Total
2765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-22132 | 1 Wegia | 1 Wegia | 2025-02-13 | N/A | 4.8 MEDIUM |
| WeGIA is a web manager for charitable institutions. A Cross-Site Scripting (XSS) vulnerability was identified in the file upload functionality of the WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. By uploading a file containing malicious JavaScript code, an attacker can execute arbitrary scripts in the context of a victim's browser. This can lead to information theft, session hijacking, and other forms of client-side exploitation. This vulnerability is fixed in 3.2.7. | |||||
| CVE-2018-15961 | 1 Adobe | 1 Coldfusion | 2025-02-13 | 10.0 HIGH | 9.8 CRITICAL |
| Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2023-31428 | 1 Broadcom | 1 Brocade Fabric Operating System | 2025-02-13 | N/A | 5.5 MEDIUM |
| Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability in the command line that could allow a local user to dump files under user's home directory using grep. | |||||
| CVE-2023-0265 | 1 Uvdesk | 1 Community-skeleton | 2025-02-13 | N/A | 8.8 HIGH |
| Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers. | |||||
| CVE-2023-26857 | 1 Dynamic Transaction Queuing System Project | 1 Dynamic Transaction Queuing System | 2025-02-13 | N/A | 7.2 HIGH |
| An arbitrary file upload vulnerability in /admin/ajax.php?action=save_uploads of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | |||||
| CVE-2025-1070 | 2025-02-13 | N/A | N/A | ||
| CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could render the device inoperable when a malicious file is downloaded. | |||||
| CVE-2020-8260 | 1 Ivanti | 1 Connect Secure | 2025-02-12 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction. | |||||
| CVE-2023-27033 | 1 Cdesigner Project | 1 Cdesigner | 2025-02-12 | N/A | 9.8 CRITICAL |
| Prestashop cdesigner v3.1.3 to v3.1.8 was discovered to contain a code injection vulnerability via the component CdesignerSaverotateModuleFrontController::initContent(). | |||||
| CVE-2023-29375 | 1 Progress | 1 Sitefinity | 2025-02-12 | N/A | 9.8 CRITICAL |
| An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. There is potentially dangerous file upload through the SharePoint connector. | |||||
| CVE-2025-26350 | 2025-02-12 | N/A | N/A | ||
| A CWE-434 "Unrestricted Upload of File with Dangerous Type" in the template file uploads in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to upload malicious files via crafted HTTP requests. | |||||
| CVE-2024-13714 | 2025-02-12 | N/A | 8.8 HIGH | ||
| The All-Images.ai – IA Image Bank and Custom Image creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_get_image_by_url' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2023-1406 | 1 Crocoblock | 1 Jetengine For Elementor | 2025-02-11 | N/A | 8.8 HIGH |
| The JetEngine WordPress plugin before 3.1.3.1 includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability. | |||||
| CVE-2023-24720 | 1 Readium | 1 Readium-js | 2025-02-11 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in readium-js v0.32.0 allows attackers to execute arbitrary code via uploading a crafted EPUB file. | |||||
| CVE-2020-19802 | 1 Doyocms Project | 1 Doyocms | 2025-02-11 | N/A | 9.8 CRITICAL |
| File Upload vulnerability found in Milken DoyoCMS v.2.3 allows a remote attacker to execute arbitrary code via the upload file type parameter. | |||||
| CVE-2024-5247 | 1 Netgear | 1 Prosafe Network Management System | 2025-02-11 | N/A | 8.8 HIGH |
| NETGEAR ProSAFE Network Management System UpLoadServlet Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Authentication is required to exploit this vulnerability. The specific flaw exists within the UpLoadServlet class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22923. | |||||
| CVE-2023-27178 | 1 Gdidees | 1 Gdidees Cms | 2025-02-11 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the upload function of GDidees CMS 3.9.1 allows attackers to execute arbitrary code via a crafted file. | |||||
| CVE-2023-27179 | 1 Gdidees | 1 Gdidees Cms | 2025-02-11 | N/A | 7.5 HIGH |
| GDidees CMS v3.9.1 and lower was discovered to contain an arbitrary file download vulenrability via the filename parameter at /_admin/imgdownload.php. | |||||
| CVE-2024-13011 | 2025-02-10 | N/A | 9.8 CRITICAL | ||
| The WP Foodbakery plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'upload_publisher_profile_image' function in versions up to, and including, 4.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2023-26852 | 1 Textpattern | 1 Textpattern | 2025-02-10 | N/A | 7.2 HIGH |
| An arbitrary file upload vulnerability in the upload plugin of Textpattern v4.8.8 and below allows attackers to execute arbitrary code by uploading a crafted PHP file. | |||||
| CVE-2023-29625 | 1 Employee Performance Evaluation System Project | 1 Employee Performance Evaluation System | 2025-02-10 | N/A | 8.8 HIGH |
| Employee Performance Evaluation System v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server. | |||||