{"id":"CVE-2016-11020","details":"Kunena before 5.0.4 does not restrict avatar file extensions to gif, jpeg, jpg, and png. This can lead to XSS and remote code execution.","modified":"2026-04-10T03:52:06.622685Z","published":"2020-02-25T19:15:10.817Z","references":[{"type":"ADVISORY","url":"https://www.kunena.org/blog/179-kunena-5-0-4-released"},{"type":"ADVISORY","url":"https://www.kunena.org/bugs/changelog"},{"type":"FIX","url":"https://github.com/Kunena/Kunena-Forum/pull/5028"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kunena/kunena-forum","events":[{"introduced":"0"},{"fixed":"7f7696ce53b7a57c7affa5cf4190e07c5f105383"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.0.4"}]}}],"versions":["2.0.0","2.0.1","2.0.2","4.0.0","4.0.0-Beta1","4.0.0-Beta2","4.0.0-Beta3","4.0.0-RC1","5.0.0","5.0.0-Beta1","5.0.0-Beta2","5.0.0-Beta3","5.0.0-Beta4","5.0.0-Beta5","5.0.0-RC1","5.0.0-RC2","5.0.0-RC3","5.0.0-RC4","5.0.0-RC5","5.0.1","5.0.2","5.0.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-11020.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}