File Upload — CraftedSignal Threat Feed

WordPress User Registration Advanced Fields Plugin Arbitrary File Upload Vulnerability

hello@craftedsignal.io — Sat, 02 May 2026 05:16:00 +0000

The User Registration Advanced Fields plugin for WordPress, specifically versions up to and including 1.6.20, contains an arbitrary file upload vulnerability (CVE-2026-4882) due to insufficient file type validation in the URAF_AJAX::method_upload function. This flaw enables unauthenticated attackers to upload any file type to the affected server, which can lead to remote code execution if the uploaded file is strategically placed and executed. The vulnerability is exploitable only if a “Profile Picture” field is active within the registration form. This poses a significant threat to websites using the plugin, as attackers can potentially gain full control of the server.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable User Registration Advanced Fields plugin (<= 1.6.20) with the “Profile Picture” field enabled.
The attacker crafts a malicious HTTP request to the URAF_AJAX::method_upload function, bypassing any client-side file type checks.
The attacker uploads a web shell (e.g., a PHP file) disguised as a legitimate file type or without any extension to evade basic detection mechanisms.
The vulnerable plugin saves the file to the WordPress uploads directory without proper validation.
The attacker identifies the exact file path of the uploaded web shell on the server.
The attacker sends another HTTP request directly to the uploaded web shell.
The web shell executes on the server, providing the attacker with remote code execution capabilities.
The attacker can then leverage the web shell to perform various malicious activities, such as installing malware, defacing the website, or exfiltrating sensitive data.

Impact

Successful exploitation of this vulnerability (CVE-2026-4882) allows unauthenticated attackers to upload arbitrary files to a vulnerable WordPress website, potentially leading to remote code execution. This can result in complete compromise of the affected website, including data theft, website defacement, and malware infections. The CVSS v3.1 base score for this vulnerability is 9.8, indicating a critical severity level. The impact includes potential damage to reputation, financial losses, and legal liabilities.

Recommendation

Upgrade the User Registration Advanced Fields plugin to the latest version (greater than 1.6.20) to patch CVE-2026-4882.
Implement file type validation on the server-side, restricting allowed file extensions for profile picture uploads.
Monitor web server logs for suspicious file upload activity targeting the URAF_AJAX::method_upload function to detect potential exploitation attempts. Deploy the Sigma rule Detect Suspicious WordPress File Uploads to your SIEM.
Implement strict file permission policies to prevent uploaded files from being executed as scripts.

Xerte Online Toolkits Unauthenticated Remote Code Execution via File Upload

hello@craftedsignal.io — Thu, 23 Apr 2026 12:00:00 +0000

Xerte Online Toolkits, a platform used for creating online learning materials, is vulnerable to unauthenticated remote code execution (RCE). Specifically, versions 3.15 and earlier contain an incomplete input validation vulnerability within the elFinder connector endpoint. This flaw allows an attacker to bypass existing file extension filters and upload PHP files with a ‘.php4’ extension. Combined with authentication bypass and path traversal vulnerabilities, this can lead to arbitrary operating system command execution on the underlying server. This vulnerability, identified as CVE-2026-34415, poses a significant risk to organizations using affected versions of Xerte Online Toolkits, potentially allowing attackers to gain complete control of the web server.

Attack Chain

An unauthenticated attacker sends a crafted HTTP request to the elFinder connector endpoint.
The attacker exploits an authentication bypass vulnerability to gain unauthorized access to file upload functionality.
The attacker leverages a path traversal vulnerability to specify a writable directory for the uploaded file.
The attacker uploads a malicious PHP file disguised with a ‘.php4’ extension, bypassing the incomplete input validation.
The server saves the malicious PHP file to the specified directory.
The attacker sends another HTTP request to directly access the uploaded PHP file via its URL.
The web server executes the PHP code within the uploaded file, granting the attacker arbitrary code execution.
The attacker can now execute operating system commands on the server, potentially leading to data theft, system compromise, or further malicious activities.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary operating system commands on the affected Xerte Online Toolkits server. Given the high CVSS score of 9.8, this vulnerability is considered critical. If exploited, an attacker could potentially gain full control of the server, leading to data breaches, defacement of the website, or the use of the compromised server as a launchpad for further attacks within the network. The number of potentially affected installations is currently unknown.

Recommendation

Upgrade Xerte Online Toolkits to a patched version greater than 3.15 to remediate CVE-2026-34415.
Implement the Sigma rule “Detect Suspicious PHP4 Uploads” to identify potential exploitation attempts by monitoring web server logs for ‘.php4’ file uploads.
Review web server access logs for unusual requests to PHP files located in unexpected directories, which may indicate exploitation attempts.
Monitor web server logs for requests to the elFinder connector endpoint that include suspicious parameters or file extensions.

Borg SPM 2007 Arbitrary File Upload Vulnerability (CVE-2026-6885)

hello@craftedsignal.io — Thu, 23 Apr 2026 10:16:18 +0000

Borg SPM 2007, a product by BorG Technology Corporation with sales ending in 2008, is vulnerable to arbitrary file uploads (CVE-2026-6885). This vulnerability allows unauthenticated remote attackers to upload malicious files, such as web shells, which can then be executed by the server. The attacker can then achieve arbitrary code execution, leading to a compromise of the system. Given the age of the software, it is likely running on outdated systems with fewer security controls making successful exploitation highly probable. This poses a significant risk to organizations still using this software.

