| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Census CSWeb 8.0.1 allows arbitrary file upload. A remote, authenticated attacker could upload a malicious file, possibly leading to remote code execution. Fixed in 8.1.0 alpha. |
| PhreeBooks ERP 5.2.3 contains a remote code execution vulnerability in the image manager that allows authenticated attackers to upload and execute arbitrary PHP files by bypassing file extension controls. Attackers can upload malicious PHP files through the image manager endpoint and execute them to establish reverse shell connections and execute system commands. |
| WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `ImageGallery::saveFile()` method validates uploaded file content using `finfo` MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file (valid JPEG magic bytes followed by PHP code) with a `.php` extension. The MIME check passes, but the file is saved as an executable `.php` file in a web-accessible directory, achieving Remote Code Execution. Commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae contains a patch. |
| WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `downloadVideoFromDownloadURL()` function in `objects/aVideoEncoder.json.php` saves remote content to a web-accessible temporary directory using the original URL's filename and extension (including `.php`). By providing an invalid `resolution` parameter, an attacker triggers an early `die()` via `forbiddenPage()` before the temp file can be moved or cleaned up, leaving an executable PHP file persistently accessible under the web root at `videos/cache/tmpFile/`. Commit 6da79b43484099a0b660d1544a63c07b633ed3a2 contains a patch. |
| Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin. Versions 1.41.1 and 2.41.1 contain a patch. |
| i-doit CMDB 1.12 contains an arbitrary file download vulnerability that allows authenticated attackers to download sensitive files by manipulating the file parameter in index.php. Attackers can send GET requests to index.php with file_manager=image and supply arbitrary file paths like src/config.inc.php to retrieve configuration files and sensitive system data. |
| FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV upload endpoint accepts any file extension including .phtml, .php5, .htaccess, and other server-side executable types, bypassing the filename validation enforced by the regular upload path. In non-default deployments lacking Apache's LocationMatch protection, this leads to remote code execution. When files are uploaded via WebDAV, the createFile() method in FileRiseDirectory.php and the put() method in FileRiseFile.php accept the filename directly from the WebDAV client without any validation. In contrast, the regular upload endpoint in UploadModel::upload() validates filenames against REGEX_FILE_NAME. This issue is fixed in version 3.8.0. |
| SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an authenticated arbitrary file upload vulnerability in the Configurator module. An authenticated administrator can bypass intended file type restrictions when uploading PDF font files, allowing arbitrary files with attacker‑controlled filenames to be written to the server. Although the upload directory is not directly web‑accessible by default, this behavior breaks security boundaries and may enable further attacks when combined with other vulnerabilities or in certain deployment configurations. Versions 7.15.1 and 8.9.3 patch the issue. |
| Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7. |
| An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file. |
| xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a `manifest.json`. The server trusts the `binaries` field in the manifest and executes the specified file without any validation of its contents or behavior, leading to Remote Code Execution (RCE). Version 0.4.0 fixes the issue. |
| xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content. A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue. |
| ClipBucket version 2.6 and earlier contains a critical vulnerability in the ofc_upload_image.php script located at /admin_area/charts/ofc-library/. This endpoint allows unauthenticated users to upload arbitrary files, including executable PHP scripts. Once uploaded, the attacker can access the file via a predictable path and trigger remote code execution. |
| Cross-Site Scripting (XSS) vulnerability in the subtitle loading function of the asbplayer Chrome Extension version 1.14.0 allows attackers to execute arbitrary JavaScript in the context of the active streaming platform via a crafted .srt subtitle file. Because the script executes within the same-site context, it can bypass cross-origin restrictions, leading to unauthorized same-site API requests and session data exfiltration. |
| PipesHub is a fully extensible workplace AI platform for enterprise search and workflow automation. Versions prior to 0.1.0-beta expose POST /api/v1/record/buffer/convert through missing authentication. The endpoint accepts a file upload and converts it to PDF via LibreOffice by uploading payload to os.path.join(tmpdir, file.filename) without normalizing the filename. An attacker can submit a crafted filename containing ../ sequences to write arbitrary files anywhere the service account has permission, enabling remote file overwrite or planting malicious code. This issue is fixed in version 0.1.0-beta. |
| The E-POINT CMS eagle.gsam-1169.1 file upload feature improperly handles nested archive files. An attacker can upload a nested ZIP (a ZIP containing another ZIP) where the inner archive contains an executable file (e.g. webshell.php). When the application extracts the uploaded archives, the executable may be extracted into a web-accessible directory. This can lead to remote code execution (RCE), data disclosure, account compromise, or further system compromise depending on the web server/process privileges. The issue arises from insufficient validation of archive contents and inadequate restrictions on extraction targets. |
| A vulnerability was found in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. This impacts the function Upload of the file src/main/java/com/macro/mall/controller/MinioController.java. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. |
| A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution.
By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload. |
| The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload server-side executable files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an existing one. |
| DobryCMS's upload file functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can result in Remote Code Execution.
This issue was fixed in versions above 5.0. |
