EIP-2026-110812

This is a technical analysis of an arbitrary file upload vulnerability in PHP-Fusion 9.03.50, where the 'Edit Profile' feature fails to validate file extensions, allowing PHP files to be uploaded as avatars. The vulnerable code section in UserFieldsInput.inc is highlighted, showing the lack of proper file extension checks.