Attack Chain

The attacker identifies a Borg SPM 2007 server exposed to the internet.
The attacker sends a crafted HTTP POST request to the server, exploiting the file upload vulnerability (CVE-2026-6885).
The POST request contains a malicious file, such as a PHP web shell, disguised with a permissible extension or without any extension check.
The Borg SPM 2007 server saves the uploaded file to a publicly accessible directory, without proper sanitization.
The attacker sends another HTTP request to access the uploaded web shell.
The web server executes the web shell code, granting the attacker arbitrary code execution on the server.
The attacker uses the web shell to gain a persistent foothold, install malware, or exfiltrate sensitive data.

Impact

Successful exploitation of this vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the vulnerable server. This can lead to full system compromise, data theft, and potential disruption of services. While the number of active installations is likely low due to the product’s end-of-life status in 2008, organizations still running Borg SPM 2007 are at high risk if the system is exposed to the Internet.

Recommendation

Identify instances of Borg SPM 2007 running in your environment and isolate them from the network if possible.
Implement the provided Sigma rule to detect potential web shell uploads based on HTTP request characteristics.
Since no patch exists, consider immediate decommissioning or migration to a supported alternative.

FlowiseAI File Upload Validation Bypass Leads to RCE

hello@craftedsignal.io — Fri, 17 Apr 2026 14:00:00 +0000

FlowiseAI, a low-code platform for building AI applications, contains a file upload validation bypass vulnerability. By modifying the Chatflow configuration, specifically the allowedUploadFileTypes setting, an attacker can add application/javascript as an accepted MIME type. This bypasses previous mitigations (CVE-2025-61687) intended to prevent the upload of potentially malicious files. Although the frontend UI restricts JavaScript uploads, a direct API request can circumvent this. Successful exploitation allows attackers to persistently store Node.js web shells (e.g., shell.js) on the Flowise server. This vulnerability affects FlowiseAI versions up to 3.0.13. If executed, these web shells could grant the attacker Remote Code Execution (RCE) capabilities on the server, posing a significant risk to system integrity and data confidentiality.

Attack Chain

The attacker identifies a vulnerable FlowiseAI instance running a version <= 3.0.13.
The attacker authenticates to the FlowiseAI instance as an administrator or with compromised credentials.
The attacker crafts a malicious HTTP PUT request to the /api/v1/chatflows/{CHATFLOW_ID} endpoint.
The PUT request modifies the Chatflow configuration, specifically the chatbotConfig to include application/javascript in the allowedUploadFileTypes.
The attacker crafts a malicious HTTP POST request to the /api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID} endpoint to upload a .js file (Node.js web shell), such as the shell.js example.
The server saves the malicious .js file to a publicly accessible directory.
The attacker accesses the uploaded .js file via a direct HTTP request.
The web shell executes commands specified in the URL parameters, such as http://localhost:8888/?cmd=id, resulting in RCE.

Impact

Successful exploitation of this vulnerability allows attackers to upload and persistently store malicious web shells on the FlowiseAI server. Execution of these web shells grants the attacker the ability to execute arbitrary commands on the underlying system. This can lead to complete system compromise, data exfiltration, and denial of service. This vulnerability affects FlowiseAI versions up to 3.0.13.

Recommendation

Apply appropriate input validation and sanitization to prevent modification of allowedUploadFileTypes settings.
Monitor network traffic for PUT requests to /api/v1/chatflows/{CHATFLOW_ID} modifying allowedUploadFileTypes as described in the attack chain.
Monitor for POST requests to /api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID} uploading .js files based on the attack chain.
Deploy the Sigma rules provided below to detect suspicious HTTP requests indicative of this attack.

Goshs File-Based ACL Authorization Bypass Vulnerability

hello@craftedsignal.io — Fri, 10 Apr 2026 20:02:46 +0000

The Goshs web server is susceptible to a critical authorization bypass (CVE-2026-40189) affecting versions up to and including 1.1.4 and v2.0.0-beta.3. The vulnerability stems from inconsistent enforcement of file-based ACLs defined by .goshs files. While the application correctly enforces authorization for reading and listing files, state-changing routes such as PUT, POST /upload, ?mkdir, and ?delete do not perform the same authorization checks. This allows unauthenticated attackers to upload, create, and delete files within directories that should be protected by authentication. The most severe impact arises from the ability to delete the .goshs file itself, thereby removing the authentication requirement and exposing previously protected content. This vulnerability undermines the intended security mechanisms of Goshs, posing a significant risk to data confidentiality, integrity, and availability.

