Vulnerabilities (CVE)

Filtered by CWE-434
Total 3867 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-4538 1 Keking 1 Kkfileview 2025-06-16 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in kkFileView 4.4.0. It has been classified as critical. This affects an unknown part of the file /fileUpload. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-5130 1 Project Team 1 Tmall Demo 2025-06-16 5.8 MEDIUM 4.7 MEDIUM
A vulnerability was found in Tmall Demo up to 20250505. It has been classified as critical. This affects the function uploadProductImage of the file tmall/admin/uploadProductImage. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated relea ...
CVE-2025-3234 2025-06-16 N/A 7.2 HIGH
The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.8.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Administrators have the ability to extend file manager usage privileges to lower-level users including subscribers, which would ...
CVE-2024-46210 1 Redaxo 1 Redaxo 2025-06-13 N/A 7.2 HIGH
An arbitrary file upload vulnerability in the MediaPool module of Redaxo CMS v5.17.1 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-52769 1 Dedebiz 1 Dedebiz 2025-06-13 N/A 7.2 HIGH
An arbitrary file upload vulnerability in the component /admin/friendlink_edit of DedeBIZ v6.3.0 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-40553 1 Project Team 1 Tmall Demo 2025-06-13 N/A 4.9 MEDIUM
Tmall_demo v2024.07.03 was discovered to contain an arbitrary file upload via the component uploadUserHeadImage.
CVE-2024-40555 1 Project Team 1 Tmall Demo 2025-06-13 N/A 5.3 MEDIUM
Tmall_demo v2024.07.03 was discovered to contain an arbitrary file upload vulnerability.
CVE-2025-1791 1 Skycaiji 1 Skycaiji 2025-06-12 6.5 MEDIUM 6.3 MEDIUM
A vulnerability has been found in Zorlan SkyCaiji 2.9 and classified as critical. This vulnerability affects the function fileAction of the file vendor/skycaiji/app/admin/controller/Tool.php. The manipulation of the argument save_data leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-29405 1 Emlog 1 Emlog 2025-06-12 N/A 6.3 MEDIUM
An arbitrary file upload vulnerability in the component /admin/template.php of emlog pro 2.5.0 and pro 2.5.* allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2025-32291 2025-06-12 N/A 10.0 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in FantasticPlugins SUMO Affiliates Pro allows Using Malicious Files. This issue affects SUMO Affiliates Pro: from n/a through 10.7.0.
CVE-2025-4387 2025-06-12 N/A 8.8 HIGH
The Abandoned Cart Pro for WooCommerce plugin contains an authenticated arbitrary file upload vulnerability due to missing file type validation in the wcap_add_to_cart_popup_upload_files function in all versions up to, and including, 9.16.0. This makes it possible for an authenticated attacker, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may allow for either remote or local code execution depending on the server configuration.
CVE-2025-5395 2025-06-12 N/A 8.8 HIGH
The WordPress Automatic Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'core.php' file in all versions up to, and including, 3.115.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-6002 2025-06-12 N/A 7.2 HIGH
An unrestricted file upload vulnerability exists in the Product Image section of the VirtueMart backend. Authenticated attackers can upload files with arbitrary extensions, including executable or malicious files, potentially leading to remote code execution or other security impacts depending on server configuration.
CVE-2024-24025 1 Xxyopen 1 Novel-plus 2025-06-12 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pass in a specially crafted filename parameter to perform arbitrary file download.
CVE-2024-24000 1 Huaxiaerp 1 Jsherp 2025-06-12 N/A 9.8 CRITICAL
jshERP v3.3 is vulnerable to Arbitrary File Upload. The jshERP-boot/systemConfig/upload interface does not check the uploaded file type, and the biz parameter can be spliced into the upload path, resulting in arbitrary file uploads with controllable paths.
CVE-2025-29093 1 Motivian 1 Content Management System 2025-06-11 N/A 8.2 HIGH
File Upload vulnerability in Motivian Content Management System v.41.0.0 allows a remote attacker to execute arbitrary code via the Content/Gallery/Images component.
CVE-2024-33752 1 Emlog 1 Emlog 2025-06-11 N/A 6.3 MEDIUM
An arbitrary file upload vulnerability exists in emlog pro 2.3.0 and pro 2.3.2 at admin/views/plugin.php that could be exploited by a remote attacker to submit a special request to upload a malicious file to execute arbitrary code.
CVE-2024-26503 1 Openeclass 1 Openeclass 2025-06-10 N/A 9.1 CRITICAL
Unrestricted File Upload vulnerability in Greek Universities Network Open eClass v.3.15 and earlier allows attackers to run arbitrary code via upload of crafted file to certbadge.php endpoint.
CVE-2025-5299 1 Lerouxyxchire 1 Client Database Management System 2025-06-10 7.5 HIGH 7.3 HIGH
A vulnerability was found in SourceCodester Client Database Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /user_order_customer_update.php. The manipulation of the argument uploaded_file_cancelled leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-5840 1 Lerouxyxchire 1 Client Database Management System 2025-06-10 7.5 HIGH 7.3 HIGH
A vulnerability, which was classified as critical, was found in SourceCodester Client Database Management System 1.0. This affects an unknown part of the file /user_update_customer_order.php. The manipulation of the argument uploaded_file leads to unrestricted upload. It is possible to initiate the attack remotely.
