Vulnerability: Arbitrary file upload in IsFusion ≤ 6.1

Bug Details

Bug_Author: R1ckyZ
Affected Version: IsFusion ≤ 6.1
Vendor: IsFusion GitHub Repository
Software: IsFusion

Vulnerability Summary

Vulnerability Files: -

Description

Accessing the API invokes the method in . This method accepts an unvalidated parameter, which is directly appended to . Additionally, there are no restrictions on the uploaded filename. When combined with directory traversal, this allows an attacker to upload JSP files to a web-accessible directory, leading to client-side file upload-based remote code execution (RCE).

Proof of Concept

1. Access the API , upload , and pass the to the directory you have traversed.
2. Access and exploit the generated file .
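
The two checks the description says are missing (containment of the directory parameter and a restriction on the uploaded filename), shown as an added example that is not IsFusion's code. The class, method and parameter names and the extension allowlist are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.Locale;
import java.util.Set;

// Added illustration: class, method and parameter names are hypothetical, not IsFusion's.
public class SafeUploadPath {
    // Assumption: the feature only needs these types; server-executable ones (jsp, jspx) are absent.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "pdf", "txt");
    static Path resolve(Path baseDir, String subDir, String fileName) throws IOException {
        Path base = baseDir.toRealPath();
        // Drop any directory part from the client-supplied file name.
        String leaf = fileName.substring(Math.max(fileName.lastIndexOf('/'), fileName.lastIndexOf('\\')) + 1);
        int dot = leaf.lastIndexOf('.');
        String ext = dot > 0 ? leaf.substring(dot + 1).toLowerCase(Locale.ROOT) : "";
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IOException("file type not allowed: " + leaf);
        }
        Path target;
        try {
            target = base.resolve(subDir).resolve(leaf).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("malformed path", e);
        }
        // Element-wise prefix check: rejects "../" sequences and absolute subDir values.
        if (!target.startsWith(base)) {
            throw new IOException("path escapes upload directory: " + subDir);
        }
        Files.createDirectories(target.getParent());
        // Re-check after creation so a symlinked subdirectory cannot redirect the write.
        if (!target.getParent().toRealPath().startsWith(base)) {
            throw new IOException("symlink escapes upload directory: " + subDir);
        }
        return target;
    }
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("uploads").toRealPath();
        // Constructed sample inputs: {directory parameter, file name}.
        String[][] samples = {{"docs", "report.pdf"}, {"../../webapps/ROOT", "report.pdf"},
                              {"docs", "page.jsp"}, {"docs", "../../notes.txt"}};
        for (String[] s : samples) {
            try {
                System.out.println("accepted -> " + base.relativize(resolve(base, s[0], s[1])));
            } catch (IOException e) {
                System.out.println("rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Keeping the upload directory outside any path the servlet container serves or compiles gives a second layer if either check is bypassed.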