Total
4073 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-27891 | 2026-06-17 | N/A | 7.2 HIGH | ||
| FacturaScripts is an open source accounting and invoicing software. Versions 2026 and below contain a critical vulnerability in the Plugins::add() function. The system fails to properly validate the file paths within uploaded ZIP archives. This allows an attacker to perform a Zip Slip attack, leading to Arbitrary File Write and Remote Code Execution (RCE) by overwriting sensitive .php files outside the designated plugins directory. The vulnerability is located in Plugins.php. While the testZipFile function attempts to validate that the ZIP contains only one root folder, it does not sanitize or validate the individual file paths within that folder. An attacker can bypass this check by naming a file ValidPluginName/../../shell.php. The explode function will see ValidPluginName as the root folder, satisfying the count($folders) != 1 check. However, during extraction, the ../../ sequence triggers a path traversal, allowing the file to be written anywhere the web server has permissions the root directory. This issue is fixed in version 2026.1. | |||||
| CVE-2026-27636 | 1 Freescout | 1 Freescout | 2026-06-17 | N/A | 8.8 HIGH |
| FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htaccess` or `.user.ini` files. On Apache servers with `AllowOverride All` (a common configuration), an authenticated user can upload a `.htaccess` file to redefine how files are processed, enabling Remote Code Execution. This vulnerability can be exploited on its own or in combination with CVE-2026-27637. Version 1.8.206 fixes both vulnerabilities. | |||||
| CVE-2026-27605 | 1 Depomo | 1 Chartbrew | 2026-06-17 | N/A | 6.3 MEDIUM |
| Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading files (project logos) without validating the file type or content. It trusts the extension provided by the user. These files are saved to the uploads/ directory and served statically. An attacker can upload an HTML file containing malicious JavaScript. Since authentication tokens are likely stored in localStorage (as they are returned in the API body), this XSS can lead to account takeover. This issue has been patched in version 4.8.4. | |||||
| CVE-2026-27540 | 2026-06-17 | N/A | 9.0 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture woocommerce-wholesale-lead-capture allows Using Malicious Files.This issue affects Woocommerce Wholesale Lead Capture: from n/a through <= 2.0.3.1. | |||||
| CVE-2026-27146 | 1 Getsimple-ce | 1 Getsimple Cms | 2026-06-17 | N/A | 4.5 MEDIUM |
| GetSimple CMS is a content management system. All versions of GetSimple CMS do not implement CSRF protection on the administrative file upload endpoint. As a result, an attacker can craft a malicious web page that silently triggers a file upload request from an authenticated victim’s browser. The request is accepted without requiring a CSRF token or origin validation. This allows an attacker to upload arbitrary files to the application without the victim’s knowledge or consent. In order to exploit this vulnerability, the victim must be authenticated to GetSimple CMS (e.g., admin user), and visit an attacker-controlled webpage. This issue does not have a fix at the time of publication. | |||||
| CVE-2026-27067 | 2026-06-17 | N/A | 9.1 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor mobile-app-editor allows Upload a Web Shell to a Web Server.This issue affects Mobile App Editor: from n/a through <= 1.3.1. | |||||
| CVE-2026-27043 | 2026-06-17 | N/A | 7.2 HIGH | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography allows Path Traversal.This issue affects Photography: from n/a before 7.7.6. | |||||
| CVE-2026-26984 | 1 Mcgill | 1 Loris | 2026-06-17 | N/A | 8.8 HIGH |
| LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with sufficient privileges can exploit a path traversal vulnerability to upload a malicious file to an arbitrary location on the server. Once uploaded, the file can be used to achieve remote code execution (RCE). An attacker must be authenticated and have the appropriate permissions to exploit this issue. If the server is configured as read-only, remote code execution (RCE) is not possible; however, the malicious file upload may still be achievable. This problem is fixed in LORIS v26.0.5 and above, v27.0.2 and above, and v28.0.0 and above. As a workaround, LORIS administrators can disable the media module if it is not being used. | |||||
| CVE-2026-26975 | 1 Music-assistant | 1 Music Assistant Server | 2026-06-17 | N/A | 8.8 HIGH |
| Music Assistant is an open-source media library manager that integrates streaming services with connected speakers. Versions 2.6.3 and below allow unauthenticated network-adjacent attackers to execute arbitrary code on affected installations. The music/playlists/update API allows users to bypass the .m3u extension enforcement and write files anywhere on the filesystem, which is exacerbated by the container running as root. This can be exploited to achieve Remote Code Execution by writing a malicious .pth file to the Python site-packages directory, which will execute arbitrary commands when Python loads. This issue has been fixed in version 2.7.0. | |||||
| CVE-2026-26746 | 1 Opensourcepos | 1 Open Source Point Of Sale | 2026-06-17 | N/A | 8.8 HIGH |
| OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE). | |||||
| CVE-2026-25923 | 1 Mylittleforum | 1 My Little Forum | 2026-06-17 | N/A | 9.1 CRITICAL |
| my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file (disguised as JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1. | |||||
| CVE-2026-25648 | 1 Traccar | 1 Traccar | 2026-06-17 | N/A | 8.7 HIGH |
| Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the `image/svg+xml` Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available. | |||||
| CVE-2026-25510 | 1 Ci4-cms-erp | 1 Ci4ms | 2026-06-17 | N/A | 9.9 CRITICAL |
| CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0. | |||||
| CVE-2026-25413 | 2026-06-17 | N/A | 9.9 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Using Malicious Files.This issue affects WPBookit Pro: from n/a through <= 1.6.18. | |||||
| CVE-2026-25201 | 1 Samsung | 1 Magicinfo 9 Server | 2026-06-17 | N/A | 8.8 HIGH |
| An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1. | |||||
| CVE-2026-25200 | 1 Samsung | 1 Magicinfo 9 Server | 2026-06-17 | N/A | 9.8 CRITICAL |
| A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover This issue affects MagicINFO 9 Server: less than 21.1090.1. | |||||
| CVE-2026-25099 | 1 Bludit | 1 Bludit | 2026-06-17 | N/A | 8.8 HIGH |
| Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4. | |||||
| CVE-2026-25056 | 1 N8n | 1 N8n | 2026-06-17 | N/A | 8.8 HIGH |
| n8n is an open source workflow automation platform. Prior to versions 1.118.0 and 2.4.0, a vulnerability in the Merge node's SQL Query mode allowed authenticated users with permission to create or modify workflows to write arbitrary files to the n8n server's filesystem potentially leading to remote code execution. This issue has been patched in versions 1.118.0 and 2.4.0. | |||||
| CVE-2026-24960 | 2026-06-17 | N/A | 9.9 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Charety charety allows Using Malicious Files.This issue affects Charety: from n/a through < 2.0.2. | |||||
| CVE-2026-24897 | 1 Erugo | 1 Erugo | 2026-06-17 | N/A | 10.0 CRITICAL |
| Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue. | |||||