

Date: October 11, 2018


jQuery is a free and open source JavaScript library that is widely used to simplify a wide range of client-side scripting tasks such as HTML DOM tree manipulation, event handling, and more. Blueimp jQuery-File-Upload is a popular jQuery-based plugin that offers many features for uploading files easily on multiple server-side platforms. Affected versions of this plugin could allow a remote attacker to execute arbitrary code on the target system.


CVE-2018-9206 is an unauthenticated arbitrary file upload flaw in the Blueimp jQuery-File-Upload plugin. Because the plugin ships with no disallowed file types by default, a remote, unauthenticated threat actor can upload arbitrary files to the server. An attacker who exploits this flaw can upload and then execute a malicious file on the target server, for example malware, an executable, or a shell script. With such a payload in place, the attacker can remotely access the server and take full control of the victim's host, and from there carry out further attacks such as exfiltrating sensitive data or moving laterally to other hosts within the network. Ultimately, exploiting this vulnerability gives an attacker complete control of a vulnerable host.

Affected Environments

Blueimp jQuery-File-Upload plugin versions 9.22.0 and earlier


Configure your web server so that it does not execute files in the upload directory. For example, you can modify your Apache configuration to achieve this.
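As an added example (not from this advisory and not the plugin's own configuration), an Apache 2.4 `<Directory>` block for the upload directory that stops anything stored there from being executed; the directory path is an assumption, and the `Header` lines assume mod_headers is loaded.

```apache
# Added example, not the plugin's own configuration. Put this in the main
# server config (httpd.conf or a vhost file), not in a .htaccess file:
# Apache 2.4 defaults to "AllowOverride None", which silently ignores a
# .htaccess in the upload directory. The path below is an assumption.
<Directory "/var/www/html/server/php/files">
    # No CGI, no server-side includes, no directory listings in this tree
    Options -ExecCGI -Includes -Indexes
    # An uploaded .htaccess must never be able to re-enable anything
    AllowOverride None

    # Hand every file to the static default handler instead of mod_php,
    # php-fpm or CGI, and serve it as an opaque download.
    SetHandler default-handler
    ForceType application/octet-stream

    <IfModule mod_headers.c>
        Header set Content-Disposition attachment
        # Keep browsers from sniffing the octet-stream back into HTML/JS
        Header set X-Content-Type-Options nosniff
    </IfModule>

    # Genuine images may be displayed inline; everything else stays a download
    <FilesMatch "(?i)\.(gif|jpe?g|png)$">
        ForceType none
        <IfModule mod_headers.c>
            Header unset Content-Disposition
        </IfModule>
    </FilesMatch>

    # Second layer: Apache merges <Files>/<FilesMatch> sections after
    # <Directory> sections, so a server-wide <FilesMatch> that maps .php to
    # the PHP handler would override the SetHandler above. Refuse to serve
    # common script extensions from this tree at all.
    <FilesMatch "(?i)\.(ph(p[3-7]?|t|tml|ar)|cgi|pl|py|sh)$">
        Require all denied
    </FilesMatch>
</Directory>
```

Run `apachectl configtest` and reload, then verify by placing a harmless test script in the directory and requesting it: the response should be a 403 or an unexecuted download, never script output.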


Update to the latest version of the plugin.

Language: JS

Good to know:


Unrestricted Upload of File with Dangerous Type


Upgrade Version

Upgrade to version 9.22.1


CVSS v3 Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CVSS v2 Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial