CVE-2023-53980

CRITICAL

ProjectSend r1605 - RCE

Title source: llm

Description

ProjectSend r1605 contains a remote code execution vulnerability that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server.

Exploits (1)

exploitdb WORKING POC

by Mirabbas Ağalarov · textwebappsphp

https://www.exploit-db.com/exploits/51238

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/51238

[Product] https://www.projectsend.org/

[Third Party Advisory, Exploit] https://www.vulncheck.com/advisories/projectsend-remote-code-execution-via-file-extension-manipulation

Scores

CVSS v3 9.8

EPSS 0.0052

EPSS Percentile 66.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

projectsend/projectsend r1605

Published Dec 22, 2025

Tracked Since Feb 18, 2026