Jpress · Jpress · CVE-2024-43033
**Name of the Vulnerable Software and Affected Versions**
JPress versions through 5.1.1
**Description**
The issue is an arbitrary file upload vulnerability that can lead to arbitrary code execution by appending `::$DATA` to an uploaded file name sent to `AttachmentController`, for example a `.jsp::$DATA` file posted to `io.jpress.web.commons.controller.AttachmentController#upload`. On Windows/NTFS hosts, `::$DATA` names a file's default data stream, so a name such as `x.jsp::$DATA` is written to disk as `x.jsp`; an extension check that only inspects the literal upload name therefore does not see the `.jsp` suffix. This vulnerability allows for potential code execution on the server.
**Recommendations**
For JPress versions through 5.1.1, consider disabling the `upload` function in `AttachmentController` until a patch is available, to prevent arbitrary file uploads and potential code execution. Restrict access to `AttachmentController` to minimize the risk of exploitation. Reject upload file names containing the `::$DATA` suffix (or any `:` stream syntax) at `AttachmentController` until the issue is resolved.
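The following is an added example of the file-name check a maintainer could put in front of an upload handler to close this bypass; it is not JPress's own code, the class `UploadNameValidator`, its method `sanitize`, and the extension allow-list are hypothetical, and the sample file names are constructed for the demonstration. The point it shows is that the extension must be derived only after stream syntax (`:`), separators and Windows-stripped trailing characters have been rejected or normalised, otherwise `shell.jsp::$DATA` looks like it ends in `$DATA` while NTFS creates `shell.jsp`.

```java
// Added example (not JPress code): hardened upload file-name validation that
// closes the NTFS alternate-data-stream (::$DATA) extension bypass.
// Class, method and allow-list are hypothetical.
import java.util.Locale;
import java.util.Set;

public final class UploadNameValidator {

    // Assumed upload policy: only these extensions are ever accepted.
    private static final Set<String> ALLOWED_EXTENSIONS =
            Set.of("jpg", "jpeg", "png", "gif", "pdf", "zip");

    private UploadNameValidator() {}

    /**
     * Returns the cleaned file name if it is acceptable, or null if it must be rejected.
     *
     * A check that only looks at the text after the last '.' sees "$DATA" for
     * "shell.jsp::$DATA", but on Windows/NTFS "::$DATA" refers to the file's default
     * data stream, so the file is actually created as "shell.jsp". The steps below
     * make the checked name match the name the file system will use.
     */
    public static String sanitize(String originalName) {
        if (originalName == null || originalName.isEmpty()) return null;

        // 1. NTFS stream syntax: everything after ':' is a stream name, so the
        //    visible "extension" is not what the file system will write.
        if (originalName.indexOf(':') >= 0) return null;

        // 2. Path separators, NUL and other control characters, traversal.
        for (int i = 0; i < originalName.length(); i++) {
            char c = originalName.charAt(i);
            if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) return null;
        }
        if (originalName.contains("..")) return null;

        // 3. Windows silently drops trailing dots and spaces when creating a file,
        //    so "shell.jsp." becomes "shell.jsp". Normalise before checking.
        String name = originalName;
        while (name.endsWith(".") || name.endsWith(" ")) {
            name = name.substring(0, name.length() - 1);
        }

        // 4. Extension allow-list applied to the cleaned name.
        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) return null;
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) return null;

        return name;
    }

    public static void main(String[] args) {
        // Constructed sample names, including the pattern from the advisory.
        String[] samples = {
            "photo.png",            // accepted
            "shell.jsp::$DATA",     // advisory's bypass: rejected at step 1
            "shell.jsp",            // disallowed extension: rejected at step 4
            "shell.jsp.",           // trailing dot stripped, then rejected at step 4
            "../../webapps/x.png"   // traversal: rejected at step 2
        };
        for (String s : samples) {
            String result = sanitize(s);
            System.out.println(s + " -> " + (result == null ? "REJECT" : "accept as " + result));
        }
    }
}
```

Even with this check in place, the more robust design is to never reuse the client-supplied name at all: store the upload under a server-generated name with an extension taken from the allow-list, keep the original name only as metadata, and serve uploads from a location the servlet container does not treat as executable content.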