Malicious File Upload
Malicious file upload attacks exploit insufficient validation when web applications accept user-provided files.
How It Works
The attacker uploads a file containing server-side executable code, commonly a web shell written in PHP, JSP, or ASPX, disguised so that it passes the application's basic security checks. Once the file lands in a web-accessible directory, the attacker requests its URL; the server executes the file and the attacker gains remote command execution with the web application's privileges.
Attackers employ various bypass techniques to defeat weak filters. Content-Type spoofing involves manipulating HTTP headers to claim a malicious PHP file is an image. Double extensions like shell.php.jpg exploit flawed parsers that only check the final extension. Null byte injection (shell.php%00.jpg) can truncate filenames in vulnerable code. Case manipulation (.pHp, .AsP) defeats case-sensitive blacklists. Advanced attacks upload .htaccess or web.config files to reconfigure the server, enabling script execution in directories where it was previously disabled.
The typical attack flow begins with reconnaissance to locate upload functionality, followed by testing various evasion techniques until a payload successfully uploads. The attacker then accesses the uploaded web shell through a browser, passing commands via URL parameters. This establishes an interactive backdoor for further exploitation, lateral movement, and data theft.
Impact
- Remote code execution: Full command-line access to the web server with the application's privileges
- Web shell persistence: Durable backdoor survives application restarts, enabling long-term access
- Data exfiltration: Direct file system access allows theft of databases, credentials, source code, and sensitive documents
- Server compromise: Ability to install additional malware, create privileged accounts, and pivot to internal networks
- Website defacement: Modification of public-facing content to damage reputation or spread misinformation
Real-World Examples
Cisco Wireless LAN Controller (CVE-2025-20188) combined a hardcoded JWT credential with unrestricted file upload, allowing unauthenticated attackers to deploy web shells and achieve complete controller compromise. The dual vulnerability eliminated authentication barriers entirely.
WordPress plugin vulnerabilities frequently expose this attack surface. Numerous plugins have allowed arbitrary file uploads through image galleries or media managers, where attackers upload PHP shells disguised as images, then execute them to take over hosting environments.
Enterprise content management systems have suffered similar flaws where document upload features failed to validate file types properly, allowing attackers to upload executable scripts that provided administrative access to corporate intranets and sensitive business data.
Mitigation
- Whitelist permitted extensions and validate against both filename and actual file content (magic bytes/file signatures)
- Store uploads outside the webroot entirely, serving them through a handler script that prevents execution
- Disable script execution in upload directories via web server configuration (remove execute permissions)
- Rename uploaded files to random identifiers, breaking the attacker's ability to predict URLs
- Implement content scanning with antivirus/malware detection before storing files
- Enforce authentication and authorization on all upload endpoints with proper session management
- Validate file size limits to prevent resource exhaustion alongside malicious uploads
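The following validator is an added example, not code from any product on this page. It applies the mitigation list above to the bypass techniques described under How It Works (content-type spoofing, double extensions, null bytes, case manipulation, .htaccess/web.config uploads) and adds the path-containment check that several of the listed traversal and prefix-check CVEs lack. The extension allowlist, magic-byte table and size limit are assumptions chosen for the example.

```python
import os
import secrets
from dataclasses import dataclass

# Allowlist of extensions the application serves, each mapped to the magic-byte
# prefixes a file of that type must start with. Constructed for this example; a
# real deployment tailors it to the file kinds the feature actually needs.
ALLOWED_TYPES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "pdf":  (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit


@dataclass
class Decision:
    accepted: bool
    reason: str
    stored_name: str = ""  # random server-side name, set only when accepted


def validate_upload(filename: str, claimed_content_type: str, data: bytes) -> Decision:
    """Apply the mitigation checks to one upload.

    claimed_content_type is the client's Content-Type header. It is deliberately
    never consulted: the header is attacker-controlled, so only the file's
    actual bytes decide its type.
    """
    if len(data) == 0 or len(data) > MAX_UPLOAD_BYTES:
        return Decision(False, "empty or oversized upload")
    # A NUL byte (shell.php%00.jpg after URL decoding) can truncate the name in
    # lower-level string handling, so it is rejected outright.
    if "\x00" in filename:
        return Decision(False, "null byte in filename")
    # Only a bare name is acceptable; any path component signals traversal.
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        return Decision(False, "path component in filename")
    # Dotfiles such as .htaccess reconfigure the web server and never belong in uploads.
    if base.startswith("."):
        return Decision(False, "hidden or server-config filename")
    parts = base.lower().split(".")  # case-folded, so shell.pHp is seen as shell.php
    if len(parts) < 2:
        return Decision(False, "no extension")
    # Every extension segment must be allowlisted: shell.php.jpg fails on "php"
    # and web.config fails on "config", whichever position they occupy.
    exts = parts[1:]
    bad = [e for e in exts if e not in ALLOWED_TYPES]
    if bad:
        return Decision(False, f"extension not allowed: {bad[0]}")
    ext = exts[-1]
    # The content must carry the signature of the type its extension claims.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return Decision(False, "content does not match extension")
    # Random server-side name: the attacker cannot predict the stored file's URL.
    return Decision(True, "ok", f"{secrets.token_hex(16)}.{ext}")


def is_within_root(root: str, candidate: str) -> bool:
    """True only when candidate resolves to root or a descendant of it.

    A naive prefix test, resolved.startswith(root), accepts the sibling
    directory /srv/uploads_evil when root is /srv/uploads, and joining an
    absolute candidate onto root silently discards root. Checking the
    common path of the two resolved locations catches both cases.
    """
    root_abs = os.path.realpath(root)
    cand_abs = os.path.realpath(os.path.join(root_abs, candidate))
    try:
        return os.path.commonpath([root_abs, cand_abs]) == root_abs
    except ValueError:  # e.g. paths on different drives on Windows
        return False


if __name__ == "__main__":
    samples = {  # constructed inputs mirroring the bypasses described above
        "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(32),
        "shell.php.jpg": b"\xff\xd8\xff\xe0" + bytes(32),
        "shell.pHp": b"<?php /* constructed */ ?>",
        "shell.php\x00.jpg": b"\xff\xd8\xff\xe0",
        ".htaccess": b"# constructed\n",
        "../../evil.jpg": b"\xff\xd8\xff\xe0",
    }
    for name, body in samples.items():
        d = validate_upload(name, "image/jpeg", body)
        print(f"{name!r:24} accepted={d.accepted} reason={d.reason}")
    print(is_within_root("/srv/uploads", "../uploads_evil/x.jpg"))  # False
```

Only the first sample is accepted; every other name is refused with the reason that names the bypass it attempted.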
Recent CVEs (1155)
Path traversal in Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (versions ≤1.3.9.6) allows unauthenticated remote attackers to read arbitrary files within the wp-content/ directory and exfiltrate them via email attachments. The plugin accepts client-supplied mfile[] POST parameters without server-side validation, directly converting user-controlled filenames to filesystem paths. CVSS 7.5 (High) reflects a network attack vector with no authentication required. SSVC marks this as automatable with partial technical impact. No active exploitation is confirmed (SSVC: exploitation=none), but the attack complexity is low and no user interaction is required, making this a realistic pre-authentication data exposure risk for sites using this plugin.
Server-side request forgery (SSRF) in TinyFileManager file upload handler (versions up to 2.6) allows authenticated remote attackers to manipulate the uploadurl parameter and forge requests to arbitrary servers. The vulnerability affects the /filemanager.php?p=&ajax=true&type=upload endpoint and has publicly available exploit code; the vendor has not responded to disclosure attempts.
Unrestricted file upload vulnerability in QueryMine SMS admin panel allows authenticated remote attackers to upload arbitrary files via the image parameter in admin/addteacher.php, potentially enabling remote code execution. Affects all versions up to commit 7ab5a9ea196209611134525ffc18de25c57d9593. Public exploit code exists and the vendor has not responded to disclosure attempts.
Kubio page builder plugin for WordPress allows authenticated attackers with Contributor-level access to upload arbitrary files from external URLs by bypassing capability checks in the REST API post creation handler. The kubio_rest_pre_insert_import_assets() function automatically imports remote files referenced in block attributes without verifying the user possesses the upload_files capability, violating WordPress's normal media upload restrictions. Affected versions are up to and including 2.7.2; no public exploit code has been identified at the time of analysis.
JetBackup plugin for WordPress versions up to 3.1.19.8 allows authenticated administrators to delete arbitrary directories via path traversal in the file upload handler. The vulnerability stems from insufficient input validation on the fileName parameter, which is sanitized using sanitize_text_field() but still permits path traversal sequences like '../'. When combined with the recursive directory deletion logic in the cleanup routine, attackers can traverse outside the intended upload directory and delete critical WordPress directories such as wp-content/plugins, completely disabling all plugins and severely disrupting the WordPress installation.
Unrestricted file upload in WebStack WordPress theme allows unauthenticated remote code execution. The io_img_upload() function in all versions through 1.2024 lacks file type validation, enabling unauthenticated attackers to upload malicious files (e.g., PHP shells) directly to the server. No public exploit identified at time of analysis, but EPSS score and attack complexity (CVSS AC:L) indicate straightforward exploitation. Critical severity (CVSS 9.8) warranted due to complete system compromise potential with zero authentication barriers.
Local File Inclusion in BoidCMS versions prior to 2.1.3 enables authenticated administrators to execute arbitrary PHP code via path traversal in the tpl parameter combined with file upload. The vulnerability chains unsanitized require_once() inclusion with media upload functionality, allowing attackers to upload malicious files and force their execution with web server privileges. Vendor-released patch available in version 2.1.3. CVSS 7.2 reflects high-privilege requirement (administrator access), but exploitation complexity is low once authenticated. No CISA KEV listing or public exploit code identified at time of analysis.
Authenticated SFTP users in goshs (a Go-based HTTP/SFTP file server) can read and write files outside the configured SFTP root directory via a path validation bypass. The vulnerability affects the SFTP subsystem in goshs beta.4 and earlier v2.x versions, exploiting a flawed string-prefix check that treats sibling directories (e.g., /tmp/goshsroot_evil) as valid when the configured root is /tmp/goshsroot. Public exploit code exists with video demonstrations showing complete jail escape, allowing authenticated attackers to list directories, download sensitive files, create arbitrary directories, and upload malicious content outside the intended boundary. Fix released in goshs v2.0.0 per vendor advisory GHSA-5h6h-7rc9-3824.
Remote code execution in Webkul Krayin CRM v2.2.x allows authenticated attackers with low-level privileges to upload and execute malicious PHP files through an unrestricted file upload vulnerability in the /admin/tinymce/upload endpoint. The scope change (CVSS S:C) indicates potential container escape or cross-tenant impact. Authentication requirement confirmed (CVSS PR:L). No public exploit identified at time of analysis, though technical details are available in security advisory references.
Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload, milestone editing, and administrative functions to force logout, create accounts, modify roles, inject comments, or upload files when authenticated users visit attacker-controlled websites.
Remote code execution in Pachno 1.0.6 allows authenticated users to upload and execute PHP5 scripts via the /uploadfile endpoint due to ineffective extension filtering. The vulnerability bypasses file type restrictions, enabling attackers to place executable code in web-accessible directories. With a low attack complexity (AC:L) and requiring only low-level authentication (PR:L), this is exploitable by any user with basic credentials. EPSS probability is relatively low (0.10%, 27th percentile), and no active exploitation is confirmed via CISA KEV status, though the attack technique is well-understood and documented in public advisories.
Remote code execution in Pandora FMS versions 777 through 800 enables authenticated administrators to upload malicious files and execute arbitrary code on the server. The vulnerability stems from inadequate file type validation during upload operations, allowing attackers with high-privilege credentials to bypass security controls. With a CVSS 4.0 score of 8.6 and attack complexity rated as low, this represents a significant risk for organizations using affected versions, though exploitation requires prior administrative access to the monitoring platform.
In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page.
Remote code execution in Chamilo LMS versions prior to 1.11.38 allows authenticated users (including low-privilege students) to upload and execute arbitrary PHP code through the BigUpload endpoint. Attackers exploit insufficient file extension filtering by uploading .pht files containing malicious code, which Apache servers with default .pht handlers execute as PHP. The vulnerability enables authenticated attackers to achieve full server compromise through unrestricted arbitrary file write capabilities. No public exploit identified at time of analysis.
Remote code execution in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows authenticated teachers to upload PHP webshells through the exercise sound upload function by spoofing Content-Type headers to audio/mpeg. Uploaded malicious files retain their .php extensions and execute in web-accessible directories with web server privileges (www-data). Attack requires low-privilege teacher account but no user interaction. No public exploit identified at time of analysis.
Unauthenticated path traversal in FalkorDB Browser 1.9.3 file upload API enables remote attackers to write arbitrary files to the server filesystem and execute code without authentication. Attack vector is network-accessible with low complexity, requiring no user interaction. CVSS 9.8 critical severity reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.09%, 25th percentile).
Arbitrary file manipulation in MW WP Form plugin (WordPress) versions ≤5.1.1 allows unauthenticated attackers to move sensitive server files into web-accessible directories, enabling remote code execution. The vulnerability stems from insufficient validation of upload field keys in generate_user_file_dirpath(), exploiting WordPress's path_join() behavior with absolute paths. Attackers inject malicious keys via mwf_upload_files[] POST parameter to relocate critical files like wp-config.php. Exploitation requires forms with enabled file upload fields and 'Saving inquiry data in database' option. No public exploit identified at time of analysis.
Unauthenticated arbitrary file upload in ProSolution WP Client plugin (≤1.9.9) enables attackers to upload executable files without validation via the 'proSol_fileUploadProcess' function, leading to remote code execution on WordPress servers. Critical severity (CVSS 9.8) with network-accessible attack vector requiring no authentication or user interaction. No public exploit identified at time of analysis.
Arbitrary file upload in Gerador de Certificados - DevApps plugin for WordPress (all versions ≤1.3.6) enables authenticated administrators to upload files without type validation, creating remote code execution opportunities. The vulnerability stems from missing file type validation in the moveUploadedFile() function. CVSS 7.2 (High) reflects network-accessible attack requiring high privileges; EPSS data not provided, no public exploit identified at time of analysis, not listed in CISA KEV.
Remote code execution in DSGVO Google Web Fonts GDPR WordPress plugin (all versions ≤1.1) allows unauthenticated attackers to upload PHP webshells via arbitrary file upload. The DSGVOGWPdownloadGoogleFonts() function, exposed through wp_ajax_nopriv_ hooks, accepts user-supplied URLs without file type validation and writes content to publicly accessible directories. Exploitation requires the target site to use specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely). CVSS 9.8 Critical reflects network-accessible, unauthenticated attack vector with full system compromise potential. No public exploit identified at time of analysis, though the vulnerability class (CWE-434 unrestricted file upload) is well-understood and commonly weaponized.
Remote code execution in MATCHA INVOICE 2.6.6 and earlier allows authenticated administrators to upload arbitrary files with dangerous types, enabling arbitrary code execution on the affected server. The vulnerability affects ICZ Corporation's MATCHA INVOICE product across all versions up to and including 2.6.6. While CVSS 4.7 reflects the requirement for administrative authentication, the RCE impact and file upload mechanism present a significant post-authentication risk in environments where administrative accounts may be compromised or insider threats exist. No public exploit code or CISA KEV confirmation identified at time of analysis.
Unauthenticated arbitrary file upload in Ninja Forms - File Uploads plugin for WordPress (versions ≤3.3.26) enables remote code execution through missing file type validation in the upload handler. Attackers can upload malicious PHP files without authentication, achieving complete server compromise. CVSS 9.8 (Critical) with CVSS:3.1/AV:N/AC:L/PR:N/UI:N indicates network-based exploitation requiring no privileges or user interaction. Fully patched in version 3.3.27 following a partial fix in 3.3.25. No public exploit identified at time of analysis, though the vulnerability class (CWE-434: Unrestricted Upload of File with Dangerous Type) is well-understood and readily exploitable.
Remote code execution in Brave CMS versions prior to 2.0.6 allows authenticated users to upload and execute arbitrary PHP scripts through the CKEditor upload functionality. The vulnerability stems from unrestricted file upload in the ckupload method of CkEditorController.php, which fails to validate uploaded file types. No public exploit identified at time of analysis, though the attack requires only low-privilege authentication (PR:L) with low complexity (AC:L). CVSS 8.8 High severity reflects the complete system compromise possible post-authentication.
Unrestricted file upload in BraveCMS 2.0 (prior to 2.0.6) enables remote attackers to execute arbitrary code on the server without authentication. The CKEditor endpoint accepts malicious file uploads including executable scripts, leading to full remote code execution with CVSS 9.3 severity. EPSS data unavailable, no confirmed active exploitation (not in CISA KEV), but upstream fix is available via GitHub commit and version 2.0.6 release. Attack complexity is low with network-accessible vector requiring no privileges or user interaction, making this a critical exposure for internet-facing BraveCMS installations.
Unrestricted file upload in Cyber-III Student-Management-System allows authenticated remote attackers to upload arbitrary files via manipulation of the File parameter in /AssignmentSection/submission/upload.php, leading to potential remote code execution or data exfiltration. The vulnerability affects the move_uploaded_file function and has publicly available exploit code; the vendor has not responded to early disclosure notification. CVSS 5.3 reflects low confidentiality and integrity impact within an authenticated context, though real-world risk depends on file execution permissions and web server configuration.
Tar archive extraction allows hidden file injection by local authenticated users through crafted malicious archives, bypassing pre-extraction inspection mechanisms and enabling introduction of attacker-controlled files. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10, requires local access and user interaction (extraction action), and presents a moderate integrity risk (CVSS 5.0) with no confirmed active exploitation or public proof-of-concept at time of analysis.
Cross-site request forgery (CSRF) in ProjectSend r2002 allows unauthenticated remote attackers to perform unauthorized file upload operations via the upload.php endpoint with user interaction (UI:R). The vulnerability has been publicly disclosed with exploit code available, and ProjectSend has released patched version r2029 with commit 2c0d25824ab571b6c219ac1a188ad9350149661b to remediate the issue. While the CVSS score of 4.3 indicates low-to-moderate severity, the presence of public exploit code and lack of authentication requirements elevates the real-world risk for unpatched instances.
Cross-site scripting (XSS) in givanz Vvvebjs file upload endpoint allows unauthenticated remote attackers to inject malicious scripts via the uploadAllowExtensions parameter in upload.php. The vulnerability affects Vvvebjs versions up to 2.0.5 and requires user interaction (UI:R). A publicly available exploit exists and a patch (commit 8cac22cff99b8bc701c408aa8e887fa702755336) has been released by the vendor; EPSS exploitation likelihood is indicated as probable (E:P) with a CVSS score of 4.3.
Unrestricted file upload in SourceCodester/jkev Record Management System 1.0 allows authenticated remote attackers to upload arbitrary files via the save_emp.php Add Employee Page component, potentially enabling remote code execution. The vulnerability requires high-privilege authentication and has publicly available exploit code, though real-world risk remains limited by the authentication barrier and moderate CVSS score of 4.7.
Unrestricted file upload in Technostrobe HI-LED-WR120-G2 firmware version 5.5.0.1R6.03.30 allows remote unauthenticated attackers to upload arbitrary files by manipulating the cwd argument in the /fs endpoint. CVSS 6.9 reflects moderate confidentiality, integrity, and availability impact across local and remote boundaries. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts.
Unrestricted file upload in Campcodes Complete Online Learning Management System 1.0 allows authenticated remote attackers to upload arbitrary files via the add_lesson function in /application/models/Crud_model.php, enabling potential remote code execution or malware deployment. The vulnerability requires low-privilege authentication, carries a CVSS score of 6.3 (medium), and publicly available exploit code exists.
Unauthenticated arbitrary media upload in Listeo Core plugin for WordPress (versions up to 2.0.27) allows remote attackers to upload arbitrary files to the site's media library via the unprotected listeo_core_handle_dropped_media AJAX endpoint. The vulnerability stems from missing authorization checks and does not directly enable code execution, but significantly degrades site integrity by enabling malicious file storage and potential downstream attacks.
Arbitrary file overwrite in Directus TUS resumable upload endpoint allows authenticated users to replace any existing file by UUID, bypassing row-level access controls. The vulnerability affects the npm package directus, where the /files/tus controller validates only collection-level permissions but skips item-level authorization checks. Attackers with basic file upload permissions can permanently overwrite victim files with malicious content, potentially escalating privileges by replacing admin-owned assets. EPSS data not available, but the moderate complexity (CVSS AC:L, PR:L) and specific bypass mechanism suggest focused targeting risk. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Parse Server file upload handler fails to validate Content-Type headers against filename extensions, allowing attackers to upload files with benign extensions (e.g., .txt) but malicious MIME types (e.g., text/html) that are served with the user-supplied Content-Type by cloud storage adapters like S3 and GCS. This enables content-type confusion attacks such as reflected XSS when files are served through CDNs or web servers that trust the stored Content-Type header. The default GridFS adapter is unaffected due to its filename-based Content-Type derivation at serving time.
Unrestricted file upload in ProjectsAndPrograms School Management System up to commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59 allows authenticated users to upload arbitrary files via the Profile Picture Handler in /admin_panel/settings.php, enabling remote code execution. The vulnerability affects the File parameter with low attack complexity and has publicly available exploit code; while CVSS 5.3 reflects moderate integrity and confidentiality impact, the low authentication requirement and network accessibility make this a practical privilege escalation and code execution vector for authenticated attackers.
Path traversal in Budibase plugin upload endpoint allows Global Builders to delete arbitrary directories and write files to any accessible filesystem path. Affecting all versions prior to 3.33.4, attackers with high privileges (Global Builder role) can exploit unsanitized filename handling in POST /api/plugin/upload to execute directory traversal attacks remotely with low complexity. CVSS 8.7 (High) with scope change indicates potential container escape or cross-tenant impact. No public exploit identified at time of analysis, though the attack vector is straightforward given the documented path traversal mechanism.
Remote code execution in BizTalk360 before version 11.5 allows any authenticated user to upload a malicious DLL and trigger its execution on the server through an unprotected DLL-loading endpoint. The vulnerability stems from missing access controls on a method that loads and executes DLL files, enabling attackers with valid domain credentials to achieve arbitrary code execution without requiring elevated privileges.
Remote code execution in Hytale Modding Wiki version 1.2.0 and earlier allows authenticated users to upload malicious PHP files through a MIME type validation bypass. The quickUpload() endpoint performs independent validation of file content (via MIME type) and filename extension, enabling attackers to craft files with benign content signatures but executable .php extensions. Uploaded files are stored in a publicly accessible location, allowing direct URL access for server-side code execution. EPSS data unavailable; publicly available exploit code exists per SSVC assessment. No vendor-released patch identified at time of analysis.
Unbounded disk consumption in Rack's multipart parser allows remote denial of service when HTTP requests lack Content-Length headers. Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 fail to enforce size limits on multipart/form-data uploads sent via chunked transfer encoding, enabling unauthenticated attackers to exhaust disk space by streaming arbitrarily large file uploads. CVSS 7.5 (High) reflects the network-accessible, low-complexity attack requiring no privileges. No public exploit identified at time of analysis, though the attack technique is well-understood.
Remote code execution in Progress ShareFile Storage Zones Controller versions up to 5.12.3 allows high-privileged authenticated users to upload and execute malicious files on the server. The CVSS 9.1 score reflects scope change and total system compromise. Publicly available exploit code exists (confirmed by Italian CERT), though EPSS probability remains low at 0.19% and no active exploitation is confirmed by CISA KEV. Real-world risk depends heavily on authentication controls and privileged account management in ShareFile deployments.
Arbitrary file movement in MW WP Form plugin for WordPress (all versions ≤5.1.0) allows unauthenticated remote attackers to relocate server files and achieve remote code execution by moving critical files like wp-config.php. Exploitation requires a form with file upload capability and database inquiry storage enabled. CVSS 8.1 with network attack vector and high attack complexity. EPSS data not provided; no public exploit or CISA KEV status identified at time of analysis, though Wordfence threat intelligence has documented the vulnerability with source code references.
Unrestricted file upload in Harvard IQSS Dataverse versions up to 6.8 allows authenticated users to bypass theme customization controls via manipulation of the uploadLogo parameter in /ThemeAndWidgets.xhtml, enabling arbitrary file upload with low confidentiality, integrity, and availability impact. The vulnerability is publicly exploitable with proof-of-concept code available; CVSS 5.3 reflects the authenticated attack vector and limited scope, though the ease of exploitation (Attack Complexity Low, Exploitation proven) combined with public POC increases practical risk. Vendor released patched version 6.10 and responded swiftly to early disclosure.
Unrestricted file upload in Shandong Hoteam InforCenter PLM versions up to 8.3.8 allows remote unauthenticated attackers to upload arbitrary files via the uploadFileToIIS function in /Base/BaseHandler.ashx, with a CVSS score of 6.9 and publicly available exploit code. The vendor did not respond to early disclosure notification, leaving all affected versions unpatched and at active risk.
Unrestricted file upload in SourceCodester Simple Doctors Appointment System up to version 1.0 allows authenticated remote attackers to upload arbitrary files via the img parameter in /doctors_appointment/admin/ajax.php?action=save_category, potentially leading to remote code execution. The vulnerability has publicly available exploit code and carries a CVSS score of 5.3 with limited impact scope, though it requires valid login credentials to exploit.
Arbitrary code execution in baserCMS versions before 5.2.3 allows authenticated administrators to achieve remote code execution via malicious PHP files embedded in backup restore archives. The vulnerability exploits unsafe file inclusion during ZIP extraction in the restore function, where uploaded PHP files are executed via require_once without filename validation. No public exploit identified at time of analysis, though EPSS score of 0.00043 (0.043%) and CVSS 8.7 indicate moderate theoretical risk mitigated by high privilege requirements (PR:H).
Arbitrary file overwrite vulnerability in RAREPROB SOLUTIONS PRIVATE LIMITED Video player Play All Videos v1.0.135 enables remote attackers to overwrite critical internal files during the file import process, resulting in arbitrary code execution or information disclosure. No CVSS score, exploitation data, or vendor patch information is currently available; the vulnerability was disclosed via academic research channels rather than coordinated vendor notification.
Grav CMS versions 1.7.x and earlier allow XML External Entity (XXE) injection through SVG file uploads in the administrative panel and File Manager plugin, potentially enabling remote code execution or information disclosure to authenticated administrators. No CVSS score, CVSS vector, or CWE classification has been assigned; exploitation status and patch availability cannot be confirmed from available data.
Unrestricted file upload in PromtEngineer localGPT allows remote attackers to upload arbitrary files via the do_POST function in backend/server.py, enabling potential remote code execution or system compromise. The vulnerability affects all versions up to commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054, impacts unauthenticated remote users, and publicly available exploit code exists. The vendor has not responded to early disclosure attempts, leaving the product unpatched.
Remote code execution in Bludit CMS versions prior to 3.18.4 allows authenticated attackers holding valid API tokens to upload and execute arbitrary files through the API plugin's unrestricted file upload mechanism. The vulnerability has a CVSS 4.0 score of 8.7 with network attack vector and low complexity, requires authenticated access (PR:L), and was reported by CERT-PL. No public exploit identified at time of analysis, though the technical details are publicly disclosed.
Stored XSS in Uploady file uploader (farisc0de/Uploady versions prior to 3.1.2) allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by uploading files with malicious filenames that are rendered without proper escaping in file list and details pages. The vulnerability requires user interaction (viewing the affected page) and authenticated access, resulting in confidentiality and integrity impact with a CVSS score of 4.6. Vendor-released patch version 3.1.2 is available.
FileRise versions 2.3.7 through 3.10.0 suffer from improper access control in the file snippet endpoint, allowing authenticated users with read-only access to retrieve file content uploaded by other users in shared folders. An attacker with limited folder permissions can exploit this authorization bypass to view sensitive files beyond their intended access scope. The vulnerability affects FileRise running on PHP and is resolved in version 3.11.0.
Mattermost server versions 10.11.x through 11.4.x fail to validate decompressed archive entry sizes during ZIP file extraction, allowing authenticated users with file upload permissions to trigger denial of service by uploading crafted zip bombs that exhaust server memory. The vulnerability affects Mattermost 10.11.0-10.11.11, 11.2.0-11.2.3, 11.3.0-11.3.1, and 11.4.0, with CVSS 6.5 (medium) reflecting the requirement for prior authentication and limited scope (availability impact only). No public exploit identified at time of analysis, though the attack vector is network-accessible and requires low complexity once an attacker has valid upload credentials.
HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434) that enables authenticated remote attackers to upload and execute arbitrary scripts on the affected server, potentially achieving full system compromise. The attack requires user interaction and low-privilege authentication but carries high integrity impact. No public exploit code or active exploitation has been confirmed; however, the vulnerability's straightforward exploitation mechanics and authenticated attack vector make it a moderate-priority issue for organizations deploying this software.
Free Hotel Reservation System 1.0 permits unrestricted file uploads via the image parameter in the /admin/mod_amenities/index.php?view=add endpoint, allowing remote attackers with high privileges to upload arbitrary files. The vulnerability (CWE-434: Unrestricted Upload of File with Dangerous Type) affects the amenities management module and has publicly available exploit code. With a CVSS v4.0 score of 5.1 and network-accessible attack vector requiring high administrative privileges, this poses a moderate risk primarily to authenticated administrators or systems where authentication has been compromised.
Remote code execution in plank/laravel-mediable PHP package through version 6.4.0 allows unauthenticated attackers to upload executable PHP files disguised with benign MIME types, achieving arbitrary code execution when files land in web-accessible directories. EPSS score of 0.39% (60th percentile) indicates low observed exploitation probability, though SSVC analysis confirms the vulnerability is automatable with total technical impact. No vendor-released patch identified at time of analysis despite coordinated disclosure attempts.
An unrestricted file upload vulnerability exists in Kalcaddle Kodbox 1.64 within the Public Share Handler component's userShare.class.php file. This allows unauthenticated remote attackers to upload arbitrary files by manipulating the Add function, potentially leading to remote code execution and system compromise. A publicly available proof-of-concept exists, and the vendor has not responded to early disclosure attempts, increasing the likelihood of active exploitation.
The code16/sharp Laravel admin panel package contains a critical file upload vulnerability that allows authenticated users to bypass all file type restrictions by manipulating client-controlled validation rules. Affected versions prior to 9.20.0 accept a user-supplied validation_rule parameter that is passed directly to Laravel's validator, enabling attackers to upload arbitrary files including PHP webshells. With a CVSS score of 8.8, this vulnerability can lead to Remote Code Execution when the storage disk is publicly accessible, though default configurations provide some protection against direct execution.
Memory exhaustion in TIFF image processing allows unauthenticated remote attackers to trigger allocation of up to 4GiB of memory by submitting malicious image files, resulting in denial of service through resource depletion or application crashes. Affected systems lack available patches, leaving deployed instances vulnerable to this attack vector requiring only network access and no user interaction.
Kiteworks Secure Data Forms contains an unrestricted file upload vulnerability (CWE-434) that allows form managers to upload files with dangerous types due to missing input validation. An authenticated attacker with manager privileges can exploit this to upload malicious files, potentially leading to code execution or system compromise. The vulnerability affects all versions prior to 9.2.1, and a patch is available; no public exploit code has been confirmed, but the moderate CVSS score of 5.5 reflects the high integrity impact combined with the requirement for elevated privileges.
The halfdata Green Downloads plugin for WordPress contains an unrestricted file upload vulnerability (CWE-434) that permits attackers to upload malicious files to affected systems. This vulnerability affects Green Downloads versions up to and including 2.08, as confirmed by Patchstack and ENISA. An unauthenticated or low-privileged attacker can exploit this to upload dangerous file types, potentially leading to remote code execution, website defacement, or malware distribution.
An unrestricted file upload vulnerability (CWE-434) exists in Jordy Meow's Photo Engine WordPress plugin versions up to and including 6.4.9, allowing attackers to upload malicious web shells to compromised servers. The vulnerability affects the wplr-sync component and permits arbitrary file uploads with dangerous types, potentially leading to remote code execution. No CVSS score, EPSS probability, or KEV status information is currently available, but the ability to upload executable web shells represents a critical exploitation path.
WPJAM Basic, a WordPress plugin, contains an unrestricted file upload vulnerability (CWE-434) that allows attackers to upload malicious files without proper validation. All versions through 6.9.2 are affected, potentially enabling remote code execution or other attacks depending on server configuration. While CVSS and EPSS scores are unavailable, the nature of arbitrary file upload vulnerabilities in WordPress plugins typically carries high real-world risk due to ease of exploitation and severe impact.
An unrestricted file upload vulnerability exists in the deothemes Ona WordPress theme that allows attackers to upload web shells to affected servers. All versions of Ona prior to 1.24 are vulnerable, enabling remote code execution through malicious file uploads. This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and represents a critical risk for any WordPress installation using the affected theme versions.
WPBookit Pro through version 1.6.18 contains an unrestricted file upload vulnerability (CWE-434) that allows attackers to upload malicious files to affected WordPress installations. This arbitrary file upload flaw enables remote code execution and complete site compromise without requiring authentication or special privileges. The vulnerability affects all versions of the iqonicdesign WPBookit Pro plugin up to and including 1.6.18, making it a critical risk for WordPress administrators using this booking plugin.
A remote code execution vulnerability in add-ons (CVSS 6.8). Remediation should follow standard vulnerability management procedures.
Local buffer overflow in River Past Cam Do 3.7.6's activation code field enables arbitrary code execution with SYSTEM privileges through specially crafted 608-byte input followed by shellcode and SEH chain overwrite. While exploitation requires local access and a publicly available exploit exists (Exploit-DB 46670), EPSS score of 0.01% indicates minimal real-world exploitation activity. The vulnerability affects a legacy multimedia application with no confirmed vendor patch, making it primarily relevant for environments still running this discontinued software.
The Jupiter X Core plugin for WordPress contains an unrestricted file upload vulnerability allowing authenticated users with Subscriber-level privileges or higher to upload dangerous file types including .phar, .svg, .dfxp, and .xhtml files. This stems from missing authorization checks in the import_popup_templates() function and insufficient file type validation in the upload_files() function. Successful exploitation leads to Remote Code Execution on Apache servers with mod_php configured to execute .phar files, or Stored Cross-Site Scripting attacks via malicious SVG and other file types on any server configuration.
Census CSWeb 8.0.1 contains an arbitrary file upload vulnerability allowing authenticated remote attackers to upload malicious files and achieve remote code execution. A public proof-of-concept exploit is available on GitHub (hx381/cspro-exploits), significantly increasing the risk of exploitation. The vulnerability affects the Census CSWeb data dissemination platform used for hosting census and survey data online.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the file field component of the Form Plugin within Connect-CMS. The vulnerability affects Connect-CMS versions 1.41.0 and earlier in the 1.x series, and versions 2.41.0 and earlier in the 2.x series. If exploited, an attacker can inject malicious scripts that execute in an administrator's browser, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. The vulnerability has been patched and a fix is available from the vendor.
WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability (CWE-434) that allows authenticated attackers to upload and execute arbitrary PHP code on the server. The vulnerability exists in the downloadVideoFromDownloadURL() function which saves remote content with its original filename and extension to a web-accessible directory; by providing an invalid resolution parameter, attackers can bypass cleanup mechanisms, leaving executable PHP files persistent under the web root. With a CVSS score of 8.8, this represents a high-severity remote code execution risk for authenticated users.
WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability in the ImageGallery::saveFile() method that allows authenticated attackers to upload polyglot files (JPEG with embedded PHP code) and achieve Remote Code Execution. The vulnerability exploits a mismatch between MIME type validation (which checks file content) and filename extension handling (which trusts user input), allowing attackers to bypass security controls and execute arbitrary code on the server. A patch is available in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae, and the issue has been publicly disclosed via GitHub Security Advisory GHSA-wxjw-phj6-g75w.
An unrestricted file upload vulnerability exists in CodePhiliaX Chat2DB versions up to 0.3.7 in the JDBC Driver Upload functionality, allowing authenticated attackers to upload arbitrary files to the server. The vulnerability affects the JdbcDriverController.java component and has a CVSS score of 6.3 (medium severity) with a public proof-of-concept exploit available, though the vendor has not responded to disclosure attempts.
The trx_addons WordPress plugin before version 2.38.5 contains an arbitrary file upload vulnerability in an AJAX action that fails to properly validate file types, allowing unauthenticated attackers to upload malicious files. This vulnerability represents an incomplete remediation of the previously disclosed CVE-2024-13448, meaning the original patch was insufficient. A public proof-of-concept exploit is available, and the vulnerability can lead to remote code execution or information disclosure depending on server configuration and file placement.
An unrestricted file upload vulnerability exists in Acrel Environmental Monitoring Cloud Platform version 1.1.0, allowing unauthenticated remote attackers to upload arbitrary files to the system. The vendor was notified but did not respond, and a public proof-of-concept exploit is available on GitHub. With a CVSS score of 7.3 and public exploit code, this presents an elevated risk for organizations using the affected platform.
PbootCMS versions up to 3.2.12 contain an incomplete blacklist bypass vulnerability in the file upload functionality (core/function/file.php) that allows authenticated attackers to upload dangerous files by manipulating the blacklist parameter. An attacker with login credentials can bypass file type restrictions to upload arbitrary files, potentially achieving remote code execution or other malicious outcomes. A public proof-of-concept exploit is available on GitHub, increasing the practical risk of exploitation.
An unrestricted file upload vulnerability exists in eosphoros-ai DB-GPT versions up to 0.7.5 within the module_plugin.refresh_plugins function of the FastAPI endpoint located at packages/dbgpt-serve/src/dbgpt_serve/agent/hub/controller.py. An authenticated attacker can remotely upload arbitrary files to the system, potentially achieving remote code execution or system compromise. A public proof-of-concept exploit is available on GitHub, and the vendor has not responded to early disclosure attempts, indicating patches may not be forthcoming.
FileRise, a self-hosted web file manager and WebDAV server, contains a critical hardcoded encryption key vulnerability in versions prior to 3.9.0. The default key 'default_please_change_this_key' is used for all cryptographic operations including HMAC token generation, AES configuration encryption, and session tokens, allowing unauthenticated attackers to forge upload tokens for arbitrary file upload and decrypt sensitive admin configuration data such as OIDC client secrets and SMTP passwords. No evidence of active exploitation (not in CISA KEV) is currently available, though the vulnerability is straightforward to exploit given the hardcoded nature of the default key.
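The token-forgery path in the FileRise hardcoded-key entry above, as an added illustration. This is constructed code, not FileRise's: the token layout (URL-safe base64 JSON claims plus an HMAC-SHA256 tag), the claim names and the minimum key length are assumptions, and only the default key string comes from the summary. It shows why a key that ships in source is no key at all, and the startup guard that refuses to run with it.

```python
"""Added example: why a known default HMAC key lets anyone mint upload tokens,
and the startup guard that prevents shipping with one.

Constructed code, not FileRise's. The token layout (base64 JSON claims plus an
HMAC-SHA256 tag) and the claim names are assumptions; only the default key
string comes from the advisory summary above.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

KNOWN_DEFAULT_KEY = "default_please_change_this_key"
MIN_KEY_LENGTH = 32   # assumed policy: at least 256 bits of hex


def issue_upload_token(key: str, folder: str, ttl: int = 600, now: Optional[int] = None) -> str:
    """Server side: the claims are authenticated by HMAC-SHA256(key, claims)."""
    now = int(time.time()) if now is None else now
    claims = json.dumps({"folder": folder, "exp": now + ttl},
                        sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key.encode(), claims, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(claims).decode()}.{base64.urlsafe_b64encode(tag).decode()}"


def verify_upload_token(key: str, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the tag is valid and unexpired, otherwise None."""
    try:
        claims_b64, tag_b64 = token.split(".", 1)
        claims = base64.urlsafe_b64decode(claims_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:   # bad split or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key.encode(), claims, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    parsed = json.loads(claims)
    now = int(time.time()) if now is None else now
    if parsed.get("exp", 0) < now:
        return None
    return parsed


def forge_token_with_default_key(folder: str) -> str:
    """Attacker side: the 'secret' is public, so issuance is available to everyone.
    The attacker needs no account, only the same code path as the server."""
    return issue_upload_token(KNOWN_DEFAULT_KEY, folder)


def key_is_acceptable(configured: Optional[str]) -> bool:
    """Startup guard: a missing, short or default key must stop the service
    instead of silently degrading every token and encrypted config value."""
    return bool(configured) and configured != KNOWN_DEFAULT_KEY and len(configured) >= MIN_KEY_LENGTH


def generate_server_key() -> str:
    """256-bit random key, to be stored in environment or config, never in source."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    forged = forge_token_with_default_key("/admin/config")
    print("server on default key accepts forged token:", verify_upload_token(KNOWN_DEFAULT_KEY, forged))
    real_key = generate_server_key()
    print("server on random key accepts forged token:", verify_upload_token(real_key, forged))
    print("default key passes startup guard:", key_is_acceptable(KNOWN_DEFAULT_KEY))
```

Rotating the key invalidates every outstanding token and re-encrypts nothing by itself; the config values encrypted under the default key (OIDC client secrets, SMTP passwords in the FileRise case) have to be treated as exposed and rotated too.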
FileRise, a self-hosted web file manager and WebDAV server, contains an unrestricted file upload vulnerability in its WebDAV endpoint that bypasses filename validation controls present in the regular upload path, allowing authenticated attackers to upload executable file types such as .phtml, .php5, and .htaccess. In non-default Apache configurations lacking LocationMatch protection, this enables remote code execution on the underlying web server. The vulnerability affects FileRise versions prior to 3.8.0 and has been patched; no public exploit code or active KEV listing is currently confirmed, but the presence of a GitHub security advisory indicates vendor acknowledgment of the threat.
Xerte Online Toolkits 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability allowing remote code execution with a CVSS score of 9.8. The template import functionality at /website_code/php/import/import.php lacks authentication checks, enabling attackers to upload ZIP archives containing malicious PHP files that are extracted to web-accessible directories. This is a critical severity issue with network-based attack vector requiring no privileges or user interaction, and a proof-of-concept has been published by VulnCheck.
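Two of the entries above fail on the same step, unpacking an attacker-supplied ZIP: Mattermost by trusting header sizes (a zip bomb exhausts memory) and Xerte by extracting entries with executable extensions under the web root. The following added example, constructed here and not taken from either project, covers both: it streams every entry through the decompressor and counts the bytes that actually come out, rejects entries whose names would escape the extraction directory or become executable, and aborts early on an implausible compression ratio. The limits, the extension lists and the in-memory sample archives are assumptions.

```python
"""Added example: inspect an uploaded ZIP within a decompressed-size budget and
only for entry names that are safe to place under a web root.

Constructed code, not taken from Mattermost, Xerte or any project on this page.
Limits, extension lists and sample archives are assumptions.
"""
import io
import os
import posixpath
import re
import zipfile
from typing import List, Tuple

MAX_TOTAL_BYTES = 50 * 1024 * 1024   # assumed budget across all entries
MAX_RATIO = 100                      # decompressed/compressed ratio that ends inspection early
FORBIDDEN_EXT = {"php", "phtml", "phar", "php3", "php5", "php7", "jsp", "jspx", "asp", "aspx", "cgi"}
FORBIDDEN_NAMES = {".htaccess", "web.config"}   # files that reconfigure the web server


class UnsafeArchive(ValueError):
    """Raised with a short reason code; inspect_archive() turns it into a return value."""


def check_entry_name(name: str) -> None:
    """Reject names that would escape the extraction directory or become executable."""
    if "\\" in name or name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        raise UnsafeArchive("absolute path")
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        raise UnsafeArchive("path traversal")
    base = posixpath.basename(norm).lower()
    # Every component after the first counts, so shell.php.jpg is caught too.
    if base in FORBIDDEN_NAMES or any(p in FORBIDDEN_EXT for p in base.split(".")[1:]):
        raise UnsafeArchive("forbidden file type")


def safe_entry_names(archive: bytes, max_total: int = MAX_TOTAL_BYTES) -> List[str]:
    """Stream each entry and count real decompressed output. Header sizes are
    attacker-controlled metadata, so they only feed the early ratio check; the
    budget is enforced on the bytes the decompressor actually produces."""
    total = 0
    names: List[str] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            check_entry_name(info.filename)
            if info.is_dir():
                continue
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                raise UnsafeArchive("compression ratio")
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(64 * 1024)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > max_total:
                        raise UnsafeArchive("size budget")
            names.append(info.filename)
    return names


def inspect_archive(archive: bytes, max_total: int = MAX_TOTAL_BYTES) -> Tuple[str, List[str]]:
    """('ok', names) when the archive passes; ('rejected: <reason>', []) otherwise."""
    try:
        return "ok", safe_entry_names(archive, max_total)
    except UnsafeArchive as exc:
        return f"rejected: {exc}", []
    except zipfile.BadZipFile:
        return "rejected: not a zip file", []


def build_zip(entries: List[Tuple[str, bytes]]) -> bytes:
    """Build a constructed test archive in memory. writestr() keeps names verbatim,
    so traversal and absolute names survive into the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def incompressible(n: int) -> bytes:
    """Random bytes: ratio ~1, so only the byte budget can stop them."""
    return os.urandom(n)


if __name__ == "__main__":
    print(inspect_archive(build_zip([("site/index.html", b"<h1>hi</h1>"), ("site/logo.png", b"\x89PNG\r\n\x1a\n")])))
    print(inspect_archive(build_zip([("zeros.bin", b"\0" * 5_000_000)])))                      # ratio
    print(inspect_archive(build_zip([("blob.bin", incompressible(1_500_000))]), 1_000_000))   # budget
    print(inspect_archive(build_zip([("../notes.txt", b"x")])))
    print(inspect_archive(build_zip([("uploads/shell.php.jpg", b"x")])))
```

Nested archives are not descended into here; a real importer that unpacks inner ZIPs must carry the same running byte total across levels, otherwise each level restarts the budget and the classic layered bomb gets through.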
A file upload vulnerability exists in multiple Terrapack software components from ASTER TEC / ASTER S.p.A. that permits remote code execution when attackers upload malicious files. The affected products include Terrapack TkWebCoreNG version 1.0.20200914, Terrapack TKServerCGI version 2.5.4.150, and Terrapack TpkWebGIS Client version 1.0.0. Proof-of-concept code is available in public repositories, and the vulnerability enables arbitrary code execution on affected systems.
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application.
The ThemeGoods Photography WordPress theme through version 7.7.5 permits authenticated administrators to upload arbitrary files with path traversal capabilities, enabling remote code execution and complete site compromise. While the CVSS score of 7.2 indicates high severity, the requirement for high-privileged admin credentials (PR:H) significantly constrains real-world exploitability. The EPSS score of 0.04% (12th percentile) suggests minimal likelihood of active exploitation, with no public exploit code identified at time of analysis.
Salvo web framework's form data parsing functions fail to enforce payload size limits before loading request bodies into memory, allowing attackers to trigger out-of-memory crashes by sending extremely large form payloads. This affects the Rust package salvo (pkg:rust/salvo) through multiple attack vectors, including URL-encoded and multipart form data handling. A proof-of-concept demonstrates a successful denial of service against containerized deployments with limited memory, and the vulnerability is publicly documented in GitHub security advisory GHSA-pp9r-xg4c-8j4x.
The Mobile App Editor WordPress plugin contains an unrestricted file upload vulnerability that allows authenticated administrators to upload malicious web shells to the web server. This affects all versions through 1.3.1 and carries a critical CVSS score of 9.1 due to the potential for complete system compromise with changed scope. While requiring high privileges (administrator access), successful exploitation enables full server control including data theft, integrity compromise, and service disruption.
An unrestricted file upload vulnerability exists in the Woocommerce Wholesale Lead Capture plugin for WordPress, allowing remote attackers to upload and execute malicious files without authentication. The vulnerability affects all versions through 2.0.3.1 of the plugin developed by Rymera Web Co Pty Ltd. With a CVSS score of 9.0 (Critical), this vulnerability enables attackers to achieve complete system compromise through arbitrary file upload, though the attack complexity is rated as high.
The Nhost storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection, allowing attackers to upload files with spoofed MIME types that bypass bucket-level MIME restrictions. This affects the Go module github.com/nhost/nhost and could cause downstream systems (browsers, CDNs, applications) to mishandle files based on false type metadata. While the CVSS vector indicates low immediate severity due to requiring user interaction and lacking direct confidentiality or availability impact, the metadata corruption poses integrity risks for systems relying on accurate file type information.
xiaoheiFS, a self-hosted financial and operational system for cloud service businesses, contains a critical authenticated remote code execution vulnerability in versions up to 0.3.15. An attacker who knows the hardcoded password 'qweasd123456' can upload arbitrary executable files through the AdminPaymentPluginUpload endpoint, which are then automatically executed by a background watcher service every 5 seconds. While EPSS data is not provided, the combination of a hardcoded password and automatic execution of uploaded files (the issue is classified as CWE-434 and tagged Authentication Bypass) significantly elevates real-world risk, even though the CVSS vector rates the required privileges as high (PR:H).
aaPanel v7.57.0 contains an arbitrary file upload vulnerability that allows unauthenticated or low-privileged attackers to upload malicious files and achieve remote code execution on affected systems. The vulnerability exists in the file upload functionality of the web-based server management panel, enabling attackers to bypass file type validation and execute arbitrary code with the privileges of the aaPanel process. While no CVSS score or EPSS probability is available in current sources, the Remote Code Execution impact combined with file upload attack vectors suggests critical severity; exploitation feasibility is indicated by the existence of public vulnerability research repositories.
MuraCMS versions through 10.1.10 contain a Cross-Site Request Forgery (CSRF) vulnerability in the cForm.importform function that lacks proper token validation, allowing attackers to deceive authenticated administrators into uploading and installing malicious form definitions. An attacker can craft a malicious webpage that, when visited by an authenticated MuraCMS administrator, automatically generates and submits a forged file upload request containing a ZIP archive with attacker-controlled form definitions. Successful exploitation results in the installation of data-harvesting forms on the target website that can steal sensitive user information collected through legitimate-appearing web forms. No active exploitation in the wild has been documented (KEV status unknown), and no formal CVSS score has been assigned, though the vulnerability requires user interaction (administrator must visit the malicious page) which moderates the overall risk profile.
A critical unrestricted file upload vulnerability in Admidio's Documents & Files module allows authenticated users with upload permissions to bypass file extension restrictions by submitting an invalid CSRF token, enabling upload of PHP scripts that lead to Remote Code Execution. The vulnerability affects Admidio versions prior to the patch and has a published proof-of-concept demonstrating webshell upload and command execution. With a CVSS score of 8.8 and detailed exploitation steps available, this represents a high-priority risk for organizations using Admidio for document management.
Quick Facts
- Typical Severity: HIGH
- Category: web
- Total CVEs: 1155