Top Upload reports from HackerOne:
- Remote Code Execution on www.semrush.com/my_reports on Logo upload to Semrush - 799 upvotes, $0
- Webshell via File Upload on ecjobs.starbucks.com.cn to Starbucks - 675 upvotes, $0
- Blind XSS on image upload to CS Money - 420 upvotes, $1000
- Unrestricted file upload on [ambassador.mail.ru] to Mail.ru - 404 upvotes, $3000
- [ RCE ] Through stopping the redirect in /admin/* the attacker is able to bypass Authentication And Upload Malicious File to Mail.ru - 340 upvotes, $0
- Unrestricted file upload leads to Stored XSS to Visma Public - 268 upvotes, $250
- SSRF leaking internal google cloud data through upload function [SSH Keys, etc..] to Vimeo - 252 upvotes, $0
- Arbitrary File Upload to Stored XSS to Visma Public - 245 upvotes, $250
- Unrestricted File Upload Leads to RCE on mobile.starbucks.com.sg to Starbucks - 227 upvotes, $0
- Admin Management - Login Using Default Password - Leads to Image Upload Backdoor/Shell to Razer - 199 upvotes, $200
- External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing to TikTok - 144 upvotes, $2727
- Unrestricted file upload in www.semrush.com > /my_reports/api/v1/upload/image to Semrush - 124 upvotes, $0
- User can upload files even after closing his account to Basecamp - 113 upvotes, $0
- XXE Injection through SVG image upload leads to SSRF to Zivver - 112 upvotes, $0
- Insecure file upload in xiaoai.mi.com Lead to Stored XSS to Xiaomi - 109 upvotes, $0
- Unrestricted File Upload on https://partner.tiktokshop.com/wsos_v2/oec_partner/upload to TikTok - 104 upvotes, $0
- [insideok.ru] Remote Command Execution via file upload. to ok.ru - 94 upvotes, $0
- Avatar upload allows arbitrary file overwriting to Mail.ru - 88 upvotes, $750
- Unrestricted file upload leads to Stored XSS to GitLab - 84 upvotes, $0
- Unauthenticated user can upload an attachment to the last updated report draft to HackerOne - 81 upvotes, $0
- XSS from arbitrary attachment upload. to Qulture.Rocks - 74 upvotes, $0
- Open s3 bucket allows for public upload to Augur - 73 upvotes, $100
- Unrestricted File Upload at ██████████ to Mars - 70 upvotes, $0
- SSRF and local file disclosure by video upload on https://www.redtube.com/upload to Pornhub - 61 upvotes, $500
- Cross site scripting via file upload in subdomain ads.tiktok.com to TikTok - 61 upvotes, $500
- Singapore - Unrestricted File Upload Leads to XSS on campaign.starbucks.com.sg/api/upload to Starbucks - 58 upvotes, $0
- Unrestricted file upload when creating quotes allows for Stored XSS to Visma Public - 57 upvotes, $250
- Stored XSS on upload files leads to steal cookie to Palo Alto Software - 56 upvotes, $0
- Unrestricted File Upload Results in Cross-Site Scripting Attacks to Uber - 54 upvotes, $0
- insecure storage of information, you can view any file uploaded to the server without authentication and only with a single link to Radancy - 54 upvotes, $0
- After the upload of an private file, using transformations, the file becomes public without the possibility of changing it. to Mozilla - 54 upvotes, $0
- SSRF and local file disclosure by video upload on https://www.tube8.com/ to Pornhub - 53 upvotes, $500
- [Kafka Connect] [JdbcSinkConnector][HttpSinkConnector] RCE by leveraging file upload via SQLite JDBC driver and SSRF to internal Jolokia to Aiven Ltd - 50 upvotes, $5000
- SSRF in VCARD photo upload functionality to Open-Xchange - 49 upvotes, $850
- IDOR in upload videos of a Channel on https://video.ibm.com to IBM - 46 upvotes, $0
- China - ecjobsdc.starbucks.com.cn html/shtml file upload vulnerability to Starbucks - 45 upvotes, $0
- XSS Stored via Upload avatar PNG [HTML] File in accounts.shopify.com to Shopify - 44 upvotes, $0
- forum.getmonero.org Shell upload to Monero - 40 upvotes, $0
- Shell upload in http://widget.support.my.com/ to Mail.ru - 36 upvotes, $1000
- SSRF and local file disclosure by video upload on http://www.youporn.com/ to Pornhub - 35 upvotes, $500
- Upload profile photo from URL to HackerOne - 32 upvotes, $0
- Unrestricted File Upload Blind Stored Xss in subdomain ads.tiktok.com to TikTok - 31 upvotes, $250
- Upload Profile Photo in any folder you want with any extension you want to Stripo Inc - 31 upvotes, $0
