attacker-controlled files to a WordPress site, leading to remote code execution and full site compromise. The scope-changed CVSS 9.9 reflects that a minimally privileged WordPress user can pivot to code execution affecting the entire web server. No public exploit identified at time of analysis.
Subscriber Arbitrary File Upload in Grip <= 1.0.9 versions. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Arbitrary file upload in Kodezen Academy LMS Pro (WordPress plugin) versions prior to 3.5.2 allows authenticated attackers with high privileges to upload web shells to the underlying web server, leading to full site compromise. The flaw was reported by Patchstack and a vendor patch is available, but no public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.
Arbitrary file upload in the Kids Online Store WordPress theme (versions up to and including 0.8.9) by themagnifico52 allows authenticated attackers to upload web shells and achieve remote code execution on the underlying server. The flaw is reported by Patchstack and carries a CVSS 3.1 score of 9.9 due to the scope-changing impact on the WordPress host. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Remote code execution in the Premmerce Dev Tools WordPress plugin (versions ≤ 2.0) allows authenticated users with Subscriber-level access or higher to write arbitrary PHP files into wp-content/plugins/ by injecting payloads into the premmerce_plugin_namespace POST parameter. The flaw stems from a missing authorization check in generatePluginHandler combined with unsanitized string substitution in createFromStub, enabling attackers to escape the namespace context with a semicolon and execute arbitrary PHP on the host. No public exploit identified at time of analysis, but the low privilege barrier and the high-impact CVSS 8.8 score make this a serious risk on sites with open registration.
Unauthenticated reflected/stored cross-site scripting in the WordPress plugin Drag and Drop Multiple File Upload - Contact Form 7 versions 1.3.9.7 and earlier allows remote attackers to inject script that executes in a victim's browser after user interaction, leading to session theft, account takeover, or pivoting against authenticated administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. CVSS 3.1 base score is 7.1 with a changed scope reflecting impact across the WordPress admin trust boundary.
Unauthenticated arbitrary file upload in the GeekyBot WordPress plugin (versions 1.2.2 and earlier) allows remote attackers to upload arbitrary files, including PHP webshells, to the web server without any authentication. Reported by Patchstack and tracked as EUVD-2026-36981, this issue carries a maximum 10.0 CVSS due to network-reachable exploitation with no privileges, no user interaction, and a scope change leading to full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the CWE-434 class is heavily targeted on WordPress plugins and routinely leads to full site compromise once disclosed.
Unauthenticated arbitrary file deletion in the WordPress plugin Contact Form Extender for Divi (versions <= 1.0.6) allows remote attackers to delete arbitrary files on the host filesystem via a path traversal flaw. Deletion of critical files such as wp-config.php can force WordPress into setup mode, enabling site takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary file upload in the WP-BusinessDirectory WordPress plugin (versions through 4.0.0) allows authenticated users holding only the low-privilege Subscriber role to upload files of attacker-chosen types to the host site. The CVSS scope-changed 9.9 rating reflects that a successful upload of executable content (e.g., a PHP webshell) yields code execution under the WordPress process and pivots impact beyond the plugin into the wider site and host. No public exploit identified at time of analysis, but Subscriber-level file upload bugs are routinely weaponised against WordPress sites that allow open registration.
Unrestricted file upload in the WpStream WordPress plugin (versions before 4.11.2) permits subscriber-level authenticated users to upload arbitrary files to the server, resulting in integrity and availability impacts. The vulnerability, tracked under CWE-434 and reported by Patchstack, targets sites where user registration is enabled, making any subscriber account a viable attack surface. No public exploit code or active exploitation has been identified at time of analysis, and a vendor-released patch is available at version 4.11.2.
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a path traversal flaw in the plugin import routine with file upload functionality to run arbitrary PHP as the web server user. Publicly available exploit code exists (published by Karma Insecurity / VulnCheck) demonstrating a race-condition-assisted bypass of sanitization, but the issue is not listed in CISA KEV and no public EPSS signal was provided. The high PR:H requirement limits attackers to those already holding administrator credentials or able to obtain them.
Arbitrary file write via path traversal in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticated low-privileged attacker to create or overwrite any file on the underlying operating system by sending crafted HTTP requests to affected API endpoints. The vulnerability stems from insufficient validation of user-supplied input during the file upload process (CWE-22), and a successful exploit can serve as a reliable stepping stone to root-level privilege escalation on the management host. No public exploit has been identified at time of analysis, and the vulnerability is not currently listed in CISA KEV; however, the integrity impact combined with root escalation potential elevates real-world risk above the CVSS 6.5 Medium baseline.
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Unrestricted file upload in Responsive FileManager 9.14.0 (and likely earlier) allows remote unauthenticated attackers to upload arbitrary files - including PHP scripts - via the dialog.php endpoint, leading directly to remote code execution on the hosting web server. The project is unmaintained at the time of CVE assignment, so no vendor patch is forthcoming, and while no public exploit is identified at time of analysis the trivial nature of unrestricted file upload makes weaponization straightforward.
Unrestricted file upload in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows any authenticated user, regardless of role or permission level, to bypass server-side file type controls at the /safe/contract/uploadcustomdocuments endpoint by spoofing the HTTP Content-Type header with a value containing allowed substrings such as 'pdf', 'jpeg', 'tiff', or 'png'. Because validation relies entirely on a client-supplied header rather than inspecting actual file content or magic bytes, arbitrary file content can be written to the server. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Arbitrary code execution in flatnotes v5.5.4 is achievable by uploading crafted HTML or SVG files through the attachment handling component, enabling remote attackers to run code in the context of the application. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact on confidentiality, integrity, and availability. Publicly available exploit code exists via a referenced GitHub gist, though there is no public exploit identified as actively exploited in the CISA KEV catalog at time of analysis.
Iptanus File Upload WordPress plugin before version 5.1.7 allows authenticated low-privilege users to overwrite other users' uploaded files by exploiting a Time-of-Check to Time-of-Use (TOCTOU) race condition in the plugin's file deduplication logic. The flaw is conditional on the `duplicatepolicy` setting being configured to 'maintain both,' and requires winning a precise timing race between the file existence check and the write operation. No active exploitation is confirmed by CISA KEV; however, a publicly available exploit exists via WPScan, and EPSS remains negligible at 0.01%, consistent with the high attack complexity required.
Stored XSS in Parse Server is achievable by authenticated users who bypass the file upload extension blocklist by appending a trailing dot to a blocked filename (e.g., `poc.svg.`), causing the extension parser to return an empty string and skip the block check. The attacker-supplied Content-Type is forwarded unchanged to cloud storage adapters (S3, GCS), which persist and serve the file under that active MIME type - enabling script execution in a victim's browser when the file URL is opened. No active exploitation is confirmed (not in CISA KEV, EPSS 0.05% at 15th percentile), but the attack mechanism is low-complexity and fully documented in the vendor's fix PRs. Patches are available in versions 8.6.79 and 9.9.1-alpha.4.
Unrestricted file upload in Global IT Informatics Services WEOLL versions 2.0.9 through 3.2.45.32 allows authenticated low-privilege users to upload files of dangerous types and bypass ACL-protected functionality. With CVSS 8.7 (scope-changed, confidentiality and integrity high) and TR-CERT advisory publication, the flaw enables impact beyond the vulnerable component, though no public exploit identified at time of analysis and KEV/EPSS signals are not provided.
Unauthenticated arbitrary file upload in Amasty Order Attributes for Magento 2 before 4.0.0 lets remote attackers drop arbitrary files into the store's media directory without authentication, session validation, or cart context. Where the media directory permits PHP execution, this escalates to unauthenticated remote code execution; otherwise it enables stored XSS via HTML/SVG, malware hosting, and path-traversal writes outside the intended directory. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and trivial preconditions make this a high-priority issue for any Magento 2 store running the extension.
Arbitrary file upload leading to remote code execution in CodeIgniter4 framework versions prior to 4.7.3 occurs because the `ext_in` validation rule inspects the MIME-derived guessed extension rather than the client-supplied filename extension. Applications that accept user uploads, rely on `ext_in` for extension allow-listing, persist files under their original client filename inside a web-accessible directory, and permit PHP execution in that directory can be coerced into writing and executing attacker-controlled PHP. No public exploit identified at time of analysis, though the patch commit and tests publicly demonstrate the bypass technique (a polyglot file named `shell.php` carrying GIF magic bytes).
Remote code execution in Başarsoft Rotaban versions V2026.06.002 through V2026.06.003 (exclusive) allows authenticated attackers to upload arbitrary files including web shells, leading to full server compromise. The flaw stems from missing validation of uploaded file types (CWE-434) and was reported by TR-CERT; no public exploit identified at time of analysis, but the CVSS 9.9 score and scope-change indicator make this a high-priority patch target for any Rotaban deployment.
