Kusaba · Kusaba · CVE-2008-5663
**Name of the Vulnerable Software and Affected Versions**
Kusaba versions 1.0.4 and earlier
**Description**
The issue allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension using (1) `load_receiver.php` or (2) a `shipainter` action to `paint_save.php`, then accessing the uploaded file via a direct request to this file in their user directory.
**Recommendations**
For Kusaba versions 1.0.4 and earlier, consider restricting access to `load_receiver.php` and `paint_save.php` to prevent unauthorized file uploads until a fix is available. As a temporary workaround, restrict the `shipainter` action to minimize the risk of exploitation. Avoid allowing users to upload files with executable extensions.
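To check whether the sequence in the Description (an upload through one of the two scripts, then a direct request for an executable-extension file in a user directory) already appears in web server access logs, the following added example can be used; it is not part of the original advisory or of Kusaba. The `/users/` path marker, the extension list, the Common Log Format layout and the function name are assumptions to adapt to the installation.

```python
import re
from urllib.parse import unquote

# Upload endpoints named in the advisory.
UPLOAD_ENDPOINTS = {"load_receiver.php", "paint_save.php"}
# Assumption: placeholder for where user directories are served from.
USER_DIR = "/users/"
# Assumption: extensions the web server may pass to an interpreter.
EXEC_EXT = re.compile(r"\.(?:php\d?|phtml|phar|pl|py|cgi|asp|aspx|jsp)(?:$|/)", re.I)
# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def find_upload_then_exec(lines):
    """Return (ip, upload_path, fetched_path) for clients that POSTed to an
    upload endpoint and later got a 2xx for an executable-extension file
    inside a user directory."""
    uploaded = {}  # ip -> path of the most recent accepted upload POST
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, method, target, status = m.groups()
        # Drop the query string and decode %xx so encoded dots still match.
        path = unquote(target.split("?", 1)[0])
        script = path.rsplit("/", 1)[-1]
        if method == "POST" and script in UPLOAD_ENDPOINTS and status[0] in "23":
            uploaded[ip] = path
        elif (ip in uploaded and USER_DIR in path
              and EXEC_EXT.search(path) and status[0] == "2"):
            hits.append((ip, uploaded[ip], path))
    return hits


# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2008:10:00:01 +0000] "POST /kusaba/load_receiver.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2008:10:00:09 +0000] "GET /kusaba/users/demo/note.PHP HTTP/1.1" 200 48
198.51.100.4 - - [10/Dec/2008:10:01:00 +0000] "POST /kusaba/paint_save.php HTTP/1.1" 200 90
198.51.100.4 - - [10/Dec/2008:10:01:05 +0000] "GET /kusaba/users/art/pic.png HTTP/1.1" 200 2048
192.0.2.9 - - [10/Dec/2008:10:02:00 +0000] "GET /kusaba/users/demo/note.php HTTP/1.1" 404 0
""".splitlines()

if __name__ == "__main__":
    for hit in find_upload_then_exec(SAMPLE_LOG):
        print("upload then execute:", *hit)
```

A hit means an interpreter-handled file was served from a user directory after an upload by the same client, so the file and the account that uploaded it should be reviewed.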