The app accepts uploads without checking type/content, letting an attacker upload an executable payload.
Validate the file type, extension and content; store uploads outside the web root.
Allow-list content types, rename files, and never serve uploads from an executable path.
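The three mitigations above (allow-list the content type, check that the extension and the actual bytes agree with it, then rename and store under a non-executable, non-web-served path) fit in one upload handler. The following is an added example written for this page, not Stateward's own code or a detector it ships; the `ALLOWED_TYPES` table, the `store_upload` / `validate_upload` names and the minimal PNG and PE header bytes are constructed for illustration.

```python
import os
import secrets
import tempfile

# Constructed allow-list: each accepted content type maps to the extensions it may carry
# and the magic bytes a genuine file of that type begins with. Anything not listed is rejected.
ALLOWED_TYPES = {
    "image/png": {"extensions": {".png"}, "magic": [b"\x89PNG\r\n\x1a\n"]},
    "image/jpeg": {"extensions": {".jpg", ".jpeg"}, "magic": [b"\xff\xd8\xff"]},
    "application/pdf": {"extensions": {".pdf"}, "magic": [b"%PDF-"]},
}


class UploadRejected(ValueError):
    """Raised when an upload fails the type, extension or content check."""


def validate_upload(filename, declared_type, data):
    """Return the canonical extension if declared type, extension and content all agree."""
    if declared_type not in ALLOWED_TYPES:
        raise UploadRejected(f"content type not allowed: {declared_type!r}")
    spec = ALLOWED_TYPES[declared_type]

    # Only the final suffix counts, lower-cased: "shell.php.png" is judged as ".png" here
    # and must then also pass the magic-byte check below.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in spec["extensions"]:
        raise UploadRejected(f"extension {ext!r} not allowed for {declared_type}")

    # The declared type is client-controlled; the bytes are what will actually be served.
    if not any(data.startswith(magic) for magic in spec["magic"]):
        raise UploadRejected("file content does not match declared type")
    return ext


def store_upload(filename, declared_type, data, upload_dir):
    """Validate, then write under a random name. upload_dir must lie outside the web root."""
    ext = validate_upload(filename, declared_type, data)

    # The client-supplied name never reaches the filesystem; only the vetted extension survives.
    stored_name = secrets.token_hex(16) + ext
    path = os.path.join(upload_dir, stored_name)

    # O_EXCL refuses to overwrite an existing file; 0o600 leaves no execute bit set.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Run the handler against constructed inputs and report each outcome as a bool."""
    results = {}
    with tempfile.TemporaryDirectory() as upload_dir:
        # Constructed: a valid PNG signature followed by padding.
        png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
        path = store_upload("holiday.png", "image/png", png, upload_dir)
        results["renamed"] = os.path.basename(path) != "holiday.png" and os.path.isfile(path)
        results["no_exec_bit"] = (os.stat(path).st_mode & 0o111) == 0

        # Constructed: a PE header ("MZ") presented as a PNG fails the content check.
        try:
            store_upload("photo.png", "image/png", b"MZ" + b"\x00" * 16, upload_dir)
            results["rejects_mismatched_content"] = False
        except UploadRejected:
            results["rejects_mismatched_content"] = True

        # Extension not in the allow-list for the declared type.
        try:
            store_upload("photo.exe", "image/png", png, upload_dir)
            results["rejects_bad_extension"] = False
        except UploadRejected:
            results["rejects_bad_extension"] = True

        # Content type not in the allow-list at all.
        try:
            store_upload("tool.exe", "application/octet-stream", b"MZ", upload_dir)
            results["rejects_unlisted_type"] = False
        except UploadRejected:
            results["rejects_unlisted_type"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The allow-list is the decision point: a type that is not in `ALLOWED_TYPES` cannot be stored no matter what the client claims. Serve stored files through a download handler that looks them up by the random name and sets `Content-Disposition`, rather than exposing `upload_dir` through the web server.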
Stateward flags Unrestricted File Upload in your own code and dependencies on every pull request.
Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.