Attack Chain

The attacker identifies a Goshs instance utilizing .goshs files for access control.
The attacker sends an unauthenticated PUT request to upload a file to a protected directory, bypassing ACL checks via httpserver/updown.go:18-60. Example: PUT /protected/put-created.txt
Alternatively, the attacker sends an unauthenticated multipart POST request to /upload endpoint to upload a file to a protected directory, bypassing ACL checks via httpserver/updown.go:63-165. Example: POST /protected/upload
The attacker sends an unauthenticated request with the ?mkdir parameter to create a directory within the protected directory, bypassing ACL checks via httpserver/handler.go:901-937. Example: /?mkdir=new_directory
The attacker sends an unauthenticated request with the ?delete parameter targeting the .goshs file within the protected directory, leveraging the vulnerable route in httpserver/handler.go:679-698. Example: /.goshs?delete
The server deletes the .goshs file using os.RemoveAll(), effectively removing the access control restrictions for the directory.
The attacker sends an unauthenticated request to access previously protected files, which are now accessible due to the absence of the .goshs file.
The attacker gains unauthorized access to sensitive information and can perform further malicious actions, such as deleting or modifying critical files.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to bypass intended access controls in Goshs deployments. This can lead to unauthorized access to sensitive files, potentially exposing confidential information. Attackers can also create, modify, or delete files within protected directories, causing data corruption or service disruption. The ability to delete the .goshs file directly amplifies the impact, as it permanently removes the authentication barrier, affecting all previously protected content. This vulnerability poses a significant threat to the confidentiality, integrity, and availability of Goshs-hosted data.

Recommendation

Apply the vendor-supplied patch or upgrade to a version of Goshs that addresses CVE-2026-40189.
Deploy the Sigma rule “Detect Goshs Unauthenticated .goshs Deletion” to your SIEM to detect attempts to remove .goshs ACL files via the ?delete parameter.
Deploy the Sigma rule “Detect Goshs Unauthenticated PUT Request to Protected Directories” to detect unauthorized file uploads to protected directories.
Monitor web server logs for PUT, POST, and DELETE requests targeting directories containing .goshs files to identify potential exploitation attempts. (Log Source: webserver)

WordPress Plugin Vulnerability: Arbitrary File Upload in Gerador de Certificados – DevApps

hello@craftedsignal.io — Wed, 08 Apr 2026 07:16:22 +0000

The Gerador de Certificados – DevApps plugin for WordPress, versions up to and including 1.3.6, contains an arbitrary file upload vulnerability (CVE-2026-4808). This flaw stems from a lack of file type validation within the moveUploadedFile() function. Authenticated users with administrator privileges or higher can exploit this vulnerability by uploading arbitrary files to the affected server. Successful exploitation could allow an attacker to execute arbitrary code on the server, leading to a complete system compromise. This vulnerability poses a significant threat to websites using the affected plugin, potentially impacting data confidentiality, integrity, and availability.

Attack Chain

An attacker authenticates to the WordPress site with administrator-level privileges.
The attacker navigates to the Gerador de Certificados – DevApps plugin’s upload functionality.
The attacker crafts a malicious file (e.g., a PHP file) with a disguised extension or no extension.
The attacker uploads the malicious file through the plugin’s interface, bypassing the missing file type validation in the moveUploadedFile() function.
The plugin saves the file to a publicly accessible directory on the server.
The attacker identifies the location of the uploaded file.
The attacker sends an HTTP request to the uploaded file’s location.
The server executes the malicious code within the uploaded file, granting the attacker remote code execution capabilities.

Impact

Successful exploitation of this vulnerability allows attackers with administrator privileges to upload arbitrary files to the web server. This can lead to remote code execution, potentially allowing the attacker to gain full control of the WordPress website and the underlying server. This could lead to data theft, website defacement, or use of the server for malicious purposes such as hosting phishing sites or launching attacks against other systems. The number of affected sites is potentially very large.

Recommendation

Upgrade the Gerador de Certificados – DevApps plugin to the latest version, which includes a fix for CVE-2026-4808.
Implement web server configurations to prevent the execution of scripts in upload directories.
Enable web server logging and monitor for suspicious file uploads and access attempts to unusual file types.
Deploy the Sigma rule to detect attempts to access PHP files within the wp-content/uploads directory.

Ninja Forms File Upload Plugin Vulnerability Leads to RCE

hello@craftedsignal.io — Tue, 07 Apr 2026 05:16:06 +0000

The Ninja Forms - File Uploads plugin for WordPress, specifically versions up to and including 3.3.26, contains an arbitrary file upload vulnerability (CVE-2026-0740). This flaw stems from a lack of proper file type validation within the NF_FU_AJAX_Controllers_Uploads::handle_upload function. An unauthenticated attacker can exploit this vulnerability to upload arbitrary files to the affected WordPress server. Successful exploitation could enable remote code execution, allowing the attacker to compromise the web server and potentially the underlying network. The vulnerability was partially addressed in version 3.3.25 and fully resolved in version 3.3.27. This vulnerability poses a significant risk to organizations using the vulnerable plugin, potentially leading to data breaches, website defacement, or complete system compromise.

Attack Chain

An unauthenticated attacker sends a crafted HTTP POST request to the WordPress server targeting the wp-admin/admin-ajax.php endpoint.
The POST request includes a malicious file disguised as a legitimate file type, exploiting the missing file type validation in the NF_FU_AJAX_Controllers_Uploads::handle_upload function.
The handle_upload function processes the request without properly validating the file type, allowing the malicious file to be uploaded to the server.
The uploaded file is stored in the WordPress uploads directory, typically located within the wp-content/uploads/ninja-forms-uploads/ directory.
The attacker crafts the malicious file (e.g., a PHP script) to execute arbitrary code on the server when accessed.
The attacker accesses the uploaded malicious file via a direct HTTP request to the file’s location within the uploads directory.
The web server executes the malicious file (e.g., a PHP script), granting the attacker the ability to execute arbitrary commands on the server.
The attacker leverages the executed code to gain a persistent foothold on the server, install malware, or exfiltrate sensitive data.

