{"id":"CVE-2018-11736","details":"An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jpeg content type for a .htaccess file.","modified":"2026-04-10T04:05:34.479606Z","published":"2018-06-05T06:29:00.343Z","references":[{"type":"ADVISORY","url":"https://github.com/pluck-cms/pluck/releases/tag/4.7.7-dev2"},{"type":"EVIDENCE","url":"https://github.com/pluck-cms/pluck/issues/61"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pluck-cms/pluck","events":[{"introduced":"0"},{"last_affected":"c2fc54e0e948277361b488e60035bdf92b1e0fb6"},{"introduced":"0"},{"last_affected":"0e45e991bf41beffe0bbfe6ef1e29cf69f669723"},{"fixed":"673d605b917db70a1134eb60385f4581e8ee3e0f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.7.7"},{"introduced":"0"},{"last_affected":"4.7.7-dev1"}]}}],"versions":["4.7","4.7.2","4.7.3","4.7.5","4.7.5-noversion","4.7.6","4.7.7","4.7.7-dev1","4.7.7-dev2","4.74","4.74-dev5","4.743","v4.7.4","v4.744"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-11736.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}