CVE-2025-48471 1 Freescout 1 Freescout 2025-06-10 N/A 9.8 CRITICAL
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, the application does not check, or insufficiently checks, files uploaded to the application. This allows files to be uploaded with the phtml and phar extensions, which can lead to remote code execution if the Apache web server is used. This issue has been patched in version 1.8.179.
CVE-2025-5728 1 Nikhil-bhalerao 1 Open Source Clinic Management System 2025-06-10 6.5 MEDIUM 6.3 MEDIUM
A vulnerability classified as critical was found in SourceCodester Open Source Clinic Management System 1.0. This vulnerability affects unknown code of the file /manage_website.php. The manipulation of the argument website_image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2023-6636 1 Wpsoul 1 Greenshift 2025-06-10 N/A 7.2 HIGH
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the 'gspb_save_files' function in versions up to, and including, 7.6.2. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-32514 1 Infotheme 1 Wp Poll Maker 2025-06-09 N/A 9.9 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Poll Maker & Voting Plugin Team (InfoTheme) WP Poll Maker. This issue affects WP Poll Maker: from n/a through 3.4.
CVE-2025-45997 1 Senior-walter 1 Web-based Pharmacy Product Management System 2025-06-09 N/A 8.6 HIGH
Sourcecodester Web-based Pharmacy Product Management System v.1.0 has a file upload vulnerability. An attacker can upload a PHP file disguised as an image by modifying the Content-Type header to image/jpg.
CVE-2025-24650 1 Themefic 1 Tourfic 2025-06-09 N/A 9.1 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic allows Upload a Web Shell to a Web Server. This issue affects Tourfic: from n/a through 2.15.3.
CVE-2024-48760 1 Gestioip 1 Gestioip 2025-06-06 N/A 9.8 CRITICAL
An issue in GestioIP v3.5.7 allows a remote attacker to execute arbitrary code via the file upload function. The attacker can upload a malicious perlcmd.cgi file that overwrites the original upload.cgi file, enabling remote command execution.
CVE-2025-49329 2025-06-06 N/A 6.6 MEDIUM
Unrestricted Upload of File with Dangerous Type vulnerability in Agile Logix Store Locator WordPress allows Upload a Web Shell to a Web Server. This issue affects Store Locator WordPress: from n/a through 1.5.2.
CVE-2024-42563 1 Jerryhanjj 1 Erp 2025-06-05 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability in ERP commit 44bd04 allows attackers to execute arbitrary code via uploading a crafted HTML file.
CVE-2025-3054 2025-06-05 N/A 8.8 HIGH
The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note that this requires the 'Private Message' module to be enabled and the Business version of the P ...
CVE-2024-24399 1 Lepton-cms 1 Leptoncms 2025-06-05 N/A 7.2 HIGH
An arbitrary file upload vulnerability in LEPTON v7.0.0 allows authenticated attackers to execute arbitrary PHP code by uploading this code to the backend/languages/index.php languages area.
CVE-2024-10627 1 Vanquish 1 Woocommerce Support Ticket System 2025-06-05 N/A 9.8 CRITICAL
The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_manage_file_chunk_upload() function in all versions up to, and including, 17.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-22895 1 Dedecms 1 Dedecms 2025-06-05 N/A 8.8 HIGH
DedeCMS 5.7.112 has a File Upload vulnerability via uploads/dede/module_upload.php.
CVE-2024-11391 1 Advancedfilemanager 1 Advanced File Manager 2025-06-05 N/A 7.5 HIGH
The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-47151 1 Honor 1 Magicos 2025-06-05 N/A 6.3 MEDIUM
Some Honor products are affected by a file writing vulnerability; successful exploitation could cause code execution.
CVE-2024-13333 1 Advancedfilemanager 1 Advanced File Manager 2025-06-05 N/A 7.5 HIGH
The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fma_local_file_system' function in versions 5.2.12 to 5.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above and upload permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The function can be exploited only if the "Display .htaccess? ...
CVE-2025-47577 2025-06-05 N/A 10.0 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Upload a Web Shell to a Web Server. This issue affects TI WooCommerce Wishlist: from n/a before 2.10.0.
CVE-2024-40744 1 Convert Forms Project 1 Convert Forms 2025-06-04 N/A 9.8 CRITICAL
Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8.
CVE-2025-46078 1 Huocms 1 Huocms 2025-06-04 N/A 5.3 MEDIUM
HuoCMS V3.5.1 and before is vulnerable to file upload, which allows attackers to take control of the target server.
CVE-2025-46080 1 Huocms 1 Huocms 2025-06-04 N/A 5.3 MEDIUM
HuoCMS V3.5.1 has a File Upload Vulnerability. An attacker can exploit this flaw to bypass whitelist restrictions and craft malicious files with specific suffixes, thereby gaining control of the server.