CVE-2025-28168

Name of the Vulnerable Software and Affected Versions Outsystems versions prior to 3.1.0

Description The issue arises because file extension and size validations are enforced solely on the client side in the Outsystems Multiple File Upload feature. This allows an attacker to intercept the upload request, modify the parameter, bypass extension restrictions, and upload arbitrary files.

Recommendations For versions prior to 3.1.0, update to version 3.1.0 or later to resolve the issue. As a temporary workaround, consider implementing server-side validation for file extensions and sizes to prevent unrestricted file uploads.