Impact

Successful exploitation of CVE-2026-0740 allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution. This can result in complete compromise of the WordPress website, including data breaches, website defacement, and installation of backdoors. The impact is significant due to the widespread use of WordPress and the Ninja Forms plugin. Even a single successful attack can lead to substantial financial losses, reputational damage, and legal liabilities. Websites utilizing versions of the Ninja Forms File Uploads plugin prior to 3.3.27 are vulnerable.

Recommendation

Upgrade the Ninja Forms File Uploads plugin to version 3.3.27 or later to fully patch CVE-2026-0740.
Implement web application firewall (WAF) rules to detect and block malicious file upload attempts targeting the wp-admin/admin-ajax.php endpoint.
Monitor web server access logs for suspicious requests to the wp-content/uploads/ninja-forms-uploads/ directory.
Deploy the Sigma rule “Detect Ninja Forms Arbitrary File Upload Attempt” to identify potential exploitation attempts in web server logs.
Enforce strict file type validation on all file upload forms, even after upgrading the plugin, as a defense-in-depth measure.

Brave CMS Unrestricted File Upload Leads to Remote Code Execution

hello@craftedsignal.io — Mon, 06 Apr 2026 18:16:42 +0000

Brave CMS, an open-source content management system, is vulnerable to an unrestricted file upload vulnerability (CVE-2026-35164) in versions prior to 2.0.6. The vulnerability resides within the CKEditor upload functionality, specifically in the ckupload method located in app/Http/Controllers/Dashboard/CkEditorController.php. The application fails to properly validate the types of uploaded files, relying solely on user-provided input. This lack of validation enables an authenticated user to upload malicious PHP scripts, leading to arbitrary code execution on the server. The vulnerability was reported on April 6, 2026, and is fixed in Brave CMS version 2.0.6. Organizations using affected versions of Brave CMS are at risk of complete system compromise.

Attack Chain

Attacker authenticates to the Brave CMS application as a user with upload privileges.
The attacker navigates to a page or functionality within the CMS that utilizes the CKEditor for content creation or editing.
The attacker uses the CKEditor’s upload functionality to upload a malicious PHP script disguised as a legitimate file type (e.g., image).
The ckupload method in app/Http/Controllers/Dashboard/CkEditorController.php processes the uploaded file without proper validation of the file type or content.
The malicious PHP script is stored on the server in a publicly accessible directory.
The attacker crafts a request to directly access the uploaded PHP script via its URL.
The web server executes the PHP script, granting the attacker the ability to run arbitrary commands on the server.
The attacker establishes persistence, installs a web shell, and performs lateral movement within the network, escalating privileges as needed to achieve their objectives.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary PHP code on the affected Brave CMS server. This can lead to complete compromise of the CMS instance, including unauthorized access to sensitive data, modification of website content, and potential lateral movement to other systems on the network. The CVSS v3.1 base score for this vulnerability is 8.8, indicating a high severity level. Organizations running vulnerable versions of Brave CMS are at risk of data breaches, website defacement, and further exploitation of their infrastructure.

Recommendation

Upgrade Brave CMS to version 2.0.6 or later to remediate the unrestricted file upload vulnerability (CVE-2026-35164).
Implement server-side file validation to prevent the upload of malicious files, regardless of file extension.
Monitor web server logs for suspicious activity related to file uploads and execution of PHP scripts.
Deploy the following Sigma rule to detect attempts to access potentially malicious PHP files in the web server’s upload directories.

phpBB Arbitrary File Upload Vulnerability (CVE-2019-25685)

hello@craftedsignal.io — Sun, 05 Apr 2026 21:16:47 +0000

CVE-2019-25685 is an arbitrary file upload vulnerability affecting phpBB. An authenticated attacker can exploit this vulnerability to upload malicious files by leveraging the plupload functionality and the phar:// stream wrapper. This allows them to upload a crafted ZIP archive that includes serialized PHP objects, leading to arbitrary code execution when these objects are deserialized via the imagick parameter within the attachment settings. Successful exploitation can result in complete server compromise, allowing the attacker to execute arbitrary commands, potentially leading to data theft, website defacement, or denial of service.

Attack Chain

The attacker authenticates to the phpBB application.
The attacker crafts a malicious ZIP archive containing serialized PHP objects designed for remote code execution. This archive is designed to be processed by the phar:// stream wrapper.
The attacker uploads the crafted ZIP archive through the plupload functionality, potentially disguised as a legitimate attachment type.
The phpBB application processes the uploaded file. The application uses the phar:// stream wrapper to extract the contents of the uploaded ZIP file.
The application deserializes the malicious PHP objects, triggered by the imagick parameter in attachment settings.
Deserialization of the crafted PHP objects leads to arbitrary code execution on the server.
The attacker gains control of the web server, potentially escalating privileges.

