Home

Description

ProjectSend r1605 contains a remote code execution vulnerability that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server.

PUBLISHED Reserved 2025-12-20 | Published 2025-12-22 | Updated 2025-12-22 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Unrestricted Upload of File with Dangerous Type

Product status

r1605
affected

Credits

Mirabbas Ağalarov finder

References

www.exploit-db.com/exploits/51238 exploit

www.exploit-db.com/exploits/51238 (ExploitDB-51238) exploit

www.projectsend.org/ (Official Product Homepage) product

www.vulncheck.com/...ecution-via-file-extension-manipulation (VulnCheck Advisory: ProjectSend r1605 Remote Code Execution via File Extension Manipulation) third-party-advisory

cve.org (CVE-2023-53980)

nvd.nist.gov (CVE-2023-53980)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.