CVE-2024-58313 HIGH

CVE-2024-58313: xbtitFM 4.1.18 Insecure File Upload in file_hosting Feature

Vendor Xbtitfm

Product xbtitFM

Weakness CWE-434 · Unrestricted file upload

Published December 11, 2025

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modifying the Content-Type header to image/gif, adding GIF89a magic bytes, and using alternate PHP tags to upload web shells that execute system commands.

Key dates

02Disclosure timeline

December 11, 2025 CVE published

April 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-58313 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/434.html

Related vulnerabilities

CVE-2024-58313: xbtitFM 4.1.18 Insecure File Upload in file_hosting Feature

01Description

02Disclosure timeline

03References

04Related CVE