CVE-2023-6551

CVE-2023-6551: Stored XSS in class.upload.php

Vendor Class.upload.php
Product class.upload.php
Weakness CWE-434 · Unrestricted file upload
Published January 4, 2024
Last update June 3, 2025

CVSS base score

What the vulnerability does

01Description

As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used. Developers must be aware of that fact and use extension whitelisting accompanied by forcing the server to always provide content-type based on the file extension. The README has been updated to include these guidelines.

Key dates

02Disclosure timeline

January 4, 2024 CVE published
June 3, 2025 Record updated