{"id":"CVE-2018-3814","details":"Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the \"Assets-\u003eUpload files\" screen and then the \"Replace it\" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension.","aliases":["GHSA-r342-vjc4-wrmj"],"modified":"2026-04-10T04:10:30.361792Z","published":"2018-01-01T20:29:00.240Z","references":[{"type":"EVIDENCE","url":"https://github.com/Snowty/myCVE/blob/master/CraftCMS-2.6.3000/README.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/craftcms/cms","events":[{"introduced":"0"},{"last_affected":"2455619b91aa025ad40ca650c04d13669f736b9e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.6.3000"}]}}],"versions":["0.9.2063","0.9.2064","0.9.2065","0.9.2068","0.9.2071","0.9.2078","0.9.2079","0.9.2080","0.9.2081","0.9.2083","0.9.2090","0.9.2094","0.9.2100","0.9.2101","0.9.2102","0.9.2103","0.9.2106","0.9.2116","0.9.2117","0.9.2123","0.9.2124","0.9.2146","0.9.2151","0.9.2157","0.9.2167","0.9.2168","0.9.2177","0.9.2181","0.9.2184","0.9.2189","0.9.2193","0.9.2243","0.9.2246","1.0.0-alpha.2236","1.0.0-alpha.2237","1.0.0-alpha.2238","1.0.0-alpha.2241","1.0.0-alpha.2242","1.0.0-alpha.2244","1.0.0-alpha.2245","1.0.0-alpha.2247","1.0.0-alpha.2248","1.0.0-alpha.2249","1.0.2266","1.1.0-alpha.2283","1.1.0-alpha.2284","1.1.0-alpha.2285","1.1.0-alpha.2288","1.1.2291","1.2.0-alpha.2310","1.2.0-alpha.2312","1.2.0-alpha.2318","1.2.0-alpha.2319","1.2.0-alpha.2322","1.2.0-alpha.2328","1.2.0-alpha.2329","1.2.2333","1.2.2335","1.2.2336","1.2.2339","1.4.0-alpha.2488","1.4.0-alpha.2489","1.4.0-alpha.2490","1.4.0-alpha.2491","1.4.0-alpha.2492","1.4.0-alpha.2493","1.4.0-alpha.2497","1.4.0-alpha.2498","1.4.0-alpha.2499","1.4.0-alpha.2500","1.4.0-alpha.2502","1.4.0-alpha.2503","1.4.0-alpha.2505","1.4.0-alpha.2509","2.0.2524","2.0.2525","2.0.2527","2.0.2532","2.0.2533","2.0.2535","2.0.2536","2.0.2537","2.0.2538","2.0.2539","2.1.0-alpha.2546","2.1.0-alpha.2547","2.1.0-alpha.2552","2.1.2554","2.1.2555","2.1.2556","2.1.2557","2.2.0-alpha.2578","2.2.2579","2.2.2581","2.3.0-alpha.2600","2.3.0-alpha.2602","2.3.0-alpha.2603","2.3.0-alpha.2605","2.3.0-alpha.2606","2.3.0-alpha.2608","2.3.0-alpha.2610","2.3.0-alpha.2612","2.3.2615","2.3.2616","2.3.2617","2.3.2618","2.3.2620","2.3.2621","2.3.2623","2.3.2624","2.3.2625","2.3.2626","2.3.2627","2.5.0-beta.2717","2.5.0-beta.2720","2.5.0-beta.2722","2.5.0-beta.2724","2.5.0-beta.2727","2.5.2750","2.5.2752","2.5.2753","2.5.2755","2.5.2757","2.5.2759","2.5.2760","2.5.2761","2.6.2771","2.6.2773","2.6.2774","2.6.2776","2.6.2778","2.6.2779","2.6.2780","2.6.2781","2.6.2783","2.6.2784","2.6.2785","2.6.2788","2.6.2789","2.6.2791","2.6.2793","2.6.2794","2.6.2795","2.6.2796","2.6.2797","2.6.2798","2.6.2804","2.6.2903","2.6.2911","2.6.2916","2.6.2922","2.6.2923","2.6.2929","2.6.2930","2.6.2931","2.6.2940","2.6.2944","2.6.2945","2.6.2949","2.6.2950","2.6.2951","2.6.2952","2.6.2953","2.6.2979","2.6.2980","2.6.2981","2.6.2982","2.6.2983","2.6.2984","2.6.2985","2.6.2986","2.6.2987","2.6.2988","2.6.2989","2.6.2990","2.6.2991","2.6.2992","2.6.2993","2.6.2994","2.6.2995","2.6.2996","2.6.2997","2.6.2998","2.6.2999","2.6.3000"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-3814.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}