PT-2026-41884 · WordPress · Piotnet Forms

Jude Nwadinobi · Published 2026-05-19 · Updated 2026-05-19 · CVE-2026-4883

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Piotnet Forms versions prior to 2.1.41

Description: An arbitrary file upload issue exists due to missing file type validation within the piotnetforms_ajax_form_builder() function. The software employs an incomplete extension blacklist that blocks only php, phpt, php5, php7, and exe extensions, while permitting dangerous extensions such as .phar or .phtml. This allows unauthenticated attackers to upload arbitrary files to the server, potentially leading to remote code execution. This issue is only exploitable if a file field has been added to the form.

Recommendations: Update to a version later than 2.1.40. As a temporary workaround, avoid adding file fields to forms until the update is applied.
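As an added illustration (not Piotnet Forms' code and not the vendor's fix), the two approaches in plain PHP: a deny-list of exactly the five extensions the advisory names, beside the allow-list check a form plugin should apply to an uploaded file name before saving it. The set of allowed extensions is an assumption chosen for the example.

```php
<?php
// Added example, not code from Piotnet Forms. Shows why the deny-list described
// in the advisory is insufficient and what an allow-list check looks like.

// Deny-list with only the five extensions the advisory names. Any other
// extension, including .phtml and .phar, is accepted.
function denylist_accepts(string $filename): bool
{
    $blocked = ['php', 'phpt', 'php5', 'php7', 'exe'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allow-list: only extensions the form actually needs pass (assumed set).
// Every dot-separated part after the base name is checked, so a double
// extension such as "report.phtml.pdf" is rejected, and the name is
// lower-cased and stripped of trailing dots and spaces before checking.
function allowlist_accepts(string $filename, array $allowed = ['jpg', 'jpeg', 'png', 'pdf']): bool
{
    $name  = strtolower(rtrim(basename($filename), ". "));
    $parts = explode('.', $name);
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension, or a dotfile such as ".htaccess"
    }
    array_shift($parts); // drop the base name, keep every extension
    foreach ($parts as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed file names run through both checks for comparison.
foreach (['photo.jpg', 'shell.phtml', 'shell.phar', 'shell.php', 'x.phtml.pdf', '.htaccess'] as $f) {
    printf("%-14s deny-list: %-5s allow-list: %s\n", $f,
        denylist_accepts($f) ? 'pass' : 'block',
        allowlist_accepts($f) ? 'pass' : 'block');
}
```

An extension check on its own is not a complete mitigation; the upload directory should also be configured so that the web server never executes scripts stored there.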

Tags: Fix · RCE · Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2026-4883

Affected Products: Piotnet Forms