Alexandre Droullã©

**Name of the Vulnerable Software and Affected Versions** Asial JpGraph Professional versions 4.2.6-pro and earlier **Description** The issue allows remote attackers to execute arbitrary code via a PHP payload in the `data` parameter in conjunction with a .php file name in the `filename` parameter. This occurs because an unnecessary QR/demoapp folder is shipped with the product. **Recommendations** For Asial JpGraph Professional versions 4.2.6-pro and earlier, consider removing or restricting access to the QR/demoapp folder as a temporary workaround until a patch is available. Avoid using the `data` parameter in conjunction with a .php file name in the `filename` parameter in the affected API endpoint until the issue is resolved.