Impact

Successful exploitation of CVE-2019-25685 allows an attacker to execute arbitrary code on the phpBB server. The attacker could gain complete control of the web server, potentially leading to data theft, website defacement, or denial of service. The impact is significant due to the potential for full system compromise. The number of victims is dependent on the number of phpBB installations exposed and targeted.

Recommendation

Inspect web server logs for POST requests to attachment upload endpoints containing ZIP archives and the “phar://” wrapper in request parameters to detect potential exploit attempts. (Log Source: webserver, Rule: phpbb_phar_upload)
Monitor phpBB file upload directories for the creation of unexpected files, particularly PHP scripts or other executable files. (Log Source: file_event, Rule: phpbb_suspicious_file_creation)
Apply available patches or updates for phpBB to address CVE-2019-25685 as soon as possible.

Technostrobe HI-LED-WR120-G2 Unrestricted File Upload Vulnerability (CVE-2026-5573)

hello@craftedsignal.io — Sun, 05 Apr 2026 15:16:41 +0000

A critical vulnerability, CVE-2026-5573, has been identified in Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30. This flaw allows unauthenticated, remote attackers to upload arbitrary files to the device due to improper handling of the ‘cwd’ argument when accessing the /fs file. Publicly available exploits exist, increasing the risk of widespread exploitation. The vendor was notified but did not respond. This vulnerability poses a significant threat due to the potential for complete system compromise, including remote code execution and data exfiltration.

Attack Chain

The attacker identifies a Technostrobe HI-LED-WR120-G2 device running the vulnerable firmware version 5.5.0.1R6.03.30.
The attacker sends a crafted HTTP request to the /fs endpoint, manipulating the cwd argument.
The manipulated cwd argument bypasses access controls, allowing the attacker to specify an arbitrary upload directory.
The attacker uploads a malicious file, such as a web shell or executable, to the specified directory.
The attacker accesses the uploaded file via a web browser or other means.
If the uploaded file is executable (e.g., a web shell), the attacker executes arbitrary commands on the device with the privileges of the web server.
The attacker leverages the gained access to escalate privileges, install persistent backdoors, or exfiltrate sensitive data.

Impact

Successful exploitation of CVE-2026-5573 allows attackers to gain complete control over affected Technostrobe HI-LED-WR120-G2 devices. This can lead to data breaches, system disruption, or the device being used as a foothold for further attacks within the network. The lack of vendor response and the availability of public exploits make this vulnerability particularly dangerous.

Recommendation

Monitor web server logs for suspicious requests to the /fs endpoint with unusual cwd parameter values. Use the provided Sigma rule to detect such activity.
Inspect uploaded files for malicious content. Deploy the file upload detection Sigma rule to identify potential web shells.
Block connections to the identified malicious URLs to prevent exploit attempts (see IOCs).

ShareFile Storage Zones Controller Unauthenticated Remote Code Execution via File Upload (CVE-2026-2701)

hello@craftedsignal.io — Thu, 02 Apr 2026 14:16:27 +0000

CVE-2026-2701 is a critical vulnerability affecting ShareFile Storage Zones Controller, allowing authenticated users to upload and execute malicious files on the server, resulting in remote code execution. The vulnerability stems from inadequate input validation and insufficient restrictions on file types during upload. Successful exploitation enables attackers to execute arbitrary code on the affected system, potentially leading to complete system compromise. While the specific versions affected are not explicitly stated in the source, the vulnerability was reported in conjunction with a security vulnerability advisory published in February 2026. Defenders should prioritize patching and implementing mitigations to prevent potential exploitation.

Attack Chain

An authenticated user logs into the ShareFile Storage Zones Controller.
The user navigates to the file upload functionality within the application.
The attacker uploads a specially crafted malicious file (e.g., a web shell or executable).
The application fails to properly validate the file type or content, allowing the malicious file to be stored on the server.
The attacker crafts a request to execute the uploaded malicious file. This may involve leveraging OS command injection (CWE-78) or code injection (CWE-94) vulnerabilities.
The server executes the malicious file, granting the attacker arbitrary code execution.
The attacker uses the gained access to move laterally, install backdoors, or exfiltrate sensitive data.
The attacker achieves complete control over the compromised server and potentially the entire ShareFile environment.

Impact

Successful exploitation of CVE-2026-2701 allows attackers to execute arbitrary code on the affected ShareFile Storage Zones Controller server. This can lead to a complete compromise of the server, data exfiltration, and potential lateral movement within the network. While the exact number of victims is unknown, any organization using vulnerable versions of ShareFile Storage Zones Controller is at risk. Given the nature of ShareFile, this could expose sensitive data belonging to customers and partners.

Recommendation

Apply the security patch referenced in the Progress Software Corporation advisory (https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26) to remediate CVE-2026-2701.
Implement strict file type validation and sanitization on all file upload functionalities within the ShareFile Storage Zones Controller.
Deploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.
Monitor web server logs for suspicious file upload activity or attempts to execute unusual file types using the provided Sigma rule targeting webserver logs.

