Total: 2765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-29607 | 1 Pluck-cms | 1 Pluck | 2025-04-16 | 6.5 MEDIUM | 7.2 HIGH | A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access in the host through the "manage files" functionality, which may result in remote code execution. |
| CVE-2025-1980 | | | 2025-04-16 | N/A | N/A | The Ready_ application's Profile section allows users to upload files of any type and extension without restriction. If the server is misconfigured, as it was by default when installed at the turn of 2021 and 2022, it can result in Remote Code Execution. Refer to the Required Configuration for Exposure section for more information. |
| CVE-2025-39538 | | | 2025-04-16 | N/A | N/A | Unrestricted Upload of File with Dangerous Type vulnerability in Mathieu Chartier WP-Advanced-Search allows Upload a Web Shell to a Web Server. This issue affects WP-Advanced-Search: from n/a through 3.3.9.3. |
| CVE-2025-39557 | | | 2025-04-16 | N/A | N/A | Unrestricted Upload of File with Dangerous Type vulnerability in Ben Ritner - Kadence WP Kadence WooCommerce Email Designer allows Upload a Web Shell to a Web Server. This issue affects Kadence WooCommerce Email Designer: from n/a through 1.5.14. |
| CVE-2025-26927 | | | 2025-04-15 | N/A | N/A | Unrestricted Upload of File with Dangerous Type vulnerability in EPC AI Hub allows Upload a Web Shell to a Web Server. This issue affects AI Hub: from n/a through 1.3.3. |
| CVE-2025-2952 | 1 Bluestar | 1 Micro Mall | 2025-04-15 | N/A | 9.8 CRITICAL | A vulnerability classified as critical was found in Bluestar Micro Mall 1.0. Affected by this vulnerability is an unknown functionality of the file /api/api.php?mod=upload&type=1. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2022-46102 | 1 Ayacms Project | 1 Ayacms | 2025-04-15 | N/A | 9.8 CRITICAL | AyaCMS 3.1.2 is vulnerable to arbitrary file upload via /aya/module/admin/fst_down.inc.php. |
| CVE-2022-45966 | 1 Classcms Project | 1 Classcms | 2025-04-15 | N/A | 9.8 CRITICAL | There is an arbitrary file upload vulnerability in the file management function module of Classcms 3.5. |
| CVE-2022-46493 | 1 Nbnbk Project | 1 Nbnbk | 2025-04-15 | N/A | 9.8 CRITICAL | The default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img. |
| CVE-2025-3593 | | | 2025-04-14 | N/A | 6.3 MEDIUM | A vulnerability was found in ZHENFENG13/code-projects My-Blog-layui 1.0. It has been declared as critical. This vulnerability affects the function Upload of the file /admin/upload/authorImg/. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2022-45896 | 1 Planetestream | 1 Planet Estream | 2025-04-14 | N/A | 9.8 CRITICAL | Planet eStream before 6.72.10.07 allows unauthenticated upload of arbitrary files: Choose a Video / Related Media or Upload Document. Upload2.ashx can be used, or Ajax.asmx/ProcessUpload2. This leads to remote code execution. |
| CVE-2025-3566 | | | 2025-04-14 | N/A | 7.3 HIGH | A vulnerability, which was classified as critical, has been found in veal98 ??? Echo ?????? 4.2. This issue affects the function uploadMdPic of the file /discuss/uploadMdPic. The manipulation of the argument editormd-image-file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2022-45427 | 1 Dahuasecurity | 8 Dhi-dss4004-s2, Dhi-dss4004-s2 Firmware, Dhi-dss7016d-s2 and 5 more | 2025-04-14 | N/A | 7.2 HIGH | Some Dahua software products have a vulnerability of unrestricted upload of file. After obtaining the permissions of administrators, by sending a specific crafted packet to the vulnerable interface, an attacker can upload arbitrary files. |
| CVE-2025-3558 | | | 2025-04-14 | N/A | 6.3 MEDIUM | A vulnerability, which was classified as critical, was found in ghostxbh uzy-ssm-mall 1.0.0. This affects an unknown part of the file /mall/user/uploadUserHeadImage. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-3229 | 1 Salonbookingsystem | 1 Salon Booking System | 2025-04-11 | N/A | N/A | The Salon booking system plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the SLN_Action_Ajax_ImportAssistants function along with missing authorization checks in all versions up to, and including, 10.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. |
| CVE-2023-30613 | 1 Kiwitcms | 1 Kiwi Tcms | 2025-04-11 | N/A | 9.0 CRITICAL | Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. In versions of Kiwi TCMS prior to 12.2, there is no control over what kinds of files can be uploaded. Thus, a malicious actor may upload an `.exe` file or a file containing embedded JavaScript and trick others into clicking on these files, causing vulnerable browsers to execute malicious code on another computer. Kiwi TCMS v12.2 comes with functionality that allows administrators to configure additional upload validator functions which give them more control over what file types are accepted for upload. By default `.exe` files are denied. Other files containing the `<script>` tag, regardless of their type, are also denied because they are a path to XSS attacks. There are no known workarounds aside from upgrading. |
| CVE-2023-45595 | 1 Ailux | 1 Imx6 | 2025-04-11 | N/A | 8.8 HIGH | A CWE-434 "Unrestricted Upload of File with Dangerous Type" vulnerability in the "file_configuration" functionality of the web application allows a remote authenticated attacker to upload any arbitrary type of file into the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2. |
| CVE-2025-32579 | | | 2025-04-11 | N/A | N/A | Unrestricted Upload of File with Dangerous Type vulnerability in SoftClever Limited Sync Posts allows Upload a Web Shell to a Web Server. This issue affects Sync Posts: from n/a through 1.0. |
| CVE-2021-35002 | 1 Bmc | 1 Track-It! | 2025-04-10 | N/A | 8.8 HIGH | BMC Track-It! Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of BMC Track-It!. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of email attachments. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-14122. |
| CVE-2022-48194 | 1 Tp-link | 2 Tl-wr902ac, Tl-wr902ac Firmware | 2025-04-10 | N/A | 8.8 HIGH | TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) by uploading a crafted firmware update because the signature check is inadequate. |