{"id":"CVE-2018-16388","details":"e107_web/js/plupload/upload.php in e107 2.1.8 allows remote attackers to execute arbitrary PHP code by uploading a .php filename with the image/jpeg content type.","modified":"2026-07-08T17:18:08.010566Z","published":"2018-09-12T16:29:02.317Z","references":[{"type":"FIX","url":"https://github.com/e107inc/e107/commit/e5bb5297f68e56537c004cdbb48a30892e9f6f4c"},{"type":"EVIDENCE","url":"https://gist.github.com/ommadawn46/5cb22e7c66cc32a5c7734a8064b4d3f5"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/e107inc/e107","events":[{"introduced":"4264dc6f66b006e588f8882b44fa466bf07b7d47"},{"last_affected":"4264dc6f66b006e588f8882b44fa466bf07b7d47"},{"fixed":"e5bb5297f68e56537c004cdbb48a30892e9f6f4c"}],"database_specific":{"source":["CPE_STRING","REFERENCES"],"extracted_events":[{"introduced":"2.1.8"},{"last_affected":"2.1.8"}],"cpe":"cpe:2.3:a:e107:e107:2.1.8:*:*:*:*:*:*:*"}}],"versions":["2.1.8","v2.1.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-16388.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}