ProjectSend Remote Code Execution Vulnerability via File Extension Manipulation

Vulnerability

A remote code execution vulnerability has been identified in ProjectSend version r1605. The upload.process.php endpoint does not adequately validate the names of uploaded files, so an attacker can disguise a shell script behind a misleading file extension, have it accepted by the upload handler, and then execute arbitrary commands on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where ProjectSend is installed.

Reproduction

To reproduce this vulnerability, submit a file to the upload.process.php endpoint whose name has been crafted to carry a shell payload (for example a reverse shell command) while presenting a JPEG extension, so that the handler treats it as an image. Once the upload is accepted, the server executes the embedded command, resulting in remote code execution; confirm it by observing the command's effect, such as a connection back to a listener under your control.
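The check a practitioner would want against this class of bug is a validator that refuses renaming tricks rather than trusting the last extension. The following is an added example written for this page; it is not ProjectSend's upload.process.php nor a fix shipped by the project. The allow-list, the executable-extension list, the sample filenames and the sample contents are assumptions, and the server-side interpreter mapping must be taken from the real host configuration.

```python
"""Added example: reject extension manipulation on file upload.

Illustrative code for this page, not ProjectSend's upload.process.php and
not a fix from the project.  ALLOWED_EXTENSIONS, EXECUTABLE_EXTENSIONS and
the sample inputs in the tests are assumptions.
"""
import secrets

# Extensions a file-sharing endpoint might legitimately accept (assumption).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Extensions a typical Apache/PHP host hands to the interpreter (assumption;
# take the real list from the server's handler configuration).
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "sh", "cgi",
}

# Leading magic bytes for the binary types in the allow-list.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF",
}


def normalize_name(name: str) -> str:
    """Remove tricks that make a name look different to the check than to the
    filesystem or web server: an embedded NUL (the C layer stops there), a
    directory component, and trailing dots or spaces (stripped by some hosts)."""
    name = name.split("\x00", 1)[0]                    # "shell.php\x00.jpg" -> "shell.php"
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # "../shell.php" -> "shell.php"
    return name.rstrip(". ")                            # "shell.php." -> "shell.php"


def extension_parts(name: str) -> list[str]:
    """Every dot-separated suffix, lower-cased: 'a.PHP.jpg' -> ['php', 'jpg']."""
    return [p.lower() for p in name.split(".")[1:]]


def classify_upload(name: str, content: bytes) -> str:
    """Return 'ok' or the reason the upload must be rejected."""
    parts = extension_parts(normalize_name(name))
    if not parts:
        return "rejected: no extension"
    # Any executable extension anywhere in the name is refused, which covers
    # the double-extension disguise ("shell.php.jpg") used in this bug class.
    if any(p in EXECUTABLE_EXTENSIONS for p in parts):
        return "rejected: executable extension in name"
    last = parts[-1]
    if last not in ALLOWED_EXTENSIONS:
        return "rejected: extension not in allow-list"
    # The claimed type must match the bytes: a PHP script named .jpg fails here.
    magic = MAGIC.get(last)
    if magic is not None and not content.startswith(magic):
        return "rejected: content does not match extension"
    # Coarse polyglot heuristic: a real image carrying a PHP open tag is a
    # common way to smuggle code past a magic-bytes check alone.
    if b"<?php" in content or b"<?=" in content:
        return "rejected: PHP tag in content"
    return "ok"


def stored_name(name: str) -> str:
    """Never persist the user-supplied name: store under a random name with
    only the validated extension, so no naming trick reaches the web root.
    Call only after classify_upload() returned 'ok'."""
    last = extension_parts(normalize_name(name))[-1]
    return f"{secrets.token_hex(16)}.{last}"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from any real system.
    for fname, data in [
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("photo.jpg", b"<?php system($_GET['c']); ?>"),
    ]:
        print(fname, "->", classify_upload(fname, data))
```

Checking the stored file against its magic bytes is necessary but not sufficient: the name check and the random stored name are what stop a disguised script from ever being reachable under an interpreter-mapped extension.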

Added: Dec 22, 2025, 10:38 PM
Updated: Dec 22, 2025, 10:38 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 10.0
exploitability: 6.8
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.