Remote code execution in Limatek System Inc. LimRAD NAC versions prior to 5.5.7.3.9 allows unauthenticated remote attackers to upload dangerous file types and achieve Remote Code Inclusion. The CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating reflects an internet-reachable, no-interaction exploitation path against a network access control appliance, though no public exploit identified at time of analysis. The vulnerability was disclosed by TR-CERT and tracked in Turkish national vulnerability advisory TR-26-0366.
Uncontrolled resource consumption in GitLab CE/EE's file upload processing pipeline enables any authenticated user to trigger denial of service by submitting a specially crafted file. All self-managed GitLab instances running versions from 17.10 up through the patched releases (18.10.8, 18.11.5, 19.0.2) are affected across both Community and Enterprise Editions. A publicly available exploit exists on HackerOne (report #3517331), though no active exploitation has been confirmed by CISA KEV.
Unauthenticated arbitrary file upload in the Schema & Structured Data for WP & AMP WordPress plugin before version 1.60 allows remote attackers to upload any file type accepted by WordPress's media library through frontend AJAX handlers intended for images and videos only. The plugin fails to perform user capability checks and does not validate uploaded file content against the endpoint's declared media type. Publicly available exploit code exists via WPScan, increasing the urgency for immediate patching despite no confirmed in-the-wild exploitation.
Unrestricted file upload via the DIGSI 5 engineering protocol in Siemens SIPROTEC 5 protective relays enables authenticated, high-privileged users on an adjacent network to upload malicious configuration files, causing denial of service or potentially achieving code execution on the affected device. All hardware variants (CP050/CP100/CP150/CP200/CP300) across more than 60 distinct SIPROTEC 5 model lines are affected, with no patched firmware version available. No public exploit identified at time of analysis, but the presence of RCE and DoS tags alongside a confirmed CWE-434 root cause makes this a meaningful operational technology (OT) risk in poorly segmented substation environments.
Denial-of-service via crafted TIFF image upload in Apache Answer through 2.0.0 allows an authenticated user to crash the server process by triggering excessive memory allocation during image decoding. The vulnerability stems from improper handling of specially crafted TIFF files in the file upload feature, where no bounds are placed on memory consumed during the decode phase. No public exploit code or active exploitation has been identified at time of analysis; however, the low technical barrier to trigger the crash once authenticated elevates its operational risk for community and enterprise deployments.
Insufficient validation of user-supplied avatar image URLs in Apache Answer through 2.0.0 allows authenticated users to set arbitrary external URLs as profile images, causing the platform or clients to issue outbound HTTP requests to attacker-controlled servers on page load. This exposes user IP addresses, HTTP headers, and browsing activity to third-party infrastructure whenever affected profiles are viewed. Rated moderate severity by Apache; no public exploit identified at time of analysis and not listed in CISA KEV.
Unrestricted file upload in Dcat-Admin up to 2.2.3-beta allows remote attackers with high privileges - or potentially with authentication bypass - to upload arbitrary files via the editorMDUpload function at the /admin/dcat-api/editor-md/upload endpoint on the User Setting Page. The vulnerability stems from improper access control (CWE-284) on the editormd-image-file parameter, enabling upload of potentially malicious file types. Publicly available exploit code exists (CVSS E:P confirmed), though no active exploitation is listed in CISA KEV. The low CVSS 4.0 base score of 2.0 reflects constrained impact scope, but the 'Authentication Bypass' tag warrants additional scrutiny of the effective privilege requirement.
Arbitrary file upload via the /api/create-car-image endpoint in bookcars v8.3 enables server-side code execution by uploading a crafted file (e.g., a web shell). The vulnerability targets an image upload API that fails to restrict file types per CWE-434. No public exploit identified at time of analysis, and EPSS sits at 0.02% (6th percentile), indicating negligible observed exploitation pressure - however, two data conflicts significantly affect confidence: the description asserts an authenticated attacker is required while the CVSS vector records PR:N (no privileges required), and the CVSS impact scores of C:L/I:L are inconsistent with the claimed remote code execution outcome.
WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Unrestricted file upload in Kushan2k's student-management-system exposes the registration endpoint to unauthenticated remote attackers who can upload arbitrary files - including PHP webshells - by manipulating the `stimg` argument in `service/RegisterService.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no complexity, and no user interaction are required, making this trivially exploitable by any network-reachable attacker. Publicly available exploit code exists (E:P confirmed), and the vendor has not responded to responsible disclosure as of analysis time, leaving all installations unpatched.
Path traversal in hsweb-framework up to version 5.0.1 allows authenticated remote attackers to write files outside the intended upload directory by manipulating the filename argument in the file upload component. The root cause is insufficient sanitization of path sequences — including URL-encoded variants (`..%2F`) and Windows-style backslashes (`..\`) — in the `denied` function of `FileUploadProperties.java`. A public exploit has been disclosed via GitHub issue #344, and a patch commit is available; no KEV listing indicates opportunistic rather than confirmed mass exploitation.
Remote code execution in the MDJM Event Management WordPress plugin (versions through 1.7.8.3) allows authenticated administrators to upload arbitrary files, including executable PHP, via the mdjm_send_comm_email function which performs no file type, extension, or MIME validation. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS 3.1 score of 7.2, with publicly available exploit code existing on GitHub and a detailed write-up published by the researcher. No public exploit identified in CISA KEV, and exploitation requires administrator-level privileges, limiting realistic impact to post-compromise or insider scenarios.
Stored Cross-Site Scripting in the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (all versions through 1.3.9.7) allows authenticated administrators to persist malicious JavaScript via the 'drag_n_drop_text' and 'drag_n_drop_browse_text' plugin settings fields, which subsequently execute in the browsers of any site visitor accessing a page containing an affected CF7 upload form. The CVSS Scope:Changed designation reflects this cross-user impact - a compromised or rogue admin can silently weaponize public-facing forms without further interaction. No public exploit or CISA KEV listing exists at time of analysis, and the CVSS score of 4.4 reflects the high privilege and high complexity prerequisites that substantially limit opportunistic exploitation.
Arbitrary file upload in HAX CMS (PHP backend) versions 11.0.6 through 24.x allows authenticated remote attackers to upload PHP webshells disguised as images by abusing a regex-only extension check that ignores MIME type and content inspection, leading to remote code execution on the web server. CVSS v4.0 scores this 8.7 (High) with PR:L indicating low-privilege authentication is required, and no public exploit was identified at time of analysis although the underlying CWE-434 pattern is highly automatable.
Remote code execution in WP Captcha PRO (premium version of the Advanced Google reCAPTCHA WordPress plugin) through version 5.38 allows authenticated Subscriber-level attackers to upload arbitrary files, including PHP webshells, by abusing the licensing module's save_ajax() capability check and the unrestricted archive extraction in sync_cloud_protection(). No public exploit identified at time of analysis, but the CVSS 8.8 rating and trivial Subscriber-level prerequisite - common on sites with open registration - make this a high-priority WordPress ecosystem flaw. Wordfence is the original reporter and primary intelligence source.
Unrestricted file upload in code-projects Vehicle Management System 1.0 allows remote unauthenticated attackers to upload arbitrary files via the photo parameter of the New Driver Registration Form (newdriver.php), enabling remote code execution. Publicly available exploit code exists on GitHub, increasing the likelihood of opportunistic abuse against exposed instances despite no CISA KEV listing.
Unrestricted file upload in tittuvarghese CollegeManagementSystem exposes the Student Data Upload endpoint (`dashboard_page/forms/upload_student_data.php`) to remote exploitation by authenticated low-privilege users, allowing arbitrary file types - including PHP web shells - to be uploaded to the server by manipulating the Student-Data-CSV argument. All deployed instances across all commits are affected given the project's rolling release model, and no vendor-released patch exists as the maintainer has not responded to responsible disclosure. Publicly available exploit code exists, raising real-world risk above what the CVSS 6.3 score alone implies.
Unrestricted file upload in Stumasy (mjperpinosa) allows a low-privileged authenticated attacker to upload arbitrary files through the profile image change endpoint, potentially enabling server-side code execution. The vulnerable parameter `pr_profile_image` in `application/PHP/objects/profiles/change_profile_image.php` performs no meaningful file type validation, making it trivial to submit non-image payloads including PHP webshells. A publicly available exploit exists via the project GitHub issue tracker; the vendor has not responded to the disclosure, and no patch has been released. No CISA KEV listing at time of analysis.
Unrestricted file upload in mjperpinosa's stumasy PHP application allows authenticated remote attackers to upload arbitrary and potentially dangerous file types via the up_file_to_post parameter in add_post.php, enabling likely remote code execution through web shell deployment. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-reachable exploitation requiring only low-privilege authentication with no user interaction. A publicly available proof-of-concept exploit exists (disclosed via GitHub issue), and the vendor has not responded to the responsible disclosure - no patch is available at time of analysis.