Path Traversal Vulnerability in API File Upload Endpoint (CVE-2026-5027)

hello@craftedsignal.io — Fri, 27 Mar 2026 15:17:04 +0000

CVE-2026-5027 exposes a critical vulnerability in the ‘POST /api/v2/files’ endpoint, where the ‘filename’ parameter within multipart form data is not properly sanitized. This flaw allows an attacker to manipulate the filename by injecting path traversal sequences such as ‘../’, leading to the ability to write files to arbitrary locations on the server’s filesystem. This vulnerability was reported by Tenable Network Security, Inc. and has a CVSS v3.1 base score of 8.8 (HIGH). Successful…

Sharp Laravel Admin Panel Unrestricted File Upload Vulnerability

hello@craftedsignal.io — Wed, 25 Mar 2026 20:03:11 +0000

The code16/sharp Laravel admin panel package, specifically versions before 9.20.0, is vulnerable to unrestricted file upload. An authenticated user can manipulate the validation_rule parameter in the /api/form/upload endpoint to bypass file type restrictions. This vulnerability stems from insufficient server-side validation of the client-supplied validation_rule, which is directly passed to the Laravel validator. Successfully exploiting this vulnerability allows an attacker to upload arbitrary files, including PHP webshells, which can lead to remote code execution (RCE) if the storage disk is publicly accessible. The vulnerability was reported by zaurgsynv and has been patched in pull request #714. Defenders should ensure their Sharp instances are updated to version 9.20.0 or later, and restrict disk access.

Attack Chain

An authenticated user logs into the Sharp Laravel admin panel.
The user navigates to a section of the application that utilizes the file upload functionality.
The user intercepts the HTTP request sent to the /api/form/upload endpoint.
The user modifies the request body, specifically the validation_rule parameter, setting it to validation_rule[]=file.
The modified request is sent to the server, bypassing MIME type and file extension checks.
The server processes the upload request, saving the arbitrary file (e.g., a PHP webshell) to the designated storage disk.
If the storage disk is publicly accessible, the attacker can access the uploaded file via a web browser.
The attacker executes the uploaded PHP webshell, achieving remote code execution (RCE) on the server.

Impact

Successful exploitation of this vulnerability allows attackers to upload arbitrary files, including PHP webshells, to the affected server. This can lead to Remote Code Execution (RCE) if the server’s storage disk is misconfigured to be publicly accessible. While default configurations prevent direct execution of uploaded PHP files, compromised servers can be leveraged for lateral movement, data exfiltration, or further malicious activities. This vulnerability impacts all installations of code16/sharp prior to version 9.20.0.

Recommendation

Upgrade code16/sharp to version 9.20.0 or later to remediate CVE-2026-33687.
Ensure that the storage disk used for Sharp uploads is strictly private, as described in the Laravel filesystem documentation (https://laravel.com/docs/13.x/filesystem).
Deploy the Sigma rule “Detect Sharp File Upload Bypass Attempt” to identify attempts to exploit this vulnerability based on the validation_rule parameter.
Monitor web server logs for suspicious file uploads to the /api/form/upload endpoint, correlating with user activity and file extensions.

PhreeBooks ERP 5.2.3 Arbitrary File Upload Vulnerability

hello@craftedsignal.io — Tue, 24 Mar 2026 12:16:03 +0000

PhreeBooks ERP version 5.2.3 contains a critical arbitrary file upload vulnerability within its Image Manager component. This vulnerability allows authenticated attackers to bypass security restrictions and upload malicious files to the server. By crafting specific requests to the image upload endpoint, threat actors can inject PHP files. The successful exploitation of this vulnerability allows for arbitrary code execution on the underlying system, potentially leading to full system compromise. This issue was reported and assigned CVE-2019-25630. Successful exploitation requires authentication, limiting the scope of easily exploitable targets. However, the impact of successful exploitation is severe, allowing for complete control of the affected PhreeBooks ERP instance.

Attack Chain

The attacker authenticates to the PhreeBooks ERP 5.2.3 application.
The attacker navigates to the Image Manager component.
The attacker crafts a malicious HTTP POST request to the bizuno/image/manager endpoint.
The request includes the imgFile parameter containing a PHP file disguised as an image (e.g., using a double extension like evil.php.jpg).
The server saves the uploaded file to a publicly accessible directory.
The attacker then accesses the uploaded PHP file via a direct HTTP request to /bizunoFS.php.
The bizunoFS.php script executes the malicious PHP code.
The attacker gains remote code execution on the server, enabling further malicious activities like data exfiltration or system compromise.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the PhreeBooks ERP server. This can lead to complete compromise of the server, including data exfiltration, modification of financial records, and denial of service. While the number of affected installations is unknown, the potential impact on compromised systems is significant due to the sensitive data typically managed by ERP systems. Organizations using PhreeBooks ERP 5.2.3 are vulnerable to complete data loss, financial fraud, and reputational damage.

Recommendation

Apply available patches or upgrade to a secure version of PhreeBooks ERP to remediate CVE-2019-25630.
Implement the Sigma rule Phreebooks Image Upload to detect suspicious requests to the bizuno/image/manager endpoint.
Monitor web server logs for access to PHP files within the image upload directories, as this can be a sign of successful exploitation via bizunoFS.php.
Implement input validation on the server side to prevent uploading files with dangerous extensions like .php.

