CWE-616
AllowedIncomplete Identification of Uploaded File Variables (PHP)
Abstraction: Variant · Status: Incomplete
The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.
9 vulnerabilities reference this CWE, most recent first.
CVE-2026-22789 (GCVE-0-2026-22789)
Vulnerability from cvelistv5 – Published: 2026-01-12 21:52 – Updated: 2026-01-13 19:41| URL | Tags |
|---|---|
| https://github.com/SMEWebify/WebErpMesv2/security… | x_refsource_CONFIRM |
| https://github.com/SMEWebify/WebErpMesv2/commit/c… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| SMEWebify | WebErpMesv2 |
Affected:
< 1.19
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22789",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T19:41:26.669967Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T19:41:31.721Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/SMEWebify/WebErpMesv2/security/advisories/GHSA-64rv-f829-x6m4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WebErpMesv2",
"vendor": "SMEWebify",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code Execution (RCE). This vulnerability is identical in nature to CVE-2025-52130 but exists in different code locations that were not addressed by the original fix. This vulnerability is fixed in 1.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-616",
"description": "CWE-616: Incomplete Identification of Uploaded File Variables (PHP)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-12T21:52:11.880Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SMEWebify/WebErpMesv2/security/advisories/GHSA-64rv-f829-x6m4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SMEWebify/WebErpMesv2/security/advisories/GHSA-64rv-f829-x6m4"
},
{
"name": "https://github.com/SMEWebify/WebErpMesv2/commit/c9e7f4a85aeb774a0ea4b61ad57a51b941166b69",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SMEWebify/WebErpMesv2/commit/c9e7f4a85aeb774a0ea4b61ad57a51b941166b69"
}
],
"source": {
"advisory": "GHSA-64rv-f829-x6m4",
"discovery": "UNKNOWN"
},
"title": "WebErpMesv2 has a File Upload Validation Bypass Leading to RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22789",
"datePublished": "2026-01-12T21:52:11.880Z",
"dateReserved": "2026-01-09T18:27:19.388Z",
"dateUpdated": "2026-01-13T19:41:31.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-52305 (GCVE-0-2024-52305)
Vulnerability from cvelistv5 – Published: 2024-11-13 15:20 – Updated: 2024-11-13 19:25| URL | Tags |
|---|---|
| https://github.com/unopim/unopim/security/advisor… | x_refsource_CONFIRM |
| https://github.com/unopim/unopim/commit/9a0da7a08… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:unopim:unopim:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "unopim",
"vendor": "unopim",
"versions": [
{
"lessThan": "0.1.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52305",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-13T19:23:52.354530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T19:25:30.116Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "unopim",
"vendor": "unopim",
"versions": [
{
"status": "affected",
"version": "\u003c 0.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. A vulnerability exists in the Create User process, allowing the creation of a new admin account with an option to upload a profile image. An attacker can upload a malicious SVG file containing an embedded script. When the profile image is accessed, the embedded script executes, leading to the potential theft of session cookies. This vulnerability is fixed in 0.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-616",
"description": "CWE-616: Incomplete Identification of Uploaded File Variables (PHP)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-692",
"description": "CWE-692: Incomplete Denylist to Cross-Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T18:38:42.229Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/unopim/unopim/security/advisories/GHSA-cgr4-c233-h733",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/unopim/unopim/security/advisories/GHSA-cgr4-c233-h733"
},
{
"name": "https://github.com/unopim/unopim/commit/9a0da7a0892c60f58df2351b5a9498dcb4cb8b7a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/unopim/unopim/commit/9a0da7a0892c60f58df2351b5a9498dcb4cb8b7a"
}
],
"source": {
"advisory": "GHSA-cgr4-c233-h733",
"discovery": "UNKNOWN"
},
"title": "UnoPim Stored XSS : Cookie hijacking through Create User function"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52305",
"datePublished": "2024-11-13T15:20:20.679Z",
"dateReserved": "2024-11-06T19:00:26.397Z",
"dateUpdated": "2024-11-13T19:25:30.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-945M-RW7V-2H8V
Vulnerability from github – Published: 2023-08-03 18:30 – Updated: 2024-07-16 18:31An arbitrary file upload vulnerability in the /languages/install.php component of WBCE CMS v1.6.1 allows attackers to execute arbitrary code via a crafted PHP file.
