CVE-2025-28168 MEDIUM

Vendor: Multi Uploaders
Product: Multiple File Upload
Weakness: CWE-602 · Client-side enforcement
Published: May 5, 2025
Last update: August 26, 2025

CVSS base score

6.4/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems.
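
A server-side check of the kind whose absence the description identifies, shown as an added example; it is not code from the component or from OutSystems. The allow-list, the size limit and the `client_hints` argument are assumptions made for illustration.

```python
import os

# Server-side policy. Constructed values: the page does not list the component's limits.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg"}
MAX_BYTES = 5 * 1024 * 1024

# Leading bytes expected for each allowed extension.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}


def validate_upload(filename, content, client_hints=None):
    """Return (accepted, reason) for one uploaded file.

    client_hints stands for any request field that restates the limits
    (hypothetical name). It is deliberately never read: the policy above
    is the only source of truth, so editing the request changes nothing.
    """
    # Drop path components, including Windows-style separators.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or "\x00" in name:
        return False, "invalid file name"
    # Only the final extension counts, compared case-insensitively.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    # Size is measured on the received bytes, not taken from a declared value.
    if len(content) == 0 or len(content) > MAX_BYTES:
        return False, "size out of range"
    # The content must start with the signature of the claimed type.
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed sample bytes
    print(validate_upload("photo.PNG", png))
    print(validate_upload("page.aspx", png, client_hints={"allowed": ".aspx"}))
    print(validate_upload("photo.png", b"not an image"))
```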

Key dates

02 Disclosure timeline

May 5, 2025: CVE published
August 26, 2025: Record updated