Elias realized he wasn't looking at a security flaw. He was looking at a lifeboat. In the polished, curated world of the modern web, this "Index of /uploads" was the only place left where things were allowed to be real, messy, and hidden in plain sight.
If an application has a vulnerable upload form, an attacker might have already uploaded a PHP or ASP web shell (e.g., cmd.php or shell.aspx ) months ago. Finding it in the index is like finding a hidden key under the doormat. They can now execute commands on the server. index of parent directory uploads
Alternatively, use Google dorks (advanced search operators): Elias realized he wasn't looking at a security flaw