Total: 3867 CVEs

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-6466 | Ageerle | Ruoyi-ai | 2025-08-26 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was found in ageerle ruoyi-ai 2.0.0 and classified as critical. Affected by this issue is the function speechToTextTranscriptionsV2/upload of the file ruoyi-modules/ruoyi-system/src/main/java/org/ruoyi/system/service/impl/SseServiceImpl.java. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.1 is able to address this issue. The patch is ide ... |
| CVE-2025-53119 | | | 2025-08-25 | N/A | 7.5 HIGH | An unauthenticated unrestricted file upload vulnerability allows an attacker to upload malicious binaries and scripts to the server. |
| CVE-2025-7864 | Jeesite | Jeesite | 2025-08-25 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was found in thinkgem JeeSite up to 5.12.0. It has been classified as critical. This affects the function Upload of the file src/main/java/com/jeesite/modules/file/web/FileUploadController.java. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 3585737d21fe490ff6948d913fcbd8d99c41fc08. It is recommended to apply a patch to fix this issue. |
| CVE-2025-49222 | Mattermost | Mattermost Server | 2025-08-25 | N/A | 6.8 MEDIUM | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions, which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories. |
| CVE-2025-55743 | Webkul | Unopim | 2025-08-22 | N/A | 8.8 HIGH | UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, the image upload in the user creation feature performs only client-side file type validation. An attacker can upload an image, intercept the request with a proxy such as Burp Suite, and change the file extension and content before it reaches the server. The vulnerability is fixed in 0.2.1. |
| CVE-2024-13144 | Zhenfeng13 | My-blog | 2025-08-22 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability classified as critical has been found in zhenfeng13 My-Blog 1.0. Affected is the function uploadFileByEditomd of the file src/main/java/com/site/blog/my/core/controller/admin/BlogController.java. The manipulation of the argument editormd-image-file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-13145 | Zhenfeng13 | My-blog | 2025-08-22 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability classified as critical was found in zhenfeng13 My-Blog 1.0. Affected by this vulnerability is the function upload of the file src/main/java/com/site/blog/my/core/controller/admin/uploadController.java. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-13210 | Donglight | Bookstore | 2025-08-22 | 5.8 MEDIUM | 4.7 MEDIUM | A vulnerability was found in donglight bookstore电商书城系统说明 1.0. It has been declared as critical. Affected by this vulnerability is the function uploadPicture of the file src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController.java. The manipulation of the argument pictureFile leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-53251 | | | 2025-08-22 | N/A | 9.9 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in An-Themes Pin WP allows an attacker to upload a web shell to the web server. This issue affects Pin WP: from n/a before 7.2. |
| CVE-2025-55383 | | | 2025-08-22 | N/A | 8.6 HIGH | Moss before v0.15 has a file upload vulnerability. The "upload" function configuration allows attackers to upload files of any extension to any location on the target server. |
| CVE-2025-24489 | | | 2025-08-22 | N/A | 6.3 MEDIUM | An attacker could exploit this vulnerability by uploading arbitrary files via a specific service, which could lead to system compromise. |
| CVE-2025-27714 | | | 2025-08-22 | N/A | 6.3 MEDIUM | An attacker could exploit this vulnerability by uploading arbitrary files via a specific endpoint, leading to unauthorized remote code execution or system compromise. |
| CVE-2025-54460 | | | 2025-08-22 | N/A | 7.1 HIGH | The vulnerability, if exploited, could allow an authenticated miscreant (with privileges to create or access publication targets of type Text File or HDFS) to upload and persist files that could potentially be executed. |
| CVE-2024-13201 | Wander-chu | Springboot-blog | 2025-08-22 | 5.8 MEDIUM | 4.7 MEDIUM | A vulnerability has been found in wander-chu SpringBoot-Blog 1.0 and classified as critical. This vulnerability affects the function upload of the file src/main/java/com/my/blog/website/controller/admin/AttachtController.java of the component Admin Attachment Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did no ... |
| CVE-2025-9153 | Mayurik | Online Tour & Travel Management System | 2025-08-21 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was detected in itsourcecode Online Tour and Travel Management System 1.0. This vulnerability affects unknown code of the file /admin/operations/travellers.php. The manipulation of the argument photo results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. |
| CVE-2024-13022 | Taisan | Tarzan-cms | 2025-08-21 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability, which was classified as critical, was found in taisan tarzan-cms 1.0.0. This affects the function UploadResponse of the file src/main/java/com/tarzan/cms/modules/admin/controller/common/UploadController.java of the component Article Management. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-3736 | Cym1102 | Nginxwebui | 2025-08-21 | 4.0 MEDIUM | 4.3 MEDIUM | A vulnerability was found in cym1102 nginxWebUI up to 3.9.9. It has been declared as problematic. Affected by this vulnerability is the function upload of the file /adminPage/main/upload. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-260575. |
| CVE-2025-51489 | Moonshine | Moonshine | 2025-08-21 | N/A | 5.4 MEDIUM | A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine versions before 3.12.5, allowing remote attackers to upload a malicious SVG file when creating or updating an Article and execute arbitrary JavaScript when the file link is opened. |
| CVE-2025-53213 | | | 2025-08-20 | N/A | 9.9 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ReachShip WooCommerce Multi-Carrier & Conditional Shipping allows the use of malicious files. This issue affects ReachShip WooCommerce Multi-Carrier & Conditional Shipping: from n/a through 4.3.1. |
| CVE-2025-48148 | | | 2025-08-20 | N/A | 10.0 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows the use of malicious files. This issue affects StoreKeeper for WooCommerce: from n/a through 14.4.4. |
| CVE-2025-7441 | | | 2025-08-18 | N/A | 9.8 CRITICAL | The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint, which does not have sufficient file type validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. |
| CVE-2025-9099 | | | 2025-08-18 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was identified in Acrel Environmental Monitoring Cloud Platform up to 20250804. This affects an unknown part of the file /NewsManage/UploadNewsImg. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-6079 | | | 2025-08-18 | N/A | 8.8 HIGH | The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the homework.php file in all versions up to, and including, 93.2.0. This makes it possible for authenticated attackers, with Student-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. |
| CVE-2025-8297 | Ivanti | Avalanche | 2025-08-15 | N/A | 7.2 HIGH | Incomplete restriction of configuration in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2025-54473 | | | 2025-08-15 | N/A | N/A | An authenticated RCE vulnerability in the Phoca Commander component 1.0.0-4.0.0 and 5.0.0-5.0.1 for Joomla was discovered. The issue allows code execution via the unzip feature. |
| CVE-2025-6679 | | | 2025-08-15 | N/A | 9.8 CRITICAL | The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally, a form with an advanced file upload element needs to be published. |
| CVE-2025-52239 | Zkea | Zkeacms | 2025-08-14 | N/A | 9.8 CRITICAL | An arbitrary file upload vulnerability in ZKEACMS v4.1 allows attackers to execute arbitrary code via a crafted file. |
| CVE-2025-54693 | | | 2025-08-14 | N/A | 9.0 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in epiphyt Form Block allows an attacker to upload a web shell to the web server. This issue affects Form Block: from n/a through 1.5.5. |
| CVE-2025-24775 | | | 2025-08-14 | N/A | 9.9 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms allows an attacker to upload a web shell to the web server. This issue affects Forms: from n/a through 2.9.0. |
| CVE-2012-10056 | | | 2025-08-14 | N/A | N/A | PHP Volunteer Management System v1.0.2 contains an arbitrary file upload vulnerability in its document upload functionality. Authenticated users can upload files to the mods/documents/uploads/ directory without any restriction on file type or extension. Because this directory is publicly accessible and lacks execution controls, attackers can upload a malicious PHP payload and execute it remotely. The application ships with default credentials, making exploitation trivial. Once authenticated, the ... |
| CVE-2025-5061 | Vjinfotech | Wp Import Export Lite | 2025-08-13 | N/A | 7.5 HIGH | The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_parse_upload_data' function in all versions up to, and including, 3.9.29. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server, which may make remote code execution possible. The vulnerability was partially patched in version ... |
| CVE-2025-44139 | Emlog | Emlog | 2025-08-13 | N/A | 7.2 HIGH | Emlog Pro V2.5.7 is vulnerable to Unrestricted Upload of File with Dangerous Type via /emlog/admin/plugin.php?action=upload_zip. |
| CVE-2025-6206 | Coderevolution | Aiomatic | 2025-08-13 | N/A | 7.5 HIGH | The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aiomatic_image_editor_ajax_submit' function in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. In order to ex ... |
| CVE-2025-2005 | Etoilewebdesign | Front End Users | 2025-08-12 | N/A | 9.8 CRITICAL | The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and including, 3.2.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. |
| CVE-2025-6207 | Vjinfotech | Wp Import Export Lite | 2025-08-12 | N/A | 7.5 HIGH | The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_tempalte_import' function in all versions up to, and including, 3.9.28. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server, which may make remote code execution possible. |
| CVE-2025-33023 | | | 2025-08-12 | N/A | 4.1 MEDIUM | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions), RUGGEDCOM ROX MX5000RE (All versions), RUGGEDCOM ROX RX1400 (All versions), RUGGEDCOM ROX RX1500 (All versions), RUGGEDCOM ROX RX1501 (All versions), RUGGEDCOM ROX RX1510 (All versions), RUGGEDCOM ROX RX1511 (All versions), RUGGEDCOM ROX RX1512 (All versions), RUGGEDCOM ROX RX1524 (All versions), RUGGEDCOM ROX RX1536 (All versions), RUGGEDCOM ROX RX5000 (All versions). The affected devices do not properly enforce the re ... |
| CVE-2025-27127 | | | 2025-08-12 | N/A | 4.3 MEDIUM | A vulnerability has been identified in TIA Project-Server (All versions < V2.1.1), TIA Project-Server V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V18 (All versions), Totally Integrated Automation Portal (TIA Portal) V19 (All versions < V19 Update 4), Totally Integrated Automation Portal (TIA Portal) V20 (All versions < V20 Update 3). The affected application improperly handles uploaded projects in the ... |
| CVE-2025-3515 | Codedropz | Drag And Drop Multiple File Upload - Contact Form 7 | 2025-08-11 | N/A | 8.1 HIGH | The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on servers that are configured to handle .phar files as executable PHP scripts, ... |
| CVE-2012-10038 | | | 2025-08-11 | N/A | N/A | Auxilium RateMyPet contains an unauthenticated arbitrary file upload vulnerability in upload_banners.php. The banner upload feature fails to validate file types or enforce authentication, allowing remote attackers to upload malicious PHP files. These files are stored in a web-accessible /banners/ directory and can be executed directly, resulting in remote code execution. |
| CVE-2025-2512 | File Away Project | File Away | 2025-08-11 | N/A | 9.8 CRITICAL | The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. |
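The entries above repeat the same handful of failure modes: validation done only in the browser and bypassed with an intercepting proxy (CVE-2025-55743), a blacklist that misses `.phar` and similar executable extensions (CVE-2025-3515), an SVG accepted as an "image" and served with its scripts intact (CVE-2025-51489), and uploads written under the web root where the server executes them (CVE-2012-10056, CVE-2012-10038). The following is an added example, not code from any of the listed projects, of the server-side checks that close those gaps: an extension allowlist applied to every component of the name, magic-byte verification of the body, a scan for active SVG content and embedded PHP tags, and a random storage name that discards the client-supplied filename. The allowlist, the executable-extension list and the sample inputs in `demo()` are assumptions constructed for the demonstration.

```python
import os
import re
import secrets

# Allowlist: extension -> magic-byte prefixes the body must start with.
# Assumption for this example: the feature only needs raster images and PDFs.
ALLOWED_BINARY = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Extensions a web server may execute. Rejected anywhere in the name, so
# shell.php.jpg, shell.phar and SHELL.PhTmL are all caught, not just the last part.
SERVER_EXECUTABLE = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht",
    "jsp", "jspx", "asp", "aspx", "cgi", "pl", "py", "sh", "htaccess",
}

# Markers of active content in SVG: scripts, event handlers, javascript: URLs,
# foreignObject (which can embed arbitrary HTML). Best-effort deny-list.
_SVG_ACTIVE = re.compile(rb"<script|\bon[a-z]+\s*=|javascript:|<foreignobject", re.IGNORECASE)
# Cheap signature of a PHP payload hidden behind a valid image header (polyglot).
_PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised with the reason an upload failed server-side validation."""


def validate_upload(filename: str, content: bytes) -> str:
    """Validate an uploaded file and return a random, safe name to store it under.

    The client-supplied filename is used only to read the claimed extension; it is
    never reused for storage, so traversal sequences and double extensions cannot
    influence where the file lands or how the server treats it.
    """
    base = os.path.basename(filename.replace("\\", "/")).strip()
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("filename must have a basename and an extension")
    if SERVER_EXECUTABLE.intersection(parts[1:]):
        raise UploadRejected("executable extension in filename: " + base)
    ext = parts[-1]
    if ext == "svg":
        head = content.lstrip(b"\xef\xbb\xbf \t\r\n")[:5].lower()
        if not (head.startswith(b"<?xml") or head.startswith(b"<svg")):
            raise UploadRejected("content is not an SVG document")
        if _SVG_ACTIVE.search(content):
            raise UploadRejected("SVG contains script or event handler")
    elif ext in ALLOWED_BINARY:
        if not content.startswith(ALLOWED_BINARY[ext]):
            raise UploadRejected("content does not match ." + ext + " magic bytes")
        if _PHP_TAG.search(content):
            raise UploadRejected("PHP tag embedded in image/PDF body")
    else:
        raise UploadRejected("extension not allowlisted: ." + ext)
    # Random name: nothing from the request reaches the filesystem path.
    return secrets.token_hex(16) + "." + ext


def demo() -> dict:
    """Run constructed samples (not real upload traffic) through the validator."""
    samples = {
        "good_png": ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        "ext_only_renamed": ("shell.png", b"<?php system($_GET['c']); ?>"),
        "double_extension": ("shell.php.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        "phar_bypass": ("shell.phar", b"<?php phpinfo();"),
        "gif_polyglot": ("avatar.gif", b"GIF89a;<?php echo 1; ?>"),
        "traversal": ("../../.htaccess", b"AddType application/x-httpd-php .gif"),
        "svg_xss": ("logo.svg", b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'),
        "svg_clean": ("logo.svg", b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'),
    }
    results = {}
    for label, (name, data) in samples.items():
        try:
            results[label] = validate_upload(name, data)
        except UploadRejected as exc:
            results[label] = "REJECTED: " + str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:18} {outcome}")
```

Validation is only the first layer. Write the returned name into a directory outside the document root (or one the web server is configured never to execute from) and serve downloads through a handler that sets `Content-Disposition: attachment` and a restrictive `Content-Security-Policy`; that way an SVG or polyglot that slips past the pattern checks still cannot run as a script or as PHP.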