Census CSWeb 8.0.1 Arbitrary File Upload Vulnerability

hello@craftedsignal.io — Tue, 24 Mar 2026 12:00:00 +0000

Census CSWeb 8.0.1 is vulnerable to an arbitrary file upload vulnerability (CVE-2025-60947). An authenticated attacker can leverage this vulnerability to upload malicious files to the server. Successful exploitation could allow the attacker to achieve remote code execution on the targeted system. The vulnerability was patched in version 8.1.0 alpha. This poses a significant risk to organizations using the affected CSWeb version, potentially leading to data breaches, system compromise, and…

Breeze Cache Plugin Arbitrary File Upload Vulnerability (CVE-2026-3844)

hello@craftedsignal.io — Thu, 29 Feb 2024 10:00:00 +0000

The Breeze Cache plugin for WordPress, in versions up to and including 2.4.4, contains an arbitrary file upload vulnerability (CVE-2026-3844). This flaw stems from the lack of file type validation within the ‘fetch_gravatar_from_remote’ function. An unauthenticated attacker can exploit this vulnerability to upload arbitrary files to the affected WordPress site’s server. Successful exploitation could lead to remote code execution on the server. It is important to note that the vulnerability can only be exploited if the “Host Files Locally - Gravatars” setting is enabled within the Breeze Cache plugin. This setting is disabled by default, reducing the attack surface. Defenders should prioritize identifying potentially compromised systems running vulnerable versions of Breeze Cache with the “Host Files Locally - Gravatars” option enabled.

Attack Chain

An unauthenticated attacker identifies a WordPress site running a vulnerable version (<= 2.4.4) of the Breeze Cache plugin.
The attacker confirms the “Host Files Locally - Gravatars” option is enabled on the target WordPress site.
The attacker crafts a malicious HTTP request targeting the ‘fetch_gravatar_from_remote’ function. This request contains a payload designed to upload an arbitrary file to the server.
Due to the missing file type validation, the server accepts the malicious file upload without proper sanitization. The uploaded file can be a PHP file, a web shell, or another executable type.
The attacker determines the location where the file has been saved by the plugin.
The attacker sends an HTTP request to the uploaded file’s location, triggering its execution on the server.
The malicious file executes, granting the attacker remote code execution capabilities on the web server.
The attacker can then perform actions such as installing malware, stealing sensitive data, or further compromising the server and network.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to upload arbitrary files to a vulnerable WordPress server. This can lead to complete compromise of the server, allowing for remote code execution. The attacker can then pivot to other systems, steal sensitive information, or cause significant disruption. While the “Host Files Locally - Gravatars” option is disabled by default, any instance where this option is enabled is at critical risk.

Recommendation

Upgrade the Breeze Cache plugin to the latest version to patch CVE-2026-3844.
Disable the “Host Files Locally - Gravatars” setting in the Breeze Cache plugin if it is enabled.
Deploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts.
Monitor web server logs for suspicious file uploads and requests to unusual file extensions using the provided Sigma rules.
Implement strict file upload policies and validation mechanisms on all web applications to prevent arbitrary file uploads.

MindsDB Unrestricted File Upload Vulnerability (CVE-2026-7711)

hello@craftedsignal.io — Fri, 26 Jan 2024 12:00:00 +0000

A critical vulnerability, CVE-2026-7711, exists in MindsDB, an open-source machine learning platform, up to version 26.01. This flaw resides within the exec function of the mindsdb/integrations/handlers/byom_handler/proc_wrapper.py file, a component of the Engine Handler. The vulnerability allows a remote attacker to perform unrestricted file uploads due to a lack of input validation. Public exploits are available, making exploitation more likely. Successful exploitation could lead to arbitrary code execution on the MindsDB server, potentially compromising the entire system and any data it manages. The vendor was notified but has not responded.

Attack Chain

The attacker identifies a MindsDB instance running a vulnerable version (<= 26.01).
The attacker crafts a malicious request targeting the exec function within mindsdb/integrations/handlers/byom_handler/proc_wrapper.py.
This request includes a payload designed to bypass any existing file type or size restrictions.
The vulnerable exec function processes the request without proper validation.
The attacker uploads an arbitrary file, such as a web shell or a malicious executable, to a writeable directory on the server.
The attacker executes the uploaded file, gaining code execution on the server.
The attacker leverages the gained access to escalate privileges, move laterally within the network, and potentially exfiltrate sensitive data or install malware.

Impact

Successful exploitation of CVE-2026-7711 can have severe consequences. An attacker could gain complete control over the MindsDB server, potentially leading to data breaches, service disruption, or further malicious activities within the affected network. Given the nature of MindsDB as a machine learning platform, the data stored or processed by it is highly sensitive, increasing the potential damage. Without remediation, any instance running an affected version is susceptible to remote compromise.

Recommendation

Upgrade MindsDB to a version greater than 26.01 to remediate CVE-2026-7711.
Deploy the Sigma rule “Detect MindsDB Unrestricted Upload Attempt” to identify exploitation attempts targeting the vulnerable exec function.
Monitor web server logs for suspicious POST requests containing file uploads to paths associated with the byom_handler.
Implement strict file upload restrictions and validation on the MindsDB server, even after patching, as a defense-in-depth measure.