{
"affected": [],
"aliases": [
"CVE-2023-38947"
],
"database_specific": {
"cwe_ids": [
"CWE-434",
"CWE-616"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-03T16:15:12Z",
"severity": "HIGH"
},
"details": "An arbitrary file upload vulnerability in the /languages/install.php component of WBCE CMS v1.6.1 allows attackers to execute arbitrary code via a crafted PHP file.",
"id": "GHSA-945m-rw7v-2h8v",
"modified": "2024-07-16T18:31:41Z",
"published": "2023-08-03T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38947"
},
{
"type": "WEB",
"url": "https://gitee.com/CTF-hacker/pwn/issues/I7LH2N"
},
{
"type": "WEB",
"url": "https://github.com/capture0x/WBCE_CMS"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/176018/WBCE-CMS-1.6.1-Shell-Upload.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9WQC-Q367-Q634
Vulnerability from github – Published: 2024-04-26 21:31 – Updated: 2024-08-01 15:31An issue in Beijing Panabit Network Software Co., Ltd Panalog big data analysis platform v. 20240323 and before allows attackers to execute arbitrary code via the exportpdf.php component.
{
"affected": [],
"aliases": [
"CVE-2024-31601"
],
"database_specific": {
"cwe_ids": [
"CWE-616"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-26T21:15:49Z",
"severity": "CRITICAL"
},
"details": "An issue in Beijing Panabit Network Software Co., Ltd Panalog big data analysis platform v. 20240323 and before allows attackers to execute arbitrary code via the exportpdf.php component.",
"id": "GHSA-9wqc-q367-q634",
"modified": "2024-08-01T15:31:42Z",
"published": "2024-04-26T21:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31601"
},
{
"type": "WEB",
"url": "https://github.com/tianqing191/book.io"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CGR4-C233-H733
Vulnerability from github – Published: 2024-11-13 18:37 – Updated: 2024-11-13 18:37Summary
A vulnerability exists in the Create User process, allowing the creation of a new admin account with an option to upload a profile image. An attacker can upload a malicious SVG file containing an embedded script. When the profile image is accessed, the embedded script executes, leading to the potential theft of session cookies.
Details
- Login as admin
- Go to Create User
- Fill up everything in the registration form then upload SVG image as a profile picture
- In SVG image, add script tag to prepare for XSS attack
- Complete the Create User process
- Right click at the image to obtain image URL address
- XSS triggered
PoC
The below link is a private YouTube video for PoC. https://youtu.be/5j8owD0--1A
Impact
The stored XSS can lead to session hijacking and privilege escalation, effectively bypassing any CSRF protections in place.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "unopim/unopim"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52305"
],
"database_specific": {
"cwe_ids": [
"CWE-616",
"CWE-692",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-13T18:37:15Z",
"nvd_published_at": "2024-11-13T16:15:20Z",
"severity": "MODERATE"
},
"details": "### Summary\nA vulnerability exists in the Create User process, allowing the creation of a new admin account with an option to upload a profile image. An attacker can upload a malicious SVG file containing an embedded script. When the profile image is accessed, the embedded script executes, leading to the potential theft of session cookies.\n\n### Details\n1. Login as admin\n2. Go to Create User\n3. Fill up everything in the registration form then upload SVG image as a profile picture\n4. In SVG image, add script tag to prepare for XSS attack\n5. Complete the Create User process\n6. Right click at the image to obtain image URL address\n7. XSS triggered\n### PoC\nThe below link is a private YouTube video for PoC. \nhttps://youtu.be/5j8owD0--1A\n\n### Impact\nThe stored XSS can lead to session hijacking and privilege escalation, effectively bypassing any CSRF protections in place.\n",
"id": "GHSA-cgr4-c233-h733",
"modified": "2024-11-13T18:37:15Z",
"published": "2024-11-13T18:37:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/unopim/unopim/security/advisories/GHSA-cgr4-c233-h733"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52305"
},
{
"type": "WEB",
"url": "https://github.com/unopim/unopim/commit/9a0da7a0892c60f58df2351b5a9498dcb4cb8b7a"
},
{
"type": "PACKAGE",
"url": "https://github.com/unopim/unopim"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "UnoPim Stored XSS : Cookie hijacking through Create User function"
}
GHSA-JGGQ-GVFM-QX6F
Vulnerability from github – Published: 2025-09-25 21:30 – Updated: 2025-09-26 21:30Flock Safety Bravo Edge AI Compute Device BRAVO_00.00_local_20241017 accepts the default Thundercomm TurboX 6490 Firehose loader in EDL/QDL mode. This enables attackers with physical access to flash arbitrary firmware, dump partitions, and bypass bootloader and OS security controls.
