Craft CMS Unrestricted Upload of File with Dangerous Type Vulnerability - CVE-2018-3814
Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the quotAssets-gtUpload filesquot screen and then the quotReplace itquot option because this allows a .jpg file to have embedded PHP code and then be renamed to a .php extension.