Stored or reflected Cross-Site Scripting in MaxSite CMS v.109.2 allows a remote attacker with low-privilege authenticated access to inject malicious scripts via the Backend page file upload endpoint (admin_page), which execute in the browsers of other users - including administrators - to exfiltrate sensitive information such as session tokens. The CVSS vector (S:C) confirms the attack crosses a security scope boundary, amplifying impact beyond the attacker's own session. A researcher-published proof-of-concept is publicly available on GitHub, though EPSS remains very low at 0.05% (17th percentile) and no active exploitation has been confirmed by CISA KEV.
Stored Cross-Site Scripting in Koha 25.11 and earlier allows a remote authenticated attacker to inject and execute arbitrary JavaScript in victim browsers via the file upload function within the Invoice features module. The CVSS Scope:Changed designation indicates the injected script executes in a security context beyond the attacker's own session - targeting higher-privileged users (e.g., acquisitions staff or administrators) who subsequently view the affected invoice. A researcher blog post at g03m0n.github.io documents this vulnerability, suggesting public technical details are available. No public exploit identified at time of analysis, and EPSS at 0.05% (16th percentile) indicates low observed exploitation probability.
Unrestricted file upload in SOPlanning's backup import functionality (versions 1.55 and below) allows an authenticated high-privilege attacker to smuggle a malicious PHP script inside a crafted ZIP archive alongside a legitimate user.csv file, bypassing extension validation entirely. This vulnerability is materially escalated when chained with CVE-2026-40547 (Path Traversal in the same product), which redirects extraction to a web-accessible directory, converting an upload flaw into full server-side remote code execution. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the exploitation chain is technically straightforward once administrative credentials are held.
Unrestricted file upload in Metasoft MetaCRM 6.4.0 allows low-privileged authenticated remote attackers to upload arbitrary files via the softlogo upload endpoint at develop/systparam/softlogo/upload.jsp, potentially enabling server-side code execution or persistent backdoor installation. A publicly available proof-of-concept exploit exists, referenced via a Feishu document, and the vendor did not respond to coordinated disclosure. No KEV listing at time of analysis, but the combination of a public POC, low attack complexity, and an unresponsive vendor elevates practical risk beyond what the 6.3 CVSS score alone suggests.
Unrestricted file upload in Bdtask Multi-Store Inventory Management System 1.0 enables authenticated remote attackers to upload arbitrary file types - including PHP webshells - through the Component Module's Upload function, leading to potential remote code execution on the host server. The vulnerability resides in application/modules/dashboard/controllers/Module.php where the Upload function performs insufficient file type validation. A public proof-of-concept exploit has been released on GitHub, elevating the practical risk beyond the moderate CVSS 6.3 score. No vendor patch has been identified at time of analysis.
Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
File upload restriction bypass in Spatie Laravel Media Library prior to 11.23.0 allows authenticated remote attackers to upload files with double extensions (e.g., shell.php.jpg) or executable extensions missing from the blocklist (.php6, .shtml, .htaccess) due to a flawed sanitizer in FileAdder::defaultSanitizer() that only inspects the final filename suffix. Successful exploitation can lead to arbitrary PHP code execution when the application is deployed behind a legacy Apache AddHandler configuration, with no public exploit identified at time of analysis. The flaw carries a CVSS 4.0 score of 8.7 (high) reflecting high confidentiality, integrity, and availability impact.
Command injection in Dokploy 0.29.1 and earlier allows authenticated users to execute arbitrary OS commands on the host by abusing the Docker file upload feature's unsanitized destinationPath parameter. The CVSS 9.9 score reflects scope change to the underlying host from a containerized context, and no public exploit identified at time of analysis though the GHSA advisory provides sufficient technical detail to reconstruct one.
HaPe PKH 1.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by bypassing file type validation. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Arbitrary file upload in Interinfo DreamMaker allows authenticated high-privilege remote attackers to upload web shell backdoors and achieve arbitrary code execution on the underlying server. The flaw carries a CVSS 4.0 score of 8.6 and was reported via TWCERT, with no public exploit identified at time of analysis. Despite the high privilege requirement, the network-reachable vector and full CIA impact on the host make this a meaningful post-authentication compromise primitive.
Unauthenticated arbitrary file upload in Interinfo DreamMaker allows remote attackers to upload web shell backdoors and execute arbitrary code on the server, scoring CVSS 4.0 9.3 (Critical). No public exploit identified at time of analysis, but the combination of no authentication, low attack complexity, and complete CIA impact makes this a high-priority issue. TWCERT (Taiwan's national CERT) is the reporting source, indicating regional advisory coordination.
Remote code execution in Falco Solutions PHPageBuilder v0.31.0 is possible through an unrestricted file upload flaw in the pagemanager/pagebuilder module, enabling unauthenticated remote attackers to upload arbitrary executable files (typically PHP webshells) and run code on the underlying web server. Publicly available exploit code exists in a dedicated GitHub repository, though EPSS scoring (0.06%, 18th percentile) and SSVC indicate no observed in-the-wild exploitation despite the attack being fully automatable.
Arbitrary file upload leading to remote code execution affects the GutenBee – Gutenberg Blocks WordPress plugin in all versions through 2.20.1, enabling authenticated users with Author role or higher to upload PHP files disguised with double extensions such as shell.json.php. The flaw stems from a permissive strpos() substring check in gutenbee_file_and_ext_json that allows attackers to bypass WordPress filetype validation and execute arbitrary PHP on the server. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in the Crawlomatic Multipage Scraper Post Generator plugin for WordPress (versions up to and including 2.7.2) allows authenticated users with author-level privileges to execute arbitrary PHP code on the server by abusing the 'callback_raw' or 'callback' shortcode attributes processed by the filter_content function. The flaw stems from passing attacker-controlled input directly to call_user_func() guarded only by is_callable(), which still permits dangerous PHP built-ins like system, shell_exec, exec, passthru, and assert. No public exploit identified at time of analysis, but Wordfence has published a detailed advisory and the shortcode sink is trivially reachable for any author-level account.
Arbitrary file upload in SourceBans Material Admin v1.1.6 allows remote unauthenticated attackers to achieve code execution by uploading a crafted image file to the pages/admin.uploadmapimg.php endpoint. The flaw is tagged as a PHP RCE vector and has public proof-of-concept gists referenced on GitHub, though it is not listed in CISA KEV and carries a very low EPSS exploitation probability (0.02%, 5th percentile).
Excessive data exposure in DFIR-IRIS before version 2.4.28 enables authenticated low-privileged users to retrieve sensitive information from API responses that should be restricted or filtered server-side. The flaw (CWE-201) is part of a coordinated multi-vulnerability disclosure by SBA Research (SBA-ADV-20260126-04), which also identified an Open Redirect (CVE-2026-42329), Insecure File Upload (CVE-2026-42538), and Mass Assignment (CVE-2026-42540) in the same product version. No public exploit identified at time of analysis and no CISA KEV listing; however, the target platform stores highly sensitive digital forensics and incident response case data, elevating the practical impact of any confidentiality breach.
Mass assignment vulnerability in DFIR-IRIS before 2.4.28 enables authenticated low-privileged users to modify object attributes that the application should restrict from client control. Exploitable remotely with no complexity or user interaction required (AV:N/AC:L/PR:L/UI:N), the flaw can allow unauthorized modification of case data, ownership fields, or other model attributes beyond what the interface intentionally exposes. No public exploit code identified at time of analysis, and the CVE is not listed in CISA KEV; however, it was disclosed as part of a coordinated multi-CVE advisory by SBA Research covering five distinct vulnerabilities in the same product version.
Open redirect in DFIR-IRIS before version 2.4.28 allows unauthenticated remote attackers to craft URLs that silently redirect authenticated users to arbitrary external domains. The CVSS Scope:Changed (S:C) component confirms the vulnerability crosses the application's trust boundary, making it a viable vector for phishing and credential harvesting campaigns targeting incident responders and forensic analysts who use the platform. No public exploit code or active exploitation has been identified at time of analysis, and no CISA KEV listing is present.
Insecure file upload in DFIR-IRIS before version 2.4.28 allows a low-privileged remote attacker to upload files of dangerous types, resulting in high confidentiality impact and limited integrity compromise when a victim user interacts with the uploaded content. Disclosed by SBA Research in advisory SBA-ADV-20260126-03, this is one of three CVEs (CVE-2026-42329, CVE-2026-42538, CVE-2026-42539) patched simultaneously in the 2.4.28 release. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Two-factor authentication bypass via TOTP secret disclosure affects FileRise self-hosted file manager before 3.12.0, where the /api/totp_setup.php endpoint can be reached from the intermediate 'pending_login_user' session state that exists after a correct password but before the TOTP check. For accounts that already have TOTP enabled, the endpoint decrypts and returns the existing TOTP secret inside the enrollment QR PNG rather than refusing, so an attacker who already holds the victim's password can extract the seed, compute a valid one-time code, and complete login without the victim's authenticator. No public exploit has been identified at time of analysis and no EPSS score is provided, but the issue fully defeats the second authentication factor.
