From an uploads folder, attackers click to move up and explore other folders, potentially finding configuration files ( config.php , .env ) or backup archives containing database credentials.
The parent directory link ( ../ ) enables . An attacker might manually manipulate the URL: https://example.com/uploads/../../etc/passwd If the server is poorly configured, this could expose system files. index of parent directory uploads top