An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows malicious users to execute arbitrary code via uploading a crafted file.