Arbitrary file upload in the WPify Woo Czech WordPress/WooCommerce plugin (versions through 5.4.1) lets a low-privileged authenticated user upload a dangerous file type - i.e., a PHP web shell - to the web server, leading to remote code execution. The CVSS 3.1 vector (PR:L, S:C, C:H/I:H/A:H) reflects a scope-changing critical-severity flaw scored 9.9 that compromises the entire host once exploited. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS score is very low (0.04%, 13th percentile), indicating little observed exploitation pressure despite the high CVSS.
Unrestricted file upload in SourceCodester Simple POS and Inventory System 1.0 allows authenticated remote attackers to upload arbitrary files through the image argument of /admin/addproduct.php, potentially enabling web shell deployment and remote code execution. A publicly available proof-of-concept exploit exists (GitHub gist), and SSVC confirms exploitation: poc status. Despite the severe nature of CWE-434 unrestricted upload flaws, EPSS sits at 0.04% (11th percentile) and CISA has not added this to KEV, indicating limited observed exploitation in the wild at time of analysis.
Unrestricted file upload in KLiK SocialMediaWebsite 1.0 exposes the application to unauthenticated remote exploitation via the `uniqid` function in `upload.inc.php`. The File Handler component fails to validate uploaded file types (CWE-434), allowing an attacker to upload PHP webshells or other executable files without any authentication - confirmed by the CVSS 4.0 vector PR:N/UI:N. Exploit code has been publicly disclosed (CVSS E:P, referenced via VulDB), though EPSS remains low at 0.04% and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.
Unrestricted file upload in RuoYi-Vue (versions 3.9.0-3.9.2) exposes the FileUploadUtils.upload function at the /common/upload endpoint to arbitrary file upload by authenticated remote attackers, potentially enabling server-side code execution if the uploaded file is accessible and executed by the web server. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) scores 5.3 Medium, reflecting low-privilege authentication as the primary barrier; no compensating controls enforce file-type validation at the endpoint. No public exploit code has been identified and no active exploitation is confirmed, though the vendor did not respond to responsible disclosure, leaving the fix status unresolved.
Redaxo CMS Mediapool Addon 5.5.1 and older contains an arbitrary file upload vulnerability that allows authenticated users to bypass file extension blacklist restrictions. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous file types and execute arbitrary code, earning a maximum CVSS 10.0 score with scope change (S:C). Per Microsoft's MSRC advisory, a vendor patch is available, though no public exploit has been identified at time of analysis and the EPSS score was not provided in the source data.
Uncontrolled memory allocation in Mattermost's TIFF image processing allows authenticated users to trigger server-side out-of-memory (OOM) conditions, effectively taking down the collaboration platform. Affected are all Mattermost deployments running versions 10.11.x through 11.6.0. Any account holding file upload or URL-posting permissions can exploit this remotely without elevated privileges, making it a realistic insider or compromised-account threat. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and broad authentication base increase practical risk.
File disclosure via malicious HTML file upload default values in Mothra, the web browser bundled with the 9front Plan 9 fork, allows a remote unauthenticated attacker to exfiltrate arbitrary local files from a victim's filesystem. By crafting a webpage containing a hidden file input element with a pre-set malicious default path, the attacker can cause Mothra to silently submit a targeted local file to an attacker-controlled server upon user interaction. The CVSS 4.0 E:P supplemental metric indicates publicly available proof-of-concept exploit code exists; no CISA KEV listing is present, suggesting exploitation is not yet confirmed at scale.
Unauthenticated arbitrary file upload in the BookingPress Pro WordPress plugin (versions ≤5.6) enables remote code execution by abusing missing file type validation in the bookingpress_validate_submitted_booking_form_func function. Exploitation requires the booking form to include a signature custom field, but otherwise needs no authentication or user interaction. No public exploit identified at time of analysis, though Wordfence's disclosure and the CWE-434 pattern make weaponization straightforward.
Unrestricted file upload in Gmission Web Fax versions 3.0 up to (but not including) 3.1 allows attackers to upload files of dangerous types and trigger remote code inclusion, leading to full confidentiality, integrity, and availability impact on the host. The flaw was reported by FSI and a vendor patch is available, though no public exploit code has been identified at time of analysis. Note that the CVSS 4.0 vector advertises a local attack vector (AV:L) which conflicts with the description's 'Remote Code Inclusion' wording - this discrepancy should be verified.
Unrestricted file upload in WP Swings Gift Cards For WooCommerce Pro plugin (versions up to and including 4.2.6) allows remote unauthenticated attackers to upload malicious files of dangerous types to vulnerable WordPress sites. With a maximum CVSS score of 10.0 and a scope-changed vector, successful exploitation typically leads to remote code execution and full site compromise. No public exploit identified at time of analysis, though the high severity and ease of exploitation make this a priority concern for any WooCommerce site using this plugin.
Arbitrary file write in Altium Enterprise Server ComparisonService allows authenticated workspace users to escape the temporary upload directory and plant files anywhere on the host filesystem via crafted multipart Content-Disposition headers in the Gerber upload APIs. The flaw (CVSS 4.0 score 9.4, CWE-22) escalates to remote code execution by dropping payloads into web-accessible paths or overwriting service binaries, and a vendor patch is available. No public exploit identified at time of analysis.
Unauthenticated remote code execution in the ProSolution WP Client WordPress plugin (versions ≤ 2.0.0) allows attackers to upload malicious PHP files to a web-accessible directory by abusing an array validation mismatch in its upload handler. Because only the first file in a multi-file upload array is checked for extension and MIME type while the remaining files are processed unchecked, attackers can pair a benign first file with a PHP webshell to achieve full code execution on the host. No public exploit identified at time of analysis, but the high CVSS 9.8 score and trivially scriptable nature place this in the realistic mass-exploitation tier for WordPress plugins.
Stored cross-site scripting in Budibase self-hosted deployments (versions before 3.38.2) allows any authenticated user with Builder role - or any BASIC/POWER user with table WRITE permission - to upload SVG, HTML, or JavaScript files containing active content via the /api/attachments/process and /api/attachments/:tableId/upload endpoints. The files are stored in the configured object store (MinIO/S3) with their executable MIME types and served via signed URLs, so any end user viewing an attachment triggers script execution in their browser session. Publicly available exploit code exists (detailed PoC in the GHSA advisory); no public exploit identified in active campaigns at time of analysis.
Unrestricted file upload in HCL ZIE for Web (Z and I Emulator) version 16.0 allows remote attackers to upload a web shell that can yield arbitrary command execution on the server, but only when the server is configured to execute uploaded code and the file lands inside the Webroot. The CVSS 3.1 base score is 9.8, yet CISA's SSVC framework rates exploitation as 'none' and not automatable with only partial technical impact, and EPSS sits at just 0.34% (26th percentile). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated arbitrary file upload in the SigmaForms Pro - AI Generated Forms WordPress plugin (versions <= 1.4.5) allows remote attackers to upload files of their choosing to the underlying web server, enabling webshell deployment and full site takeover. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 9.0 with scope change, indicating impact beyond the vulnerable component. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Arbitrary file upload in the Charity Zone WordPress theme (versions 1.1.1 and prior) allows authenticated users with only Subscriber-level privileges to upload files of attacker-chosen type, leading to remote code execution under the web server context. The flaw was disclosed via Patchstack and carries a CVSS 9.9 due to the scope change from a low-privileged WordPress role to full server compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary file upload in the Kids Gift Shop WordPress theme (versions 0.5.4 and earlier) allows authenticated users with Subscriber-level privileges to upload arbitrary files to the server. The CVSS 3.1 score of 9.9 with scope change reflects the potential for remote code execution leading to full site compromise, and no public exploit identified at time of analysis.
Arbitrary file upload in the Ecommerce Zone WordPress theme (versions <= 0.9.7) allows authenticated low-privileged users (Subscriber role) to upload files of attacker-chosen types, resulting in a CVSS 9.9 critical scoring with scope change. No public exploit identified at time of analysis, and the issue was reported by Patchstack via their WordPress vulnerability database. Successful exploitation typically leads to remote code execution on the underlying web server.
Arbitrary file upload in the Restaurant Zone WordPress theme through version 0.7.8 allows authenticated attackers with only Subscriber-level privileges to upload arbitrary files to the underlying server, leading to remote code execution and full site compromise. The CVSS 3.1 score of 9.9 reflects the scope-changing impact achievable from a minimally privileged account; no public exploit is identified at time of analysis and the issue is not currently listed in CISA KEV.