- RCE in profile picture upload to HackerOne - 30 upvotes, $0
- Unrestricted File Upload to U.S. Dept Of Defense - 30 upvotes, $0
- Unrestricted File Upload on reddit.secure.force.com to Reddit - 27 upvotes, $100
- SSRF in upload IMG through URL to Discourse - 27 upvotes, $64
- No validation to Image upload user can upload ( php APK zip files and can be used as storage purpose) to Linktree - 27 upvotes, $0
- SVG file that HTML Included is able to upload via File Manager to Concrete CMS - 26 upvotes, $0
- Shell upload in partner service to Mail.ru - 25 upvotes, $500
- RCE via File Upload with a Null Byte Truncated File Extension at https://██████/ to U.S. Dept Of Defense - 24 upvotes, $0
- Wordpress 4.7.2 - Two XSS in Media Upload when file too large. to WordPress - 23 upvotes, $0
- XSS via unicode characters in upload filename to WordPress - 23 upvotes, $0
- File Upload XSS in image uploading of App in mopub to X (Formerly Twitter) - 22 upvotes, $560
- Malicious file upload (secure.lahitapiola.fi) to LocalTapiola - 22 upvotes, $0
- XXE in upload file feature to Informatica - 21 upvotes, $0
- Unrestricted File Upload on https://auth.ratelimited.me to RATELIMITED - 21 upvotes, $0
- SSRF & unrestricted file upload on https://my.stripo.email/ to Stripo Inc - 21 upvotes, $0
- Arbitrary file Upload on AirMax to Ubiquiti Inc. - 20 upvotes, $0
- XSS through image upload of contacts using svg file with png extension to Nextcloud - 20 upvotes, $0
- Suspended users can bypass UGC upload ban to Valve - 19 upvotes, $500
- XSS through image upload of contacts using svg file to Nextcloud - 19 upvotes, $100
- Server side request forgery on image upload for lists to Instacart - 19 upvotes, $50
- Unrestricted File Upload in Chat Window to Qulture.Rocks - 19 upvotes, $0
- Reporters can upload design to issues using the "Move to" feature to GitLab - 18 upvotes, $600
- Unrestricted Upload of File with Dangerous Type to Enjin - 17 upvotes, $0
- (Pornhub & Youporn & Brazzers ANDROID APP) : Upload Malicious APK / Overwrite Existing APK / Android BackOffice Access to Pornhub - 16 upvotes, $1500
- Unrestricted file upload on the image of contacts to Nextcloud - 16 upvotes, $100
- Buddypress 2.9.1 - Exceeding the maximum upload size - XSS leading to potential RCE. to WordPress - 14 upvotes, $0
- [█████] Bug Reports allow for Unrestricted File Upload to U.S. Dept Of Defense - 14 upvotes, $0
- SVG parser loads external resources on image upload to Shopify - 13 upvotes, $0
- Unrestricted File Upload To Xss Stored [ https://ideas.browser.mail.ru/ ] to Mail.ru - 13 upvotes, $0
- Unrestricted File Upload in Chat Window to OWOX, Inc. - 13 upvotes, $0
- store xss in calendar via upload filename to Open-Xchange - 12 upvotes, $250
- (Critical) Remote Code Execution Through Old TinyMCE upload bypass to 8x8 - 12 upvotes, $0
- Unrestricted File Upload Leads to XSS & Potential RCE to U.S. Dept Of Defense - 12 upvotes, $0
- Vulnerability in GoldSource Engine allows to upload and run an arbitrary DLL on client to Valve - 11 upvotes, $1000
- DOS: out of memory from gif through upload api to Mattermost - 11 upvotes, $150
- Unrestricted file upload (RCE) to Node.js third-party modules - 11 upvotes, $0
- Post Based XSS On Upload Via CK Editor [semrush.com] to Semrush - 11 upvotes, $0
- Unrestricted File Upload on https://app.lemlist.com to lemlist - 11 upvotes, $0
- UniFi Video Server - Arbitrary file upload as SYSTEM to Ubiquiti Inc. - 10 upvotes, $0
- Open redirect open.rocket.chat/file-upload/ID/filename.svg to Rocket.Chat - 10 upvotes, $0
- SVG file upload leads to XML injection to Topcoder - 10 upvotes, $0
- [chaturbate.com] - CSRF Vulnerability on image upload to Chaturbate - 9 upvotes, $300
- A malicious user can upload a malicious script through managesieve and trigger its execution in order to consume almost 100% of CPU (LMTP). to Open-Xchange - 9 upvotes, $300
- File upload vulnerability on a DoD website to U.S. Dept Of Defense - 9 upvotes, $0
- Unrestricted File Upload Leading to Remote Code Execution to Central Security Project - 9 upvotes, $0
- Unrestricted File Upload to ███████SubmitRequest/Index.cfm?fwa=wizardform to U.S. Dept Of Defense - 9 upvotes, $0
