Submeter #765591: SourceCodester Modern Image Gallery App v1.0 Path Traversalinformação

TítuloSourceCodester Modern Image Gallery App v1.0 Path Traversal
DescriçãoPath traversal (CWE-22) in SourceCodester Modern Image Gallery App v1.0 delete.php allows unauthenticated attackers to delete arbitrary files. The filename POST param is used directly: 'images/' . $_POST['filename'] . unlink() without validation. PoC: curl -X POST http://localhost/delete.php -d "id=1" -d "filename=../config.php" deletes config.php ( HTTP 500) , full DoS. CVSS: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H). Details in linked Gist.
Fonte⚠️ https://gist.github.com/hackusman/e618b915514ed24b9333c72152bb7218
Utilizador
 hackus_man (UID 95738)
Submissão22/02/2026 17h05 (há 2 meses)
Moderação07/03/2026 09h37 (13 days later)
EstadoAceite
Entrada VulDB349641 [SourceCodester Modern Image Gallery App 1.0 /delete.php filename Travessia de Diretório]
Pontos20

VoltarVisão GeralPróximo

Do you want to use VulDB in your project?

Use the official API to access entries easily!