Files & Media
Path traversal, file upload validation, SVG JavaScript injection, EXIF data leaks, PDF generation attacks, Zip Slip, and MIME type mismatches.
7 vulnerabilities
Path Traversal
Severity: high. File paths constructed with unvalidated user input allow attackers to read or write arbitrary files on the server using ../ sequences.
File Upload No Validation
Severity: high. Accepting file uploads without verifying type, size, or content allows attackers to upload malicious executables, web shells, or oversized files that crash the server.
SVG with JavaScript
Severity: medium. Accepting SVG uploads without sanitization allows attackers to embed JavaScript in SVG files, enabling XSS attacks when the SVG is rendered in a browser.
EXIF Not Stripped
Severity: low. Images served without stripping EXIF metadata can leak GPS coordinates, device information, timestamps, and other sensitive data about the person who took the photo.
PDF Generation Injection
Severity: medium. Injecting HTML or JavaScript into PDF generation templates allows attackers to read server-side files, make internal network requests, or execute scripts in the PDF viewer.
Zip Slip
Severity: high. Extracting ZIP archives without validating file paths allows attackers to craft archives that write files outside the target directory, overwriting critical application files.
MIME Type Mismatch
Severity: medium. Validating file type only by extension instead of content allows attackers to upload malicious files with renamed extensions, bypassing security controls.