File Upload Input Detected

Rapplex reports this finding when a page contains HTML file upload fields that allow users to select and submit files.

This finding is triggered when the following element is identified:

  • File input fields in forms (<input type="file">)

This indicates that the application exposes functionality for user-supplied file uploads.

Why this matters

File upload features introduce a potentially sensitive attack surface. If not properly secured, they may lead to vulnerabilities such as:

  • Arbitrary file upload
  • Remote Code Execution (RCE)
  • Stored Cross-Site Scripting (XSS)
  • Malicious file hosting

However, the presence of a file input alone does not confirm a vulnerability.

Limitations

This detection is based solely on the presence of HTML input elements and does not guarantee that:

  • The backend actually processes or stores uploaded files
  • The upload functionality is reachable or functional
  • The implementation is vulnerable

Further testing is required to validate behavior and security controls.
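The sketch below is an added example, not Rapplex's own detection code: it shows what a markup-only check of this kind can and cannot see. `FileInputFinder`, `find_file_inputs` and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

class FileInputFinder(HTMLParser):
    """Collect <input type="file"> elements together with their enclosing form."""
    def __init__(self):
        super().__init__()
        self.form = None       # attributes of the currently open <form>, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form = a
        elif tag == "input" and a.get("type", "").strip().lower() == "file":
            form = self.form or {}
            method = (form.get("method") or "get").strip().lower()
            enctype = (form.get("enctype")
                       or "application/x-www-form-urlencoded").strip().lower()
            notes = []
            if self.form is None:
                notes.append("no enclosing form; any upload is script-driven")
            elif method != "post" or enctype != "multipart/form-data":
                notes.append("method/enctype would submit only the file name "
                             "unless script overrides it")
            self.findings.append({
                "name": a.get("name", ""),
                "accept": a.get("accept", ""),  # client-side hint, not a control
                "action": form.get("action", ""),
                "method": method, "enctype": enctype, "notes": notes})

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None

def find_file_inputs(html):
    parser = FileInputFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: three file inputs, only the first in a working upload form.
SAMPLE = """
<form action="/profile/avatar" method="post" enctype="multipart/form-data">
  <input type="file" name="avatar" accept="image/png,image/jpeg">
</form>
<form action="/search"><input type="FILE" name="attachment"></form>
<input type="file" name="dropzone">
"""

if __name__ == "__main__":
    for finding in find_file_inputs(SAMPLE):
        print(finding)
```

All three inputs are reported, yet nothing in the output says whether the server accepts, stores or serves the files; the `notes` field only narrows which forms could transmit file content as written.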

Treat this finding as an identified attack surface and verify how the upload functionality is implemented:

  • Confirm whether files are accepted and processed by the server
  • Test allowed file types and extensions
  • Check how uploaded files are stored and accessed
  • Verify that uploaded files cannot be executed

Additional analysis is required to determine whether the feature is securely implemented.