This was also the case with jQuery File Upload, which adds files to a root directory. Now tracked as CVE-2018-9206, the coding flaw is no longer present in the latest version of jQuery File Upload.