/api/v1/company/upload-logo in CompanyController.php in crater through 6.0.6 allows a superadmin to execute arbitrary PHP code by

Insecure deserialization of not validated module file in GitHub repository crater-invoice/crater prior to 6.0.6.

Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0.6.

Cross-Site Request Forgery (CSRF) in GitHub repository crater-invoice/crater prior to 6.0.4.

Business Logic Errors in GitHub repository crater-invoice/crater prior to 6.0.5.

Cross-site Scripting (XSS) - Stored in Packagist bytefury/crater prior to 6.0.2.

Improper Access Control in GitHub repository crater-invoice/crater prior to 6.0.2.

Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0.

crater is vulnerable to Unrestricted Upload of File with Dangerous Type