Total: 3867 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-0757 | 1 Elearningfreak | 1 Insert Or Embed Articulate Content | 2025-05-21 | N/A | 5.4 MEDIUM | The Insert or Embed Articulate Content into WordPress plugin through 4.3000000023 is not properly filtering which file extensions are allowed to be imported on the server, allowing the uploading of malicious code within zip files. |
| CVE-2022-40925 | 1 Phpgurukul | 1 Zoo Management System | 2025-05-21 | N/A | 7.2 HIGH | Zoo Management System v1.0 has an arbitrary file upload vulnerability in the picture upload point of the "save_event" file of the "Events" module in the background management system. |
| CVE-2022-40878 | 1 Exam Reviewer Management System Project | 1 Exam Reviewer Management System | 2025-05-21 | N/A | 8.8 HIGH | In Exam Reviewer Management System 1.0, an authenticated attacker can upload a web-shell PHP file in the profile page to achieve Remote Code Execution (RCE). |
| CVE-2025-4926 | 1 Phpgurukul | 1 Car Rental Portal | 2025-05-21 | 5.8 MEDIUM | 4.7 MEDIUM | A vulnerability was found in PHPGurukul Car Rental Project 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/post-avehical.php. The manipulation of the argument img1/img2/img3/img4/img5 leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2022-41437 | 1 Billing System Project Project | 1 Billing System Project | 2025-05-20 | N/A | 7.2 HIGH | Billing System Project v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/createProduct.php. |
| CVE-2022-40407 | 1 Chamilo | 1 Chamilo | 2025-05-20 | N/A | 8.8 HIGH | A zip slip vulnerability in the file upload function of Chamilo v1.11 allows attackers to execute arbitrary code via a crafted Zip file. |
| CVE-2022-40048 | 1 Flatpress | 1 Flatpress | 2025-05-20 | N/A | 7.2 HIGH | Flatpress v1.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the Upload File function. |
| CVE-2025-22389 | 1 Optimizely | 1 Optimizely Cms | 2025-05-20 | N/A | 8.0 HIGH | An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS, where the application does not properly validate uploaded files. This allows the upload of potentially malicious file types, including .docm and .html. When accessed by application users, these files can be used to execute malicious actions or compromise users' systems. |
| CVE-2022-41406 | 1 Church Management System Project | 1 Church Management System | 2025-05-20 | N/A | 7.2 HIGH | An arbitrary file upload vulnerability in the /admin/admin_pic.php component of Church Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2022-40341 | 1 Mojoportal | 1 Mojoportal | 2025-05-20 | N/A | 8.8 HIGH | mojoPortal v2.7 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted PNG file. |
| CVE-2022-41385 | 1 Democritus | 1 D8s-html | 2025-05-20 | N/A | 9.8 CRITICAL | The d8s-html package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0. |
| CVE-2022-41384 | 1 Democritus | 1 D8s-domains | 2025-05-20 | N/A | 9.8 CRITICAL | The d8s-domains package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0. |
| CVE-2022-41383 | 1 Democritus | 1 D8s-archives | 2025-05-20 | N/A | 9.8 CRITICAL | The d8s-archives package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0. |
| CVE-2022-42037 | 1 Democritus | 1 D8s-asns | 2025-05-20 | N/A | 9.8 CRITICAL | The d8s-asns package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-csv package. The affected version is 0.1.0. |
| CVE-2022-42034 | 1 Wedding Planner Project | 1 Wedding Planner | 2025-05-20 | N/A | 8.8 HIGH | Wedding Planner v1.0 is vulnerable to arbitrary code execution via users_profile.php. |
| CVE-2022-41387 | 1 Democritus | 1 D8s-pdfs | 2025-05-20 | N/A | 9.8 CRITICAL | The d8s-pdfs package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0. |
| CVE-2022-41386 | 1 Democritus | 1 D8s-utility | 2025-05-20 | N/A | 9.8 CRITICAL | The d8s-utility package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0. |
| CVE-2022-41382 | 1 Democritus | 1 D8s-json | 2025-05-20 | N/A | 9.8 CRITICAL | The d8s-json package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0. |
| CVE-2022-41381 | 1 Democritus | 1 D8s-utility | 2025-05-20 | N/A | 9.8 CRITICAL | The d8s-utility package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0. |
| CVE-2022-41380 | 1 Democritus | 1 D8s-yaml | 2025-05-20 | N/A | 9.8 CRITICAL | The d8s-yaml package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0. |
| CVE-2022-29623 | 1 Connect-multiparty Project | 1 Connect-multiparty | 2025-05-20 | 6.8 MEDIUM | 7.8 HIGH | An arbitrary file upload vulnerability in the file upload module of Express Connect-Multiparty 2.2.0 allows attackers to execute arbitrary code via a crafted PDF file. NOTE: the Supplier has not verified this vulnerability report. |
