Search Results (4332 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-48945 1 Getk2 1 K2 Extension For Joomla 2026-06-28 5.3 Medium
The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.
CVE-2026-48946 1 Getk2 1 K2 Extension For Joomla 2026-06-28 6.3 Medium
The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.
CVE-2026-57658 2 Templatespare, Wordpress 2 Templatespare, Wordpress 2026-06-26 9.1 Critical
Administrator Arbitrary File Upload in TemplateSpare <= 4.2.0 versions.
CVE-2026-56058 2 Themecatcher, Wordpress 2 Quform, Wordpress 2026-06-26 9.9 Critical
Subscriber Arbitrary File Upload in Quform <= 2.23.0 versions.
CVE-2026-56027 2 Pluggabl, Wordpress 2 Booster For Woocommerce, Wordpress 2026-06-26 9.9 Critical
Customer Arbitrary File Upload in Booster for WooCommerce <= 8.0.1 versions.
CVE-2026-50873 1 Flatnotes 1 Flatnotes 2026-06-26 9.8 Critical
An arbitrary file upload vulnerability in the attachment handling component of flatnotes v5.5.4 allows attackers to execute arbitrary code via uploading a crafted HTML or SVG file.
CVE-2026-25446 2 Wishlist Products, Wordpress 2 Wishlist Member X, Wordpress 2026-06-26 9.9 Critical
Subscriber Arbitrary File Upload in WishList Member X <= 3.29.0 versions.
CVE-2026-39598 2 Kodezen, Wordpress 2 Academy Lms, Wordpress 2026-06-26 8 High
Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server. This issue affects Academy LMS Pro: from n/a before 3.5.2.
CVE-2026-53948 1 Ghost 1 Ghost 2026-06-25 5.4 Medium
Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served from the site with an attacker-chosen content type on S3/GCS storage backends. On installations that serve uploaded files from the same origin as the site, this could have been used to facilitate stored cross-site scripting against site visitors or staff. This vulnerability is fixed in 6.21.1.
CVE-2026-9815 2 Magicform, Wordpress 2 Magicform, Wordpress 2026-06-24 6.5 Medium
The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.
CVE-2026-53655 1 Isaacs 1 Tar 2026-06-24 6.1 Medium
node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (node-tar) applies a PAX extended header's size= record (and other PAX overrides) to the next header entry of any type, including intermediary metadata headers such as a GNU long-name (L) or long-link (K) entry. Per POSIX pax, a PAX extended header (x) describes the next file entry, not the intermediary extension headers that may sit between the x header and the file it annotates. Because node-tar lets the PAX size override the byte length of an intervening L/K/x header, an attacker can desynchronize node-tar's stream cursor relative to every other mainstream tar implementation (GNU tar, libarchive/bsdtar, Python tarfile, and the now-fixed tar-rs / astral-tokio-tar). The result is a tar parser interpretation differential (CWE-436): a single crafted archive yields a different set of members under node-tar than under the reference tar tools. An attacker can use this to hide a member from one parser while it is visible to another, which defeats security tooling whose scanner and extractor disagree on archive contents (e.g. a malware/secret scanner that lists entries with one library while a downstream step extracts with another) This vulnerability is fixed in 7.5.16.
CVE-2026-34027 1 Wertheim 1 Safecontroller Software For Vault Rooms (safe Deposit Locker System) 2026-06-23 N/A
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains insufficient server-side file type validation in the /safe/contract/uploadcustomdocuments endpoint. The application validates uploaded files based on the user-controlled HTTP Content-Type value and accepts the upload if this value contains an allowed string such as pdf, jpeg, tiff, or png. An authenticated attacker with any role or permission level can spoof the Content-Type value and upload arbitrary file content.
CVE-2018-25436 2 Shipster, Wordpress 2 Baggage Freight Shipping Australia, Wordpress 2026-06-23 9.8 Critical
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.
CVE-2026-39527 2 Sc Internet Vivoo, Wordpress 2 Wpstream, Wordpress 2026-06-23 5.4 Medium
Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions.
CVE-2026-39591 2 Cmsjunkie – Wordpress Business Directory Plugins, Wordpress 2 Wp-businessdirectory, Wordpress 2026-06-23 9.9 Critical
Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions.
CVE-2026-40772 2 Ahmad, Wordpress 2 Geekybot, Wordpress 2026-06-23 10 Critical
Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.
CVE-2026-6933 2 Premmerce, Wordpress 2 Premmerce Dev Tools, Wordpress 2026-06-23 8.8 High
The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the 'createFromStub' function performing unsanitized string substitution of the 'premmerce_plugin_namespace' parameter directly into PHP stub files written to the wp-content/plugins/ directory. An attacker can inject a semicolon followed by arbitrary PHP code into the namespace parameter, causing the generated plugin file to contain and execute that code when accessed via HTTP. This makes it possible for authenticated attackers with Subscriber-level access and above to create arbitrary PHP files on the server and achieve remote code execution.
CVE-2026-40750 2 Themagnifico52, Wordpress 2 Kids Online Store, Wordpress 2026-06-23 9.9 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server. This issue affects Kids Online Store: from n/a through 0.8.9.
CVE-2026-53538 1 Kludex 1 Python-multipart 2026-06-23 3.7 Low
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse (since the CVE-2021-23336 fix) treat only & as a separator. This creates a parser differential: the same bytes are tokenized into different fields than a WHATWG compliant intermediary would produce, allowing an attacker to smuggle extra form fields past an upstream body inspecting component. This vulnerability is fixed in 0.0.30.
CVE-2026-53537 1 Kludex 1 Python-multipart 2026-06-23 3.7 Low
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset'lang'value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 §4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.