Arbitrary file upload in the Webenvo WordPress theme (versions <= 0.0.6) allows authenticated low-privilege users (Subscriber role) to upload arbitrary files, leading to remote code execution and full site compromise. The CVSS 9.9 score reflects scope change and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Arbitrary file upload in the Unlimited Elements for Elementor (Premium) WordPress plugin versions 2.0.6 and earlier allows authenticated users with Contributor-level privileges to upload arbitrary files, leading to remote code execution on the underlying WordPress host. Reported by Patchstack and rated CVSS 9.9 with a scope-changing impact, no public exploit identified at time of analysis but the low privilege bar makes this a high-priority issue for any site that permits Contributor accounts.
Arbitrary file upload in the WishList Member X WordPress plugin versions 3.29.0 and earlier allows authenticated subscriber-level users to upload malicious files, with a CVSS 9.9 score reflecting scope change and full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the low privilege requirement (subscriber is the lowest authenticated WordPress role) makes this trivially reachable on any site permitting user registration. The vulnerability was disclosed via Patchstack and is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type).
Arbitrary file upload in the Restaurt WordPress theme versions 1.0.4 and earlier allows authenticated users with Subscriber-level privileges to upload arbitrary files, potentially leading to remote code execution on the WordPress host. The CVSS 9.9 score reflects scope-changed impact across confidentiality, integrity, and availability, though no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Unauthenticated arbitrary file upload in the Extendons 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' (versions <= 1.0.7) lets remote attackers upload arbitrary files, including PHP webshells, to vulnerable WordPress sites and gain code execution. The CVSS 10.0 score with Scope:Changed reflects that compromise of the plugin can escalate to full host takeover, though no public exploit was identified at time of analysis and the flaw is not listed in CISA KEV.
Arbitrary file upload in the PT Luxa Addons WordPress plugin (versions 1.2.2 and earlier) allows authenticated users with low-privilege Subscriber accounts to upload attacker-controlled files to a WordPress site, leading to remote code execution and full site compromise. The scope-changed CVSS 9.9 reflects that a minimally privileged WordPress user can pivot to code execution affecting the entire web server. No public exploit identified at time of analysis.
Subscriber Arbitrary File Upload in Grip <= 1.0.9 versions. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Arbitrary file upload in Kodezen Academy LMS Pro (WordPress plugin) versions prior to 3.5.2 allows authenticated attackers with high privileges to upload web shells to the underlying web server, leading to full site compromise. The flaw was reported by Patchstack and a vendor patch is available, but no public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.
Arbitrary file upload in the Kids Online Store WordPress theme (versions up to and including 0.8.9) by themagnifico52 allows authenticated attackers to upload web shells and achieve remote code execution on the underlying server. The flaw is reported by Patchstack and carries a CVSS 3.1 score of 9.9 due to the scope-changing impact on the WordPress host. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Remote code execution in the Premmerce Dev Tools WordPress plugin (versions ≤ 2.0) allows authenticated users with Subscriber-level access or higher to write arbitrary PHP files into wp-content/plugins/ by injecting payloads into the premmerce_plugin_namespace POST parameter. The flaw stems from a missing authorization check in generatePluginHandler combined with unsanitized string substitution in createFromStub, enabling attackers to escape the namespace context with a semicolon and execute arbitrary PHP on the host. No public exploit identified at time of analysis, but the low privilege barrier and the high-impact CVSS 8.8 score make this a serious risk on sites with open registration.
Unauthenticated reflected/stored cross-site scripting in the WordPress plugin Drag and Drop Multiple File Upload - Contact Form 7 versions 1.3.9.7 and earlier allows remote attackers to inject script that executes in a victim's browser after user interaction, leading to session theft, account takeover, or pivoting against authenticated administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. CVSS 3.1 base score is 7.1 with a changed scope reflecting impact across the WordPress admin trust boundary.
Unauthenticated arbitrary file upload in the GeekyBot WordPress plugin (versions 1.2.2 and earlier) allows remote attackers to upload arbitrary files, including PHP webshells, to the web server without any authentication. Reported by Patchstack and tracked as EUVD-2026-36981, this issue carries a maximum 10.0 CVSS due to network-reachable exploitation with no privileges, no user interaction, and a scope change leading to full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the CWE-434 class is heavily targeted on WordPress plugins and routinely leads to full site compromise once disclosed.
Unauthenticated arbitrary file deletion in the WordPress plugin Contact Form Extender for Divi (versions <= 1.0.6) allows remote attackers to delete arbitrary files on the host filesystem via a path traversal flaw. Deletion of critical files such as wp-config.php can force WordPress into setup mode, enabling site takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary file upload in the WP-BusinessDirectory WordPress plugin (versions through 4.0.0) allows authenticated users holding only the low-privilege Subscriber role to upload files of attacker-chosen types to the host site. The CVSS scope-changed 9.9 rating reflects that a successful upload of executable content (e.g., a PHP webshell) yields code execution under the WordPress process and pivots impact beyond the plugin into the wider site and host. No public exploit identified at time of analysis, but Subscriber-level file upload bugs are routinely weaponised against WordPress sites that allow open registration.
Unrestricted file upload in the WpStream WordPress plugin (versions before 4.11.2) permits subscriber-level authenticated users to upload arbitrary files to the server, resulting in integrity and availability impacts. The vulnerability, tracked under CWE-434 and reported by Patchstack, targets sites where user registration is enabled, making any subscriber account a viable attack surface. No public exploit code or active exploitation has been identified at time of analysis, and a vendor-released patch is available at version 4.11.2.
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a path traversal flaw in the plugin import routine with file upload functionality to run arbitrary PHP as the web server user. Publicly available exploit code exists (published by Karma Insecurity / VulnCheck) demonstrating a race-condition-assisted bypass of sanitization, but the issue is not listed in CISA KEV and no public EPSS signal was provided. The high PR:H requirement limits attackers to those already holding administrator credentials or able to obtain them.
Arbitrary file write via path traversal in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticated low-privileged attacker to create or overwrite any file on the underlying operating system by sending crafted HTTP requests to affected API endpoints. The vulnerability stems from insufficient validation of user-supplied input during the file upload process (CWE-22), and a successful exploit can serve as a reliable stepping stone to root-level privilege escalation on the management host. No public exploit has been identified at time of analysis, and the vulnerability is not currently listed in CISA KEV; however, the integrity impact combined with root escalation potential elevates real-world risk above the CVSS 6.5 Medium baseline.
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Unrestricted file upload in Responsive FileManager 9.14.0 (and likely earlier) allows remote unauthenticated attackers to upload arbitrary files - including PHP scripts - via the dialog.php endpoint, leading directly to remote code execution on the hosting web server. The project is unmaintained at the time of CVE assignment, so no vendor patch is forthcoming, and while no public exploit is identified at time of analysis the trivial nature of unrestricted file upload makes weaponization straightforward.
Unrestricted file upload in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows any authenticated user, regardless of role or permission level, to bypass server-side file type controls at the /safe/contract/uploadcustomdocuments endpoint by spoofing the HTTP Content-Type header with a value containing allowed substrings such as 'pdf', 'jpeg', 'tiff', or 'png'. Because validation relies entirely on a client-supplied header rather than inspecting actual file content or magic bytes, arbitrary file content can be written to the server. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Arbitrary code execution in flatnotes v5.5.4 is achievable by uploading crafted HTML or SVG files through the attachment handling component, enabling remote attackers to run code in the context of the application. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact on confidentiality, integrity, and availability. Publicly available exploit code exists via a referenced GitHub gist, though there is no public exploit identified as actively exploited in the CISA KEV catalog at time of analysis.
Iptanus File Upload WordPress plugin before version 5.1.7 allows authenticated low-privilege users to overwrite other users' uploaded files by exploiting a Time-of-Check to Time-of-Use (TOCTOU) race condition in the plugin's file deduplication logic. The flaw is conditional on the `duplicatepolicy` setting being configured to 'maintain both,' and requires winning a precise timing race between the file existence check and the write operation. No active exploitation is confirmed by CISA KEV; however, a publicly available exploit exists via WPScan, and EPSS remains negligible at 0.01%, consistent with the high attack complexity required.
Stored XSS in Parse Server is achievable by authenticated users who bypass the file upload extension blocklist by appending a trailing dot to a blocked filename (e.g., `poc.svg.`), causing the extension parser to return an empty string and skip the block check. The attacker-supplied Content-Type is forwarded unchanged to cloud storage adapters (S3, GCS), which persist and serve the file under that active MIME type - enabling script execution in a victim's browser when the file URL is opened. No active exploitation is confirmed (not in CISA KEV, EPSS 0.05% at 15th percentile), but the attack mechanism is low-complexity and fully documented in the vendor's fix PRs. Patches are available in versions 8.6.79 and 9.9.1-alpha.4.