| CVE-2022-42229 | 1 Wedding Planner Project | 1 Wedding Planner | 2025-05-19 | N/A | 8.8 HIGH | Wedding Planner v1.0 is vulnerable to arbitrary code execution via package_edit.php. |
| CVE-2022-42044 | 1 Democritus | 1 D8s-asns | 2025-05-19 | N/A | 9.8 CRITICAL | The d8s-asns package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-html package. The affected version is 0.1.0. |
| CVE-2022-42043 | 1 Democritus | 1 D8s-xml | 2025-05-19 | N/A | 9.8 CRITICAL | The d8s-xml package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-html package. The affected version is 0.1.0. |
| CVE-2022-42040 | 1 Democritus | 1 D8s-algorithms | 2025-05-19 | N/A | 9.8 CRITICAL | The d8s-algorithms package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-dicts package. The affected version is 0.1.0. |
| CVE-2022-42039 | 1 Democritus | 1 D8s-lists | 2025-05-19 | N/A | 9.8 CRITICAL | The d8s-lists package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-dicts package. The affected version is 0.1.0. |
| CVE-2022-42038 | 1 Democritus | 1 D8s-ip-addresses | 2025-05-19 | N/A | 9.8 CRITICAL | The d8s-ip-addresses package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-csv package. The affected version is 0.1.0. |
| CVE-2025-4389 | | | 2025-05-19 | N/A | 9.8 CRITICAL | The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. |
| CVE-2025-4391 | | | 2025-05-19 | N/A | 9.8 CRITICAL | The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to, and including, 5.4.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. |
| CVE-2025-3917 | | | 2025-05-16 | N/A | 9.8 CRITICAL | The 百度站长SEO合集(支持百度/神马/Bing/头条推送) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download_remote_image_to_media_library function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. |
| CVE-2025-4768 | | | 2025-05-16 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability classified as critical has been found in feng_ha_ha/megagao ssm-erp and production_ssm 1.0. This affects the function uploadPicture of the file PictureServiceImpl.java. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product is distributed under two entirely different names. |
| CVE-2024-42180 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | N/A | 1.6 LOW | HCL MyXalytics is affected by a malicious file upload vulnerability. The application accepts invalid file uploads, including incorrect content types, double extensions, null bytes, and special characters, allowing attackers to upload and execute malicious files. |
| CVE-2024-24393 | 1 Oaooa | 1 Pichome | 2025-05-15 | N/A | 9.8 CRITICAL | A file upload vulnerability in index.php in Pichome v.1.1.01 allows a remote attacker to execute arbitrary code via a crafted POST request. |
| CVE-2024-0699 | 1 Meowapps | 1 Ai Engine | 2025-05-15 | N/A | 6.6 MEDIUM | The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_image_from_url' function in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Editor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. |
| CVE-2023-6925 | 1 Unitecms | 1 Unlimited Addons For Wpbakery Page Builder | 2025-05-15 | N/A | 7.2 HIGH | The Unlimited Addons for WPBakery Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'importZipFile' function in versions up to, and including, 1.0.42. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin (the default is editor role, but access can also be granted to contributor role), to upload arbitrary files on the affected site's server which may mak ... |
| CVE-2023-6635 | 1 Extendify | 1 Editorskit | 2025-05-15 | N/A | 7.2 HIGH | The EditorsKit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the 'import_styles' function in versions up to, and including, 1.40.3. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. |
| CVE-2023-40265 | 1 Mitel | 1 Unify Openscape Xpressions Webassistant | 2025-05-15 | N/A | 8.8 HIGH | An issue was discovered in Atos Unify OpenScape Xpressions WebAssistant V7 before V7R1 FR5 HF42 P911. It allows authenticated remote code execution via file upload. |
| CVE-2022-41537 | 1 Online Tours & Travels Management System Project | 1 Online Tours & Travels Management System | 2025-05-15 | N/A | 7.2 HIGH | Online Tours & Travels Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /user_operations/profile.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2022-41534 | 1 Online Diagnostic Lab Management System Project | 1 Online Diagnostic Lab Management System | 2025-05-15 | N/A | 7.2 HIGH | Online Diagnostic Lab Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /php_action/createOrder.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2022-41533 | 1 Online Diagnostic Lab Management System Project | 1 Online Diagnostic Lab Management System | 2025-05-15 | N/A | 7.2 HIGH | Online Diagnostic Lab Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /php_action/editProductImage.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. |