X2Engine versions 4.1.7 and below suffer from an unrestricted file upload vulnerability due to poor use of a blacklist.