Unrestricted file upload in Global IT Informatics Services WEOLL versions 2.0.9 through 3.2.45.32 allows authenticated low-privilege users to upload files of dangerous types and bypass ACL-protected functionality. With CVSS 8.7 (scope-changed, confidentiality and integrity high) and TR-CERT advisory publication, the flaw enables impact beyond the vulnerable component, though no public exploit identified at time of analysis and KEV/EPSS signals are not provided.
Unauthenticated arbitrary file upload in Amasty Order Attributes for Magento 2 before 4.0.0 lets remote attackers drop arbitrary files into the store's media directory without authentication, session validation, or cart context. Where the media directory permits PHP execution, this escalates to unauthenticated remote code execution; otherwise it enables stored XSS via HTML/SVG, malware hosting, and path-traversal writes outside the intended directory. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and trivial preconditions make this a high-priority issue for any Magento 2 store running the extension.
Arbitrary file upload leading to remote code execution in CodeIgniter4 framework versions prior to 4.7.3 occurs because the `ext_in` validation rule inspects the MIME-derived guessed extension rather than the client-supplied filename extension. Applications that accept user uploads, rely on `ext_in` for extension allow-listing, persist files under their original client filename inside a web-accessible directory, and permit PHP execution in that directory can be coerced into writing and executing attacker-controlled PHP. No public exploit identified at time of analysis, though the patch commit and tests publicly demonstrate the bypass technique (a polyglot file named `shell.php` carrying GIF magic bytes).
Remote code execution in Başarsoft Rotaban versions V2026.06.002 through V2026.06.003 (exclusive) allows authenticated attackers to upload arbitrary files including web shells, leading to full server compromise. The flaw stems from missing validation of uploaded file types (CWE-434) and was reported by TR-CERT; no public exploit identified at time of analysis, but the CVSS 9.9 score and scope-change indicator make this a high-priority patch target for any Rotaban deployment.
Remote code execution in Limatek System Inc. LimRAD NAC versions prior to 5.5.7.3.9 allows unauthenticated remote attackers to upload dangerous file types and achieve Remote Code Inclusion. The CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating reflects an internet-reachable, no-interaction exploitation path against a network access control appliance, though no public exploit identified at time of analysis. The vulnerability was disclosed by TR-CERT and tracked in Turkish national vulnerability advisory TR-26-0366.
Uncontrolled resource consumption in GitLab CE/EE's file upload processing pipeline enables any authenticated user to trigger denial of service by submitting a specially crafted file. All self-managed GitLab instances running versions from 17.10 up through the patched releases (18.10.8, 18.11.5, 19.0.2) are affected across both Community and Enterprise Editions. A publicly available exploit exists on HackerOne (report #3517331), though no active exploitation has been confirmed by CISA KEV.
Unauthenticated arbitrary file upload in the Schema & Structured Data for WP & AMP WordPress plugin before version 1.60 allows remote attackers to upload any file type accepted by WordPress's media library through frontend AJAX handlers intended for images and videos only. The plugin fails to perform user capability checks and does not validate uploaded file content against the endpoint's declared media type. Publicly available exploit code exists via WPScan, increasing the urgency for immediate patching despite no confirmed in-the-wild exploitation.
Unrestricted file upload via the DIGSI 5 engineering protocol in Siemens SIPROTEC 5 protective relays enables authenticated, high-privileged users on an adjacent network to upload malicious configuration files, causing denial of service or potentially achieving code execution on the affected device. All hardware variants (CP050/CP100/CP150/CP200/CP300) across more than 60 distinct SIPROTEC 5 model lines are affected, with no patched firmware version available. No public exploit identified at time of analysis, but the presence of RCE and DoS tags alongside a confirmed CWE-434 root cause makes this a meaningful operational technology (OT) risk in poorly segmented substation environments.
Denial-of-service via crafted TIFF image upload in Apache Answer through 2.0.0 allows an authenticated user to crash the server process by triggering excessive memory allocation during image decoding. The vulnerability stems from improper handling of specially crafted TIFF files in the file upload feature, where no bounds are placed on memory consumed during the decode phase. No public exploit code or active exploitation has been identified at time of analysis; however, the low technical barrier to trigger the crash once authenticated elevates its operational risk for community and enterprise deployments.
Insufficient validation of user-supplied avatar image URLs in Apache Answer through 2.0.0 allows authenticated users to set arbitrary external URLs as profile images, causing the platform or clients to issue outbound HTTP requests to attacker-controlled servers on page load. This exposes user IP addresses, HTTP headers, and browsing activity to third-party infrastructure whenever affected profiles are viewed. Rated moderate severity by Apache; no public exploit identified at time of analysis and not listed in CISA KEV.
Unrestricted file upload in Dcat-Admin up to 2.2.3-beta allows remote attackers with high privileges - or potentially with authentication bypass - to upload arbitrary files via the editorMDUpload function at the /admin/dcat-api/editor-md/upload endpoint on the User Setting Page. The vulnerability stems from improper access control (CWE-284) on the editormd-image-file parameter, enabling upload of potentially malicious file types. Publicly available exploit code exists (CVSS E:P confirmed), though no active exploitation is listed in CISA KEV. The low CVSS 4.0 base score of 2.0 reflects constrained impact scope, but the 'Authentication Bypass' tag warrants additional scrutiny of the effective privilege requirement.
Arbitrary file upload via the /api/create-car-image endpoint in bookcars v8.3 enables server-side code execution by uploading a crafted file (e.g., a web shell). The vulnerability targets an image upload API that fails to restrict file types per CWE-434. No public exploit identified at time of analysis, and EPSS sits at 0.02% (6th percentile), indicating negligible observed exploitation pressure - however, two data conflicts significantly affect confidence: the description asserts an authenticated attacker is required while the CVSS vector records PR:N (no privileges required), and the CVSS impact scores of C:L/I:L are inconsistent with the claimed remote code execution outcome.
WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Unrestricted file upload in Kushan2k's student-management-system exposes the registration endpoint to unauthenticated remote attackers who can upload arbitrary files - including PHP webshells - by manipulating the `stimg` argument in `service/RegisterService.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no complexity, and no user interaction are required, making this trivially exploitable by any network-reachable attacker. Publicly available exploit code exists (E:P confirmed), and the vendor has not responded to responsible disclosure as of analysis time, leaving all installations unpatched.
Path traversal in hsweb-framework up to version 5.0.1 allows authenticated remote attackers to write files outside the intended upload directory by manipulating the filename argument in the file upload component. The root cause is insufficient sanitization of path sequences — including URL-encoded variants (`..%2F`) and Windows-style backslashes (`..\`) — in the `denied` function of `FileUploadProperties.java`. A public exploit has been disclosed via GitHub issue #344, and a patch commit is available; no KEV listing indicates opportunistic rather than confirmed mass exploitation.
Remote code execution in the MDJM Event Management WordPress plugin (versions through 1.7.8.3) allows authenticated administrators to upload arbitrary files, including executable PHP, via the mdjm_send_comm_email function which performs no file type, extension, or MIME validation. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS 3.1 score of 7.2, with publicly available exploit code existing on GitHub and a detailed write-up published by the researcher. No public exploit identified in CISA KEV, and exploitation requires administrator-level privileges, limiting realistic impact to post-compromise or insider scenarios.
Stored Cross-Site Scripting in the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (all versions through 1.3.9.7) allows authenticated administrators to persist malicious JavaScript via the 'drag_n_drop_text' and 'drag_n_drop_browse_text' plugin settings fields, which subsequently execute in the browsers of any site visitor accessing a page containing an affected CF7 upload form. The CVSS Scope:Changed designation reflects this cross-user impact - a compromised or rogue admin can silently weaponize public-facing forms without further interaction. No public exploit or CISA KEV listing exists at time of analysis, and the CVSS score of 4.4 reflects the high privilege and high complexity prerequisites that substantially limit opportunistic exploitation.
Arbitrary file upload in HAX CMS (PHP backend) versions 11.0.6 through 24.x allows authenticated remote attackers to upload PHP webshells disguised as images by abusing a regex-only extension check that ignores MIME type and content inspection, leading to remote code execution on the web server. CVSS v4.0 scores this 8.7 (High) with PR:L indicating low-privilege authentication is required, and no public exploit was identified at time of analysis although the underlying CWE-434 pattern is highly automatable.
