| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with sufficient privileges can exploit a path traversal vulnerability to upload a malicious file to an arbitrary location on the server. Once uploaded, the file can be used to achieve remote code execution (RCE). An attacker must be authenticated and have the appropriate permissions to exploit this issue. If the server is configured as read-only, remote code execution (RCE) is not possible; however, the malicious file upload may still be achievable. This problem is fixed in LORIS v26.0.5 and above, v27.0.2 and above, and v28.0.0 and above. As a workaround, LORIS administrators can disable the media module if it is not being used. |
| GetSimple CMS is a content management system. All versions of GetSimple CMS do not implement CSRF protection on the administrative file upload endpoint. As a result, an attacker can craft a malicious web page that silently triggers a file upload request from an authenticated victim’s browser. The request is accepted without requiring a CSRF token or origin validation. This allows an attacker to upload arbitrary files to the application without the victim’s knowledge or consent. In order to exploit this vulnerability, the victim must be authenticated to GetSimple CMS (e.g., admin user), and visit an attacker-controlled webpage. This issue does not have a fix at the time of publication. |
| A vulnerability was identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this issue is some unknown functionality of the file /api/admin/sys-file/upload of the component API Endpoint. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 1.3.3-beta can resolve this issue. The name of the patch is aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is recommended. The project was informed beforehand and acted very professional: "We have introduced a whitelist restriction on the /api/admin/sys-file/upload endpoint via the oss.allowedExts and oss.allowedMimeTypes configuration options, allowing the specification of permitted file extensions and MIME types for uploads." |
| Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Wiguard wiguard allows Upload a Web Shell to a Web Server.This issue affects Wiguard: from n/a through < 2.0.1. |
|
The ACEManager
component of ALEOS 4.16 and earlier does not
validate uploaded
file names and types, which could potentially allow
an authenticated
user to perform client-side script execution within
ACEManager, altering
the device functionality until the device is
restarted.
|
|
AMI AptioV contains a vulnerability in BIOS where a User may cause an unrestricted upload of a BMP Logo file with dangerous type by Local access. A successful exploit of this vulnerability may lead to a loss of Confidentiality, Integrity, and/or Availability.
|
| FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htaccess` or `.user.ini` files. On Apache servers with `AllowOverride All` (a common configuration), an authenticated user can upload a `.htaccess` file to redefine how files are processed, enabling Remote Code Execution. This vulnerability can be exploited on its own or in combination with CVE-2026-27637. Version 1.8.206 fixes both vulnerabilities. |
| Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files.This issue affects Bravis Addons: from n/a through <= 1.1.9. |
| A vulnerability was detected in FastApiAdmin up to 2.2.0. This vulnerability affects the function upload_file_controller of the file /backend/app/api/v1/module_system/params/controller.py of the component Scheduled Task API. Performing a manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used. |
| Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the `image/svg+xml` Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available. |
| A security vulnerability has been detected in FastApiAdmin up to 2.2.0. This affects the function upload_controller of the file /backend/app/api/v1/module_common/file/controller.py of the component Scheduled Task API. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. |
| A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function user_avatar_upload_controller of the file /backend/app/api/v1/module_system/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. |
| A flaw has been found in ShuoRen Smart Heating Integrated Management Platform 1.0.0. Affected by this vulnerability is an unknown functionality of the file /MP/Service/Webservice/ExampleNodeService.asmx. Executing a manipulation of the argument File can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| Dell Wyse Management Suite, versions prior to WMS 5.5, contain an Unrestricted Upload of File with Dangerous Type vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Remote execution. |
| jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepath and download_url parameters to trigger unauthorized file downloads. |
| OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE). |
| A vulnerability, which was classified as critical, has been found in SourceCodester Petshop Management System 1.0. This issue affects some unknown processing of the file /controllers/add_client.php. The manipulation of the argument image_profile leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |
| RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files. When these files are accessed the browser executes embedded JavaScript, leading to stored Cross-Site Scripting (XSS) which when combined with a CSRF misconfiguration they lead to achieve full administrative account takeover, creating a rogue admin account, escalating the attacker account role to admin, and much more. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. |
| A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function download_controller of the file /backend/app/api/v1/module_common/file/controller.py of the component Download Endpoint. This manipulation of the argument file_path causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. |
| Chamilo LMS 1.11.8 contains an arbitrary file upload vulnerability that allows authenticated users to upload and execute PHP files through the elfinder filemanager module. Attackers can upload files with image headers in the social myfiles section, rename them to PHP extensions, and execute arbitrary code by accessing the uploaded files. |
