VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-f2m6-xbp8-6ya2

Essentials
Severities (20)
References (17)
Severity details (19)
Exploits (2)
EPSS
History (1)

Vulnerability ID	VCID-f2m6-xbp8-6ya2
Aliases	CVE-2018-9206 GHSA-4cj8-g9cp-v5wr
Summary	Unrestricted Upload of File with Dangerous Type Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload.
Status	Published
Exploitability	2.0
Weighted Severity	9.0
Risk	10.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-434	Unrestricted Upload of File with Dangerous Type
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.93778	https://api.first.org/data/v1/epss?cve=CVE-2018-9206
cvssv3.1	9.8	https://github.com/advisories/GHSA-4cj8-g9cp-v5wr
cvssv3.1_qr	CRITICAL	https://github.com/advisories/GHSA-4cj8-g9cp-v5wr
generic_textual	CRITICAL	https://github.com/advisories/GHSA-4cj8-g9cp-v5wr
cvssv3.1	9.8	https://nvd.nist.gov/vuln/detail/CVE-2018-9206
generic_textual	CRITICAL	https://nvd.nist.gov/vuln/detail/CVE-2018-9206
cvssv3.1	9.8	https://wpvulndb.com/vulnerabilities/9136
generic_textual	CRITICAL	https://wpvulndb.com/vulnerabilities/9136
cvssv3.1	9.8	https://www.exploit-db.com/exploits/45790
generic_textual	CRITICAL	https://www.exploit-db.com/exploits/45790
cvssv3.1	9.8	https://www.exploit-db.com/exploits/46182
generic_textual	CRITICAL	https://www.exploit-db.com/exploits/46182
cvssv3.1	9.8	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
generic_textual	CRITICAL	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
cvssv3.1	9.8	http://www.securityfocus.com/bid/105679
generic_textual	CRITICAL	http://www.securityfocus.com/bid/105679
cvssv3.1	9.8	http://www.securityfocus.com/bid/106629
generic_textual	CRITICAL	http://www.securityfocus.com/bid/106629
cvssv3.1	9.8	http://www.vapidlabs.com/advisory.php?v=204
generic_textual	CRITICAL	http://www.vapidlabs.com/advisory.php?v=204

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2018-9206
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9206
		https://wpvulndb.com/vulnerabilities/9136
		https://www.exploit-db.com/exploits/45790
		https://www.exploit-db.com/exploits/45790/
		https://www.exploit-db.com/exploits/46182
		https://www.exploit-db.com/exploits/46182/
		https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
		http://www.securityfocus.com/bid/105679
		http://www.securityfocus.com/bid/106629
CVE-2018-9206	Exploit	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/remote/45790.rb
CVE-2018-9206	Exploit	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/45584.txt
CVE-2018-9206	Exploit	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46182.py
CVE-2018-9206		https://nvd.nist.gov/vuln/detail/CVE-2018-9206
CVE-2018-9206	Exploit	https://raw.githubusercontent.com/rapid7/metasploit-framework/a32d8083f023c1445f411b74b8f85de5754cd3a0/modules/exploits/unix/webapp/jquery_file_upload.rb
CVE-2018-9206	Exploit	http://www.vapidlabs.com/advisory.php?v=204
GHSA-4cj8-g9cp-v5wr		https://github.com/advisories/GHSA-4cj8-g9cp-v5wr

Data source	Exploit-DB
Date added	Oct. 11, 2018
Description	jQuery-File-Upload 9.22.0 - Arbitrary File Upload
Ransomware campaign use	Known
Source publication date	Oct. 11, 2018
Exploit type	webapps
Platform	php
Source update date	Nov. 6, 2018

Data source	Metasploit
Description	This module exploits an arbitrary file upload in the sample PHP upload handler for blueimp's jQuery File Upload widget in versions <= 9.22.0. Due to a default configuration in Apache 2.3.9+, the widget's .htaccess file may be disabled, enabling exploitation of this vulnerability. This vulnerability has been exploited in the wild since at least 2015 and was publicly disclosed to the vendor in 2018. It has been present since the .htaccess change in Apache 2.3.9. This module provides a generic exploit against the jQuery widget.
Note	Reliability: - unknown-reliability Stability: - unknown-stability SideEffects: - unknown-side-effects
Ransomware campaign use	Unknown
Source publication date	Oct. 9, 2018
Platform	Linux,PHP
Source URL	https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/unix/webapp/jquery_file_upload.rb

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/advisories/GHSA-4cj8-g9cp-v5wr

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2018-9206

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://wpvulndb.com/vulnerabilities/9136

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/45790

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/46182

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.securityfocus.com/bid/105679

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.securityfocus.com/bid/106629

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.vapidlabs.com/advisory.php?v=204

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.99864
EPSS Score	0.93778
Published At	June 5, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:38:18.180383+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/blueimp/jquery-file-upload/CVE-2018-9206.yml	38.6.0