Remote code execution in WP Captcha PRO (premium version of the Advanced Google reCAPTCHA WordPress plugin) through version 5.38 allows authenticated Subscriber-level attackers to upload arbitrary files, including PHP webshells, by abusing the licensing module's save_ajax() capability check and the unrestricted archive extraction in sync_cloud_protection(). No public exploit identified at time of analysis, but the CVSS 8.8 rating and trivial Subscriber-level prerequisite - common on sites with open registration - make this a high-priority WordPress ecosystem flaw. Wordfence is the original reporter and primary intelligence source.
Unrestricted file upload in code-projects Vehicle Management System 1.0 allows remote unauthenticated attackers to upload arbitrary files via the photo parameter of the New Driver Registration Form (newdriver.php), enabling remote code execution. Publicly available exploit code exists on GitHub, increasing the likelihood of opportunistic abuse against exposed instances despite no CISA KEV listing.
Unrestricted file upload in tittuvarghese CollegeManagementSystem exposes the Student Data Upload endpoint (`dashboard_page/forms/upload_student_data.php`) to remote exploitation by authenticated low-privilege users, allowing arbitrary file types - including PHP web shells - to be uploaded to the server by manipulating the Student-Data-CSV argument. All deployed instances across all commits are affected given the project's rolling release model, and no vendor-released patch exists as the maintainer has not responded to responsible disclosure. Publicly available exploit code exists, raising real-world risk above what the CVSS 6.3 score alone implies.
Unrestricted file upload in Stumasy (mjperpinosa) allows a low-privileged authenticated attacker to upload arbitrary files through the profile image change endpoint, potentially enabling server-side code execution. The vulnerable parameter `pr_profile_image` in `application/PHP/objects/profiles/change_profile_image.php` performs no meaningful file type validation, making it trivial to submit non-image payloads including PHP webshells. A publicly available exploit exists via the project GitHub issue tracker; the vendor has not responded to the disclosure, and no patch has been released. No CISA KEV listing at time of analysis.
Unrestricted file upload in mjperpinosa's stumasy PHP application allows authenticated remote attackers to upload arbitrary and potentially dangerous file types via the up_file_to_post parameter in add_post.php, enabling likely remote code execution through web shell deployment. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-reachable exploitation requiring only low-privilege authentication with no user interaction. A publicly available proof-of-concept exploit exists (disclosed via GitHub issue), and the vendor has not responded to the responsible disclosure - no patch is available at time of analysis.
Stored or reflected Cross-Site Scripting in MaxSite CMS v.109.2 allows a remote attacker with low-privilege authenticated access to inject malicious scripts via the Backend page file upload endpoint (admin_page), which execute in the browsers of other users - including administrators - to exfiltrate sensitive information such as session tokens. The CVSS vector (S:C) confirms the attack crosses a security scope boundary, amplifying impact beyond the attacker's own session. A researcher-published proof-of-concept is publicly available on GitHub, though EPSS remains very low at 0.05% (17th percentile) and no active exploitation has been confirmed by CISA KEV.
Stored Cross-Site Scripting in Koha 25.11 and earlier allows a remote authenticated attacker to inject and execute arbitrary JavaScript in victim browsers via the file upload function within the Invoice features module. The CVSS Scope:Changed designation indicates the injected script executes in a security context beyond the attacker's own session - targeting higher-privileged users (e.g., acquisitions staff or administrators) who subsequently view the affected invoice. A researcher blog post at g03m0n.github.io documents this vulnerability, suggesting public technical details are available. No public exploit identified at time of analysis, and EPSS at 0.05% (16th percentile) indicates low observed exploitation probability.
Unrestricted file upload in SOPlanning's backup import functionality (versions 1.55 and below) allows an authenticated high-privilege attacker to smuggle a malicious PHP script inside a crafted ZIP archive alongside a legitimate user.csv file, bypassing extension validation entirely. This vulnerability is materially escalated when chained with CVE-2026-40547 (Path Traversal in the same product), which redirects extraction to a web-accessible directory, converting an upload flaw into full server-side remote code execution. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the exploitation chain is technically straightforward once administrative credentials are held.
Unrestricted file upload in Metasoft MetaCRM 6.4.0 allows low-privileged authenticated remote attackers to upload arbitrary files via the softlogo upload endpoint at develop/systparam/softlogo/upload.jsp, potentially enabling server-side code execution or persistent backdoor installation. A publicly available proof-of-concept exploit exists, referenced via a Feishu document, and the vendor did not respond to coordinated disclosure. No KEV listing at time of analysis, but the combination of a public POC, low attack complexity, and an unresponsive vendor elevates practical risk beyond what the 6.3 CVSS score alone suggests.
Unrestricted file upload in Bdtask Multi-Store Inventory Management System 1.0 enables authenticated remote attackers to upload arbitrary file types - including PHP webshells - through the Component Module's Upload function, leading to potential remote code execution on the host server. The vulnerability resides in application/modules/dashboard/controllers/Module.php where the Upload function performs insufficient file type validation. A public proof-of-concept exploit has been released on GitHub, elevating the practical risk beyond the moderate CVSS 6.3 score. No vendor patch has been identified at time of analysis.
Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
File upload restriction bypass in Spatie Laravel Media Library prior to 11.23.0 allows authenticated remote attackers to upload files with double extensions (e.g., shell.php.jpg) or executable extensions missing from the blocklist (.php6, .shtml, .htaccess) due to a flawed sanitizer in FileAdder::defaultSanitizer() that only inspects the final filename suffix. Successful exploitation can lead to arbitrary PHP code execution when the application is deployed behind a legacy Apache AddHandler configuration, with no public exploit identified at time of analysis. The flaw carries a CVSS 4.0 score of 8.7 (high) reflecting high confidentiality, integrity, and availability impact.
Command injection in Dokploy 0.29.1 and earlier allows authenticated users to execute arbitrary OS commands on the host by abusing the Docker file upload feature's unsanitized destinationPath parameter. The CVSS 9.9 score reflects scope change to the underlying host from a containerized context, and no public exploit identified at time of analysis though the GHSA advisory provides sufficient technical detail to reconstruct one.
HaPe PKH 1.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by bypassing file type validation. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Arbitrary file upload in Interinfo DreamMaker allows authenticated high-privilege remote attackers to upload web shell backdoors and achieve arbitrary code execution on the underlying server. The flaw carries a CVSS 4.0 score of 8.6 and was reported via TWCERT, with no public exploit identified at time of analysis. Despite the high privilege requirement, the network-reachable vector and full CIA impact on the host make this a meaningful post-authentication compromise primitive.
Unauthenticated arbitrary file upload in Interinfo DreamMaker allows remote attackers to upload web shell backdoors and execute arbitrary code on the server, scoring CVSS 4.0 9.3 (Critical). No public exploit identified at time of analysis, but the combination of no authentication, low attack complexity, and complete CIA impact makes this a high-priority issue. TWCERT (Taiwan's national CERT) is the reporting source, indicating regional advisory coordination.
Remote code execution in Falco Solutions PHPageBuilder v0.31.0 is possible through an unrestricted file upload flaw in the pagemanager/pagebuilder module, enabling unauthenticated remote attackers to upload arbitrary executable files (typically PHP webshells) and run code on the underlying web server. Publicly available exploit code exists in a dedicated GitHub repository, though EPSS scoring (0.06%, 18th percentile) and SSVC indicate no observed in-the-wild exploitation despite the attack being fully automatable.
Arbitrary file upload leading to remote code execution affects the GutenBee – Gutenberg Blocks WordPress plugin in all versions through 2.20.1, enabling authenticated users with Author role or higher to upload PHP files disguised with double extensions such as shell.json.php. The flaw stems from a permissive strpos() substring check in gutenbee_file_and_ext_json that allows attackers to bypass WordPress filetype validation and execute arbitrary PHP on the server. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in the Crawlomatic Multipage Scraper Post Generator plugin for WordPress (versions up to and including 2.7.2) allows authenticated users with author-level privileges to execute arbitrary PHP code on the server by abusing the 'callback_raw' or 'callback' shortcode attributes processed by the filter_content function. The flaw stems from passing attacker-controlled input directly to call_user_func() guarded only by is_callable(), which still permits dangerous PHP built-ins like system, shell_exec, exec, passthru, and assert. No public exploit identified at time of analysis, but Wordfence has published a detailed advisory and the shortcode sink is trivially reachable for any author-level account.
Arbitrary file upload in SourceBans Material Admin v1.1.6 allows remote unauthenticated attackers to achieve code execution by uploading a crafted image file to the pages/admin.uploadmapimg.php endpoint. The flaw is tagged as a PHP RCE vector and has public proof-of-concept gists referenced on GitHub, though it is not listed in CISA KEV and carries a very low EPSS exploitation probability (0.02%, 5th percentile).
