Unrated severityNVD Advisory· Published Dec 11, 2025· Updated Apr 7, 2026

xbtitFM 4.1.18 Insecure File Upload in file_hosting Feature

CVE-2024-58313

Description

xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modifying the Content-Type header to image/gif, adding GIF89a magic bytes, and using alternate PHP tags to upload web shells that execute system commands.

Affected products

xbtitFM/xbtitFMllm-create
Range: = 4.1.18
xbtitfm/xbtitFMv5
Range: 4.1.18

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.exploit-db.com/exploits/51909mitreexploit
www.vulncheck.com/advisories/xbtitfm-insecure-file-upload-in-filehosting-featuremitrethird-party-advisory
xbtitfm.eumitreproduct

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000