Application Security · Learn

What are file upload vulnerabilities?

A file upload feature becomes a vulnerability when an attacker can upload a file the server will execute or that bypasses validation. Here is how upload flaws lead to web shells and how to build uploads safely.

TL;DR

File upload vulnerabilities occur when an application accepts a file without properly validating its type, content, or storage location, letting an attacker upload a web shell or malicious file that the server then executes or serves. The worst case is uploading a script (such as a .php file) into a web-accessible, executable directory, giving remote code execution. The fix combines server-side type validation, storing uploads outside the web root, and never executing uploaded content.

By Shubham Khandare, Delivery Manager, SecureLayer7

What file upload vulnerabilities are

Upload features are everywhere: avatars, documents, images. They become vulnerabilities when the server trusts the uploaded file too much, accepting a dangerous type, trusting a client-supplied content type, or saving the file somewhere it can be executed.

The headline risk is uploading a web shell: a small script that, once placed in an executable web directory, lets the attacker run commands through their browser. Uploads also enable stored XSS (SVG/HTML), XXE (SVG/DOCX), and path traversal in the filename.

How it works and example

The attacker tries to get an executable file into an executable location:

  • Upload shell.php containing <?php system($_GET[0]); ?> and browse to it to run commands.
  • Bypass weak filters: double extensions (shell.php.jpg), null bytes, case (.pHp), or trusting the client Content-Type.
  • Bypass magic-byte checks by prepending valid image headers to a polyglot file.
  • Path traversal in the filename (../../shell.php) to escape the upload directory.
  • Upload an SVG with embedded script (stored XSS) or external entities (XXE).

Examples shown for defensive context.

How to fix it

  • Validate type server-side by content, not the client-supplied extension or Content-Type, and allow-list permitted types.
  • Store uploads outside the web root and serve via a controlled handler, so they are never executed.
  • Rename files to server-generated names and strip path components from the original filename.
  • Disable script execution in the upload directory (web-server config).
  • Scan and size-limit uploads, and treat SVG/Office files as active content.
  • Test the upload flow for filter bypasses.
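A minimal hardened upload handler that puts these controls together, added here as an example and not SecureLayer7's own code; the image allow-list, the size limit and the function names are assumptions:

```python
import secrets
from pathlib import Path

# Allow-list keyed by magic bytes (constructed for this example; extend as needed).
# Canonical extension and MIME type come from this table, never from the client.
ALLOWED = {
    b"\x89PNG\r\n\x1a\n": ("png", "image/png"),
    b"\xff\xd8\xff": ("jpg", "image/jpeg"),
    b"GIF89a": ("gif", "image/gif"),
}
MAX_BYTES = 5 * 1024 * 1024  # size limit, an assumed value


def validate_upload(client_name: str, data: bytes) -> tuple[bool, str]:
    """Return (True, server_generated_name) or (False, reason)."""
    if len(data) > MAX_BYTES:
        return False, "file too large"
    info = next((v for magic, v in ALLOWED.items() if data.startswith(magic)), None)
    if info is None:
        return False, "content type not on allow-list"
    ext, _mime = info
    # The client name is only a consistency check: drop path components
    # (../../shell.php, C:\tmp\shell.php) and compare the last extension with the
    # sniffed type. shell.php and shell.pHp fail here; a polyglot shell.php.jpg with
    # a real JPEG header still passes, which is why the layers below are not optional.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    claimed = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if claimed not in ({ext, "jpeg"} if ext == "jpg" else {ext}):
        return False, "extension does not match content"
    return True, f"{secrets.token_hex(16)}.{ext}"


def store_upload(client_name: str, data: bytes, upload_root: Path) -> Path:
    """Write a validated upload under upload_root, a directory outside the web root."""
    ok, detail = validate_upload(client_name, data)
    if not ok:
        raise ValueError(detail)
    dest = Path(upload_root).resolve() / detail  # nothing client-supplied in the path
    dest.write_bytes(data)
    return dest


def download_headers(stored_name: str) -> dict:
    """Headers for the controlled download handler: the file is sent, never executed."""
    ext = stored_name.rsplit(".", 1)[-1]
    mime = next(m for e, m in ALLOWED.values() if e == ext)
    return {"Content-Type": mime,
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": f'attachment; filename="{stored_name}"'}
```

Pair this with the web-server rule from the list above (no script execution in the upload directory) so the storage location, not the validator, is the last line of defence.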