Excessive data exposure in DFIR-IRIS before version 2.4.28 enables authenticated low-privileged users to retrieve sensitive information from API responses that should be restricted or filtered server-side. The flaw (CWE-201) is part of a coordinated multi-vulnerability disclosure by SBA Research (SBA-ADV-20260126-04), which also identified an Open Redirect (CVE-2026-42329), Insecure File Upload (CVE-2026-42538), and Mass Assignment (CVE-2026-42540) in the same product version. No public exploit identified at time of analysis and no CISA KEV listing; however, the target platform stores highly sensitive digital forensics and incident response case data, elevating the practical impact of any confidentiality breach.
Mass assignment vulnerability in DFIR-IRIS before 2.4.28 enables authenticated low-privileged users to modify object attributes that the application should restrict from client control. Exploitable remotely with no complexity or user interaction required (AV:N/AC:L/PR:L/UI:N), the flaw can allow unauthorized modification of case data, ownership fields, or other model attributes beyond what the interface intentionally exposes. No public exploit code identified at time of analysis, and the CVE is not listed in CISA KEV; however, it was disclosed as part of a coordinated multi-CVE advisory by SBA Research covering five distinct vulnerabilities in the same product version.
Open redirect in DFIR-IRIS before version 2.4.28 allows unauthenticated remote attackers to craft URLs that silently redirect authenticated users to arbitrary external domains. The CVSS Scope:Changed (S:C) component confirms the vulnerability crosses the application's trust boundary, making it a viable vector for phishing and credential harvesting campaigns targeting incident responders and forensic analysts who use the platform. No public exploit code or active exploitation has been identified at time of analysis, and no CISA KEV listing is present.
Insecure file upload in DFIR-IRIS before version 2.4.28 allows a low-privileged remote attacker to upload files of dangerous types, resulting in high confidentiality impact and limited integrity compromise when a victim user interacts with the uploaded content. Disclosed by SBA Research in advisory SBA-ADV-20260126-03, this is one of three CVEs (CVE-2026-42329, CVE-2026-42538, CVE-2026-42539) patched simultaneously in the 2.4.28 release. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Two-factor authentication bypass via TOTP secret disclosure affects FileRise self-hosted file manager before 3.12.0, where the /api/totp_setup.php endpoint can be reached from the intermediate 'pending_login_user' session state that exists after a correct password but before the TOTP check. For accounts that already have TOTP enabled, the endpoint decrypts and returns the existing TOTP secret inside the enrollment QR PNG rather than refusing, so an attacker who already holds the victim's password can extract the seed, compute a valid one-time code, and complete login without the victim's authenticator. No public exploit has been identified at time of analysis and no EPSS score is provided, but the issue fully defeats the second authentication factor.
Arbitrary file upload in the WPify Woo Czech WordPress/WooCommerce plugin (versions through 5.4.1) lets a low-privileged authenticated user upload a dangerous file type - i.e., a PHP web shell - to the web server, leading to remote code execution. The CVSS 3.1 vector (PR:L, S:C, C:H/I:H/A:H) reflects a scope-changing critical-severity flaw scored 9.9 that compromises the entire host once exploited. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS score is very low (0.04%, 13th percentile), indicating little observed exploitation pressure despite the high CVSS.
Unrestricted file upload in SourceCodester Simple POS and Inventory System 1.0 allows authenticated remote attackers to upload arbitrary files through the image argument of /admin/addproduct.php, potentially enabling web shell deployment and remote code execution. A publicly available proof-of-concept exploit exists (GitHub gist), and SSVC confirms exploitation: poc status. Despite the severe nature of CWE-434 unrestricted upload flaws, EPSS sits at 0.04% (11th percentile) and CISA has not added this to KEV, indicating limited observed exploitation in the wild at time of analysis.
Unrestricted file upload in KLiK SocialMediaWebsite 1.0 exposes the application to unauthenticated remote exploitation via the `uniqid` function in `upload.inc.php`. The File Handler component fails to validate uploaded file types (CWE-434), allowing an attacker to upload PHP webshells or other executable files without any authentication - confirmed by the CVSS 4.0 vector PR:N/UI:N. Exploit code has been publicly disclosed (CVSS E:P, referenced via VulDB), though EPSS remains low at 0.04% and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.
Unrestricted file upload in RuoYi-Vue (versions 3.9.0-3.9.2) exposes the FileUploadUtils.upload function at the /common/upload endpoint to arbitrary file upload by authenticated remote attackers, potentially enabling server-side code execution if the uploaded file is accessible and executed by the web server. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) scores 5.3 Medium, reflecting low-privilege authentication as the primary barrier; no compensating controls enforce file-type validation at the endpoint. No public exploit code has been identified and no active exploitation is confirmed, though the vendor did not respond to responsible disclosure, leaving the fix status unresolved.
Redaxo CMS Mediapool Addon 5.5.1 and older contains an arbitrary file upload vulnerability that allows authenticated users to bypass file extension blacklist restrictions. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous file types and execute arbitrary code, earning a maximum CVSS 10.0 score with scope change (S:C). Per Microsoft's MSRC advisory, a vendor patch is available, though no public exploit has been identified at time of analysis and the EPSS score was not provided in the source data.
Uncontrolled memory allocation in Mattermost's TIFF image processing allows authenticated users to trigger server-side out-of-memory (OOM) conditions, effectively taking down the collaboration platform. Affected are all Mattermost deployments running versions 10.11.x through 11.6.0. Any account holding file upload or URL-posting permissions can exploit this remotely without elevated privileges, making it a realistic insider or compromised-account threat. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and broad authentication base increase practical risk.
File disclosure via malicious HTML file upload default values in Mothra, the web browser bundled with the 9front Plan 9 fork, allows a remote unauthenticated attacker to exfiltrate arbitrary local files from a victim's filesystem. By crafting a webpage containing a hidden file input element with a pre-set malicious default path, the attacker can cause Mothra to silently submit a targeted local file to an attacker-controlled server upon user interaction. The CVSS 4.0 E:P supplemental metric indicates publicly available proof-of-concept exploit code exists; no CISA KEV listing is present, suggesting exploitation is not yet confirmed at scale.
Unauthenticated arbitrary file upload in the BookingPress Pro WordPress plugin (versions ≤5.6) enables remote code execution by abusing missing file type validation in the bookingpress_validate_submitted_booking_form_func function. Exploitation requires the booking form to include a signature custom field, but otherwise needs no authentication or user interaction. No public exploit identified at time of analysis, though Wordfence's disclosure and the CWE-434 pattern make weaponization straightforward.
Unrestricted file upload in Gmission Web Fax versions 3.0 up to (but not including) 3.1 allows attackers to upload files of dangerous types and trigger remote code inclusion, leading to full confidentiality, integrity, and availability impact on the host. The flaw was reported by FSI and a vendor patch is available, though no public exploit code has been identified at time of analysis. Note that the CVSS 4.0 vector advertises a local attack vector (AV:L) which conflicts with the description's 'Remote Code Inclusion' wording - this discrepancy should be verified.
Unrestricted file upload in WP Swings Gift Cards For WooCommerce Pro plugin (versions up to and including 4.2.6) allows remote unauthenticated attackers to upload malicious files of dangerous types to vulnerable WordPress sites. With a maximum CVSS score of 10.0 and a scope-changed vector, successful exploitation typically leads to remote code execution and full site compromise. No public exploit identified at time of analysis, though the high severity and ease of exploitation make this a priority concern for any WooCommerce site using this plugin.
Arbitrary file write in Altium Enterprise Server ComparisonService allows authenticated workspace users to escape the temporary upload directory and plant files anywhere on the host filesystem via crafted multipart Content-Disposition headers in the Gerber upload APIs. The flaw (CVSS 4.0 score 9.4, CWE-22) escalates to remote code execution by dropping payloads into web-accessible paths or overwriting service binaries, and a vendor patch is available. No public exploit identified at time of analysis.
Unauthenticated remote code execution in the ProSolution WP Client WordPress plugin (versions ≤ 2.0.0) allows attackers to upload malicious PHP files to a web-accessible directory by abusing an array validation mismatch in its upload handler. Because only the first file in a multi-file upload array is checked for extension and MIME type while the remaining files are processed unchecked, attackers can pair a benign first file with a PHP webshell to achieve full code execution on the host. No public exploit identified at time of analysis, but the high CVSS 9.8 score and trivially scriptable nature place this in the realistic mass-exploitation tier for WordPress plugins.
Stored cross-site scripting in Budibase self-hosted deployments (versions before 3.38.2) allows any authenticated user with Builder role - or any BASIC/POWER user with table WRITE permission - to upload SVG, HTML, or JavaScript files containing active content via the /api/attachments/process and /api/attachments/:tableId/upload endpoints. The files are stored in the configured object store (MinIO/S3) with their executable MIME types and served via signed URLs, so any end user viewing an attachment triggers script execution in their browser session. Publicly available exploit code exists (detailed PoC in the GHSA advisory); no public exploit identified in active campaigns at time of analysis.