{
"affected": [],
"aliases": [
"CVE-2025-59402"
],
"database_specific": {
"cwe_ids": [
"CWE-616"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-25T21:15:31Z",
"severity": "MODERATE"
},
"details": "Flock Safety Bravo Edge AI Compute Device BRAVO_00.00_local_20241017 accepts the default Thundercomm TurboX 6490 Firehose loader in EDL/QDL mode. This enables attackers with physical access to flash arbitrary firmware, dump partitions, and bypass bootloader and OS security controls.",
"id": "GHSA-jggq-gvfm-qx6f",
"modified": "2025-09-26T21:30:28Z",
"published": "2025-09-25T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59402"
},
{
"type": "WEB",
"url": "https://gainsec.com/2025/09/19/root-from-the-coop-device-3-root-shell-on-flock-safetys-bravo-compute-box"
},
{
"type": "WEB",
"url": "https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf"
},
{
"type": "WEB",
"url": "https://www.flocksafety.com/products"
},
{
"type": "WEB",
"url": "https://www.flocksafety.com/products/license-plate-readers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-JPMF-R2GF-85WF
Vulnerability from github – Published: 2025-08-26 00:31 – Updated: 2025-08-26 18:31File upload vulnerability in WebErpMesv2 1.17 in the app/Http/Controllers/FactoryController.php controller. This flaw allows an authenticated attacker to upload arbitrary files, including PHP scripts, which can be accessed via direct GET requests, potentially resulting in remote code execution (RCE) on the web server.
{
"affected": [],
"aliases": [
"CVE-2025-52130"
],
"database_specific": {
"cwe_ids": [
"CWE-616"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-25T20:15:40Z",
"severity": "MODERATE"
},
"details": "File upload vulnerability in WebErpMesv2 1.17 in the app/Http/Controllers/FactoryController.php controller. This flaw allows an authenticated attacker to upload arbitrary files, including PHP scripts, which can be accessed via direct GET requests, potentially resulting in remote code execution (RCE) on the web server.",
"id": "GHSA-jpmf-r2gf-85wf",
"modified": "2025-08-26T18:31:15Z",
"published": "2025-08-26T00:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52130"
},
{
"type": "WEB",
"url": "https://github.com/SMEWebify/WebErpMesv2"
},
{
"type": "WEB",
"url": "https://medium.com/@The_Hiker/wrong-variable-name-leads-to-rce-cve-2025-52130-8ff59a7d245c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JPVH-V7H3-V24C
Vulnerability from github – Published: 2026-01-15 15:31 – Updated: 2026-01-15 18:31File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).
{
"affected": [],
"aliases": [
"CVE-2025-67084"
],
"database_specific": {
"cwe_ids": [
"CWE-616"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-15T15:15:51Z",
"severity": "MODERATE"
},
"details": "File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).",
"id": "GHSA-jpvh-v7h3-v24c",
"modified": "2026-01-15T18:31:28Z",
"published": "2026-01-15T15:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67084"
},
{
"type": "WEB",
"url": "https://github.com/InvoicePlane/InvoicePlane"
},
{
"type": "WEB",
"url": "https://www.helx.io/blog/advisory-invoice-plane"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PPJV-38XC-PVPX
Vulnerability from github – Published: 2024-03-21 06:33 – Updated: 2024-08-05 21:31In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.
{
"affected": [],
"aliases": [
"CVE-2024-29858"
],
"database_specific": {
"cwe_ids": [
"CWE-616"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-21T04:15:09Z",
"severity": "CRITICAL"
},
"details": "In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.",
"id": "GHSA-ppjv-38xc-pvpx",
"modified": "2024-08-05T21:31:19Z",
"published": "2024-03-21T06:33:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29858"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/6a2986be6aad6b37858b4869e238f517b295c111"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Use PHP 4 or later.
Mitigation
If you must support older PHP versions, write your own version of is_uploaded_file() and run it against $HTTP_POST_FILES['userfile']))
Mitigation
For later PHP versions, reference uploaded files using the $HTTP_POST_FILES or $_FILES variables, and use is_uploaded_file() or move_uploaded_file() to ensure that you are dealing with an uploaded file.
No CAPEC attack patterns related to this CWE.