WordPress Drag and Drop File Upload Plugin Vulnerable to Arbitrary File Upload (CVE-2026-5364)

hello@craftedsignal.io — Wed, 03 Jan 2024 18:23:00 +0000

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress, in versions up to and including 1.1.3, contains an arbitrary file upload vulnerability tracked as CVE-2026-5364. The flaw stems from insufficient sanitization of file extensions during the upload process. Specifically, the plugin extracts the file extension before sanitization and allows the file type parameter to be controlled by the attacker. Furthermore, validation occurs on the unsanitized extension, while the file is saved with a sanitized extension, stripping special characters like ‘$’ during the save. While an .htaccess file and name randomization are present, these restrictions may be bypassable in certain configurations or by exploiting other vulnerabilities. This vulnerability could allow unauthenticated attackers to upload arbitrary PHP files to the web server, potentially leading to remote code execution (RCE).

Attack Chain

An unauthenticated attacker identifies a WordPress website using a vulnerable version (<= 1.1.3) of the “Drag and Drop File Upload for Contact Form 7” plugin.
The attacker crafts a malicious HTTP POST request targeting the plugin’s upload endpoint, typically /wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php.
The POST request includes a file with a manipulated extension, such as evil.php$.jpg, where evil.php is the malicious PHP payload and $.jpg is designed to be sanitized to .jpg.
The attacker modifies the file type parameter in the request to reflect the original manipulated file extension (evil.php$.jpg).
The plugin validates the extension against administrator-configured types but, due to the unsanitized extension and attacker control over the file type parameter, the malicious file passes validation.
The plugin sanitizes the extension, removing the $ character, resulting in a file saved with the extension .php.
The attacker attempts to access the uploaded PHP file via a direct HTTP request to /wp-content/uploads/.php.
If the .htaccess restrictions are bypassed (e.g., due to misconfiguration or another vulnerability), the web server executes the malicious PHP code, granting the attacker remote code execution.

Impact

Successful exploitation of CVE-2026-5364 allows unauthenticated attackers to upload and execute arbitrary PHP code on the target WordPress server. This can lead to complete compromise of the website, including defacement, data theft, and installation of backdoors. While the presence of .htaccess and name randomization mitigates the risk, these protections may be bypassed, especially when combined with other vulnerabilities or misconfigurations. Given the widespread use of WordPress and its plugins, this vulnerability poses a significant risk to a large number of websites. The CVSS v3.1 base score is 8.1, indicating a high severity vulnerability.

Recommendation

Upgrade the “Drag and Drop File Upload for Contact Form 7” plugin to the latest version (greater than 1.1.3) to patch CVE-2026-5364.
Implement a Web Application Firewall (WAF) rule to inspect and block requests containing suspicious file extensions in the POST parameters targeting the plugin’s upload endpoint (/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php).
Deploy the Sigma rule Detect Suspicious File Upload via Drag and Drop CF7 to identify exploitation attempts in web server logs (cs-uri-query).
Review and harden .htaccess configurations to ensure that PHP execution is restricted in the /wp-content/uploads/ directory.

Weaver E-office Unauthenticated Arbitrary File Upload Vulnerability

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Weaver E-office, a web-based office automation system, is vulnerable to an unauthenticated arbitrary file upload vulnerability (CVE-2022-50993) affecting versions prior to 10.0_20221201. The vulnerability exists within the OfficeServer.php endpoint, allowing remote attackers to upload arbitrary files without authentication. This is achieved by sending multipart POST requests with manipulated filenames and content types. The Shadowserver Foundation observed initial exploitation evidence on October 10, 2022. Successful exploitation enables attackers to upload malicious PHP webshells to the Document directory and execute them via HTTP GET requests, leading to remote code execution on the affected server as the web server user. This can compromise the confidentiality, integrity, and availability of the E-office system and the underlying server.

Attack Chain

An unauthenticated attacker sends a crafted HTTP POST request to the OfficeServer.php endpoint.
The POST request includes a multipart form with a file upload field.
The attacker sets an arbitrary filename for the uploaded file, typically with a .php extension.
The attacker disguises the content type of the uploaded file to bypass basic server-side checks.
The server saves the uploaded file (a PHP webshell) to the Document directory.
The attacker sends an HTTP GET request to the uploaded PHP webshell file.
The web server executes the PHP code within the uploaded file.
The attacker achieves remote code execution as the web server user, enabling further malicious activities.

Impact

Successful exploitation of CVE-2022-50993 allows an unauthenticated attacker to execute arbitrary code on the affected Weaver E-office server. This can lead to complete system compromise, data theft, modification of sensitive data, and disruption of services. The vulnerability has a CVSS v3.1 base score of 9.8, indicating its critical severity. While the number of victims and specific sectors targeted are not detailed, organizations using vulnerable versions of Weaver E-office are at high risk.

Recommendation

Upgrade Weaver E-office to version 10.0_20221201 or later to patch CVE-2022-50993.
Deploy the Sigma rule “Detect Weaver E-office Webshell Upload” to detect malicious PHP file uploads to the OfficeServer.php endpoint.
Monitor web server access logs for requests to the Document directory with .php extensions, indicative of webshell execution.
Implement web application firewall (WAF) rules to block suspicious POST requests to OfficeServer.php with arbitrary file upload attempts.