{"id":"CVE-2021-40887","details":"ProjectSend version r1295 is affected by a directory traversal vulnerability. Because input to the files[] parameter is not sanitized, an attacker can add ../ to move all PHP files, or any file on the system that has permissions, to the /upload/files/ folder.","modified":"2026-04-12T02:00:22.488041Z","published":"2021-10-11T11:15:09.633Z","references":[{"type":"EVIDENCE","url":"https://github.com/projectsend/projectsend/issues/994"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/projectsend/projectsend","events":[{"introduced":"0"},{"last_affected":"1ec836a08d8c71d1347cc08552ee7b3bd218f21f"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"r1295"}],"cpe":"cpe:2.3:a:projectsend:projectsend:r1295:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["r1053","r1070","r1270","r1295","r559","r753","r754","r756"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-40887.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}