Can a file upload function be vulnerable without the file name getting passed?

From googling, a lot of file upload vulnerabilities rely on injecting something into the filename and also rely on the picture being stored on the server. Is it safe to just do a POST request of the picture’s content (file-contents: ‰PNG...... via POST request) and then display it in the browser as <img src="data:image/png;base64,....."> ?
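
The flow described in the question, as an added example that is not part of the original post: the server receives only raw bytes, checks the PNG header, and builds the `data:` URI itself with a constant MIME type. The function names, the 2 MiB cap and the sample bytes are assumptions constructed for illustration.

```javascript
// Added example (not from the original post). Names and the size cap are assumptions.
const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const MAX_BYTES = 2 * 1024 * 1024; // assumed limit on the POST body

// Header-only check: 8-byte signature, then a 13-byte IHDR chunk must come first.
// It does not prove the rest of the file decodes; only an image decoder does that.
function isPng(buf) {
  return buf.length >= 24 &&
    buf.subarray(0, 8).equals(PNG_SIGNATURE) &&
    buf.readUInt32BE(8) === 13 &&
    buf.subarray(12, 16).toString('latin1') === 'IHDR';
}

// Turn raw uploaded bytes into an <img> tag. No file name or client-supplied
// Content-Type is used; the MIME type in the URI is a server-side constant.
function pngToImgTag(body) {
  if (!Buffer.isBuffer(body)) throw new TypeError('expected raw bytes');
  if (body.length > MAX_BYTES) throw new RangeError('upload too large');
  if (!isPng(body)) throw new Error('not a PNG');
  // Base64 output uses only A-Z a-z 0-9 + / =, so bytes such as " < > in the
  // upload cannot end the src attribute or start a new tag.
  const b64 = body.toString('base64');
  return `<img src="data:image/png;base64,${b64}" alt="uploaded image">`;
}

// Constructed sample: PNG signature plus an IHDR header for a 1x1 image.
const SAMPLE_HEADER = Buffer.from([
  0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, // signature
  0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52, // length 13, "IHDR"
  0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, // width 1, height 1
]);
// Constructed sample: the same header followed by bytes that look like markup.
const SAMPLE_WITH_MARKUP = Buffer.concat([SAMPLE_HEADER, Buffer.from('"><b>x</b>', 'latin1')]);

console.log(pngToImgTag(SAMPLE_WITH_MARKUP));
```
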