class.upload.php <= 2.0.4 Arbitrary file upload
This is basically the exact same thing again as with CVE-2019-19576. I took another look after the patch was released and realized that there are other PHP extensions out there, in this case on Debian/Ubuntu with PHP5, that this library does not blacklist. So I installed PHP5 on Ubuntu and tested it, and the same thing went through. Both Verot and K2/JoomlaWorks have released patches and agreed to release this new CVE.
So this is a bit of a shorter text, but there are a bunch more coming up (that are currently within the 90-day responsible disclosure timeline, plus some vendors that have asked for extended time).
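The weakness described above is an extension blacklist that cannot enumerate every extension a given server hands to the PHP interpreter. As an added example (not code from class.upload.php or its patches), the sketch below contrasts a denylist check with an allowlist that also sniffs the content and renames the stored file; the lists, the function names and the `phpx` extension are constructed placeholders.

```php
<?php
// Added example; not code from class.upload.php. All names and lists are constructed.

// Hypothetical denylist: it can only contain extensions its author thought of.
const DENYLIST = ['php', 'phtml'];

// Allowlist: the only extensions this hypothetical application needs,
// mapped to the MIME type the content must sniff as.
const ALLOWLIST = ['jpg' => 'image/jpeg', 'png' => 'image/png'];

function extension_of(string $name): string
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// Denylist logic: accepts anything that is not explicitly listed.
function denylist_accepts(string $name): bool
{
    return !in_array(extension_of($name), DENYLIST, true);
}

// Allowlist logic: returns a server-generated storage name, or null to reject.
function allowlist_storage_name(string $name, string $bytes): ?string
{
    $ext = extension_of($name);
    if (!array_key_exists($ext, ALLOWLIST)) {
        return null; // unknown extension: rejected by default
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime !== ALLOWLIST[$ext]) {
        return null; // content does not match the claimed type
    }
    // The client-supplied name never reaches the filesystem.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples. "phpx" is a placeholder for any extension that one
// server's configuration maps to PHP but the denylist omits.
$png = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);
$samples = [
    'avatar.png' => $png,
    'shell.php'  => '<?php /* placeholder */',
    'shell.phpx' => '<?php /* placeholder */',
];
foreach ($samples as $name => $bytes) {
    printf("%-11s denylist=%-6s allowlist=%s\n", $name,
        denylist_accepts($name) ? 'accept' : 'reject',
        allowlist_storage_name($name, $bytes) ?? 'reject');
}
```

Storing uploads in a directory where the web server does not execute scripts covers the case where an upload check is bypassed anyway.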