- Possible to Upload Local Arbitrary Private File to the Cloud against User's Will to Mail.ru - 8 upvotes, $150
- From Unrestricted File Upload to Remote Command Execution to Yahoo! - 7 upvotes, $0
- Stored XSS thru SVG upload to Moneybird - 7 upvotes, $0
- Unrestricted File Upload to U.S. Dept Of Defense - 7 upvotes, $0
- Blind SSRF via image upload URL downloader on https://██████/ to U.S. Dept Of Defense - 7 upvotes, $0
- Upload and delete files in debug page without access control. to U.S. Dept Of Defense - 7 upvotes, $0
- Remote file Inclusion - RFI in upload to Slack - 6 upvotes, $0
- apps.owncloud.com: Malicious file upload leads to remote code execution to ownCloud - 6 upvotes, $0
- Unrestricted file upload - cloudacademy.informatica.com to Informatica - 6 upvotes, $0
- Arbitrary file upload when setting an avatar to ExpressionEngine - 6 upvotes, $0
- Remote code execution due to unvalidated file upload to MTN Group - 6 upvotes, $0
- CodeQL query to detect weak (duplicated) encryption keys for ASP.NET Telerik Upload to GitHub Security Lab - 5 upvotes, $500
- File upload over private IM channel to Slack - 5 upvotes, $0
- HTML injection and limited XSS via logo image upload - Nextcloud 12.0.0 to Nextcloud - 5 upvotes, $0
- Upload directory of Mtn.ci to MTN Group - 5 upvotes, $0
- Unrestricted File Upload on https://my.stripo.email and https://stripo.email to Stripo Inc - 5 upvotes, $0
- File Upload Restriction Bypass to U.S. Dept Of Defense - 5 upvotes, $0
- [z.tochka.com] Unlimited file uploads lead to malware execution to QIWI - 5 upvotes, $0
- Arbitrary file upload and stored XSS via ███ support request to U.S. Dept Of Defense - 5 upvotes, $0
- Unrestricted file upload vulnerability in IMCE to Acronis - 5 upvotes, $0
- Image Upload Path Disclosure to Instacart - 4 upvotes, $100
- Arbitrary file uploads to Amazon WS. to HackerOne - 4 upvotes, $0
- Missing "size check" on files to upload could cause memory leaks. to Uzbey - 4 upvotes, $0
- Avatar image upload and bypass real image verification to Nextcloud - 4 upvotes, $0
- potential RCE and XSS via file upload requiring user account and default settings to Nextcloud - 4 upvotes, $0
- idor on upload profile functionality to U.S. Dept Of Defense - 4 upvotes, $0
- ActiveStorage direct upload fails to sign content-length header for S3 service to Ruby on Rails - 4 upvotes, $0
- Unrestricted file upload leads to stored xss on https://████████/ to U.S. Dept Of Defense - 4 upvotes, $0
- Full path disclosure vulnerability via Upload .htaccess file to Nextcloud - 4 upvotes, $0
- Flash Cross Domain Policy Bypass by Using File Upload and Redirection - only in Chrome to Internet Bug Bounty - 3 upvotes, $0
- Can upload files without authentication on AirFibre 3.2 to Ubiquiti Inc. - 3 upvotes, $0
- Upload directory of Mtn.co.sz has listing enabled to MTN Group - 3 upvotes, $0
- Able to upload backgrounds before entering 2FA to CS Money - 3 upvotes, $0
- NoSQL-Injection discloses S3 File Upload URLs to Rocket.Chat - 3 upvotes, $0
- e.mail.ru: File upload "Chapito" circus to Mail.ru - 2 upvotes, $1000
- Malicious File Upload to Moneybird - 2 upvotes, $0
- Arbitrary File Upload in Logo & Log in image Theming setting. to Nextcloud - 2 upvotes, $0
- S3 bucket Upload on studio.redditinc.com (s3-r-w.ap-east-1.amazonaws.com) to Reddit - 2 upvotes, $0
- Reflected XSS via File Upload to Reddit - 2 upvotes, $0
- File upload XSS (Java applet) on http://slackatwork.com/ to Slack - 1 upvote, $200
- cloud.mail.ru: File upload XSS using Content-Type header to Mail.ru - 1 upvote, $150
- ftp upload of video allows naming that is not sanitized as the manual naming to Vimeo - 1 upvote, $0
- Remote File Upload Vulnerability in business-blog.zomato.com to Zomato - 1 upvote, $0
- Uploading Plain Text to uber-documents.s3.amazonaws.com Through the Driver Document Upload Page to Uber - 1 upvote, $0
- UNRESTRICTED FILE UPLOAD AT chat.makerdao.com to BlockDev Sp. Z o.o - 1 upvote, $0
- Parallel upload hangs curl if upload file not found to curl - 1 upvote, $0
- Null Pointer Dereference in PHP Session Upload Progress to Internet Bug Bounty - 1 upvote, $0
- Unknown file upload in profile photo to Dropbox Acquisitions - 0 upvotes, $0