Total
3867 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-43146 | 1 Canteen Management System Project | 1 Canteen Management System | 2025-05-01 | N/A | 7.2 HIGH |
|
An arbitrary file upload vulnerability in the image upload function of Canteen Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.
|
|||||
| CVE-2022-43074 | 1 Ayacms Project | 1 Ayacms | 2025-05-01 | N/A | 9.8 CRITICAL |
|
AyaCMS v3.1.2 was discovered to contain an arbitrary file upload vulnerability via the component /admin/fst_upload.inc.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
|
|||||
| CVE-2024-28418 | 1 Webedition | 1 Webedition Cms | 2025-04-30 | N/A | 6.5 MEDIUM |
|
Webedition CMS 9.2.2.0 has a File upload vulnerability via /webEdition/we_cmd.php
|
|||||
| CVE-2018-15573 | 1 Reprisesoftware | 1 Reprise License Manager | 2025-04-30 | 9.3 HIGH | 8.8 HIGH |
|
An issue was discovered in Reprise License Manager (RLM) through 12.2BL2. Attackers can use the web interface to read and write data to any file on disk (as long as rlm.exe has access to it) via /goform/edit_lf_process with file content in the lfdata parameter and a pathname in the lf parameter. By default, the web interface is on port 5054, and does not require authentication. NOTE: the vendor has stated "We do not consider this a vulnerability.
|
|||||
| CVE-2025-3969 | 1 Code-projects | 1 News Publishing Site Dashboard | 2025-04-30 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was found in codeprojects News Publishing Site Dashboard 1.0. It has been rated as critical. This issue affects some unknown processing of the file /edit-category.php of the component Edit Category Page. The manipulation of the argument category_image leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-3830 | 1 Kuangstudy | 1 Kuangsimplebbs | 2025-04-30 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was found in kuangstudy KuangSimpleBBS 1.0. It has been declared as critical. Affected by this vulnerability is the function fileUpload of the file src/main/java/com/kuang/controller/QuestionController.java. The manipulation of the argument editormd-image-file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-42767 | 1 Jayesh | 1 Hotel Management System | 2025-04-30 | N/A | 7.2 HIGH |
|
Kashipara Hotel Management System v1.0 is vulnerable to Unrestricted File Upload RCE via /admin/add_room_controller.php.
|
|||||
| CVE-2024-29368 | 1 Mozilo | 1 Mozilocms | 2025-04-30 | N/A | 6.5 MEDIUM |
|
An arbitrary file upload vulnerability in the file handling module of moziloCMS v2.0 allows attackers to bypass extension restrictions via file renaming, potentially leading to unauthorized file execution or storage of malicious content.
|
|||||
| CVE-2024-42991 | 1 Mingsoft | 1 Mcms | 2025-04-30 | N/A | 8.1 HIGH |
|
MCMS v5.4.1 has front-end file upload vulnerability which can lead to remote command execution.
|
|||||
| CVE-2025-29017 | 1 Codeastro | 1 Internet Banking System | 2025-04-30 | N/A | 8.8 HIGH |
|
A Remote Code Execution (RCE) vulnerability exists in Code Astro Internet Banking System 2.0.0 due to improper file upload validation in the profile_pic parameter within pages_view_client.php.
|
|||||
| CVE-2024-37762 | 1 Machform | 1 Machform | 2025-04-30 | N/A | 9.9 CRITICAL |
|
MachForm up to version 21 is affected by an authenticated unrestricted file upload which leads to a remote code execution.
|
|||||
| CVE-2024-34833 | 1 Oretnom23 | 1 Payroll Management System | 2025-04-30 | N/A | 9.8 CRITICAL |
|
Sourcecodester Payroll Management System v1.0 is vulnerable to File Upload. Users can upload images via the "save_settings" page. An unauthenticated attacker can leverage this functionality to upload a malicious PHP file instead. Successful exploitation of this vulnerability results in the ability to execute arbitrary code as the user running the web server.
|
|||||
| CVE-2022-43234 | 1 Hoosk | 1 Hoosk | 2025-04-30 | N/A | 9.8 CRITICAL |
|
An arbitrary file upload vulnerability in the /attachments component of Hoosk v1.8 allows attackers to execute arbitrary code via a crafted PHP file.
|
|||||
| CVE-2022-43265 | 1 Canteen Management System Project | 1 Canteen Management System | 2025-04-30 | N/A | 9.8 CRITICAL |
|
An arbitrary file upload vulnerability in the component /pages/save_user.php of Canteen Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.
|
|||||
| CVE-2022-43192 | 1 Dedecms | 1 Dedecms | 2025-04-29 | N/A | 6.7 MEDIUM |
|
An arbitrary file upload vulnerability in the component /dede/file_manage_control.php of Dedecms v5.7.101 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is related to an incomplete fix for CVE-2022-40886.
|
|||||
| CVE-2020-23591 | 1 Optilinknetwork | 2 Op-xt71000n, Op-xt71000n Firmware | 2025-04-29 | N/A | 9.8 CRITICAL |
|
A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an attacker to upload arbitrary files through " /mgm_dev_upgrade.asp " which can "delete every file for Denial of Service (using 'rm -rf *.*' in the code), reverse connection (using '.asp' webshell), backdoor.
|
|||||
| CVE-2022-44384 | 1 Rconfig | 1 Rconfig | 2025-04-29 | N/A | 8.8 HIGH |
|
An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code via a crafted PHP file.
|
|||||
| CVE-2022-41705 | 1 Uatech | 1 Badaso | 2025-04-29 | N/A | 9.8 CRITICAL |
|
Badaso version 2.6.3 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.
|
|||||
| CVE-2022-44401 | 1 Online Tours \& Travels Management System Project | 1 Online Tours \& Travels Management System | 2025-04-29 | N/A | 9.8 CRITICAL |
|
Online Tours & Travels Management System v1.0 contains an arbitrary file upload vulnerability via /tour/admin/file.php.
|
|||||
| CVE-2025-46616 | 2025-04-29 | N/A | 9.9 CRITICAL | ||
|
Quantum StorNext Web GUI API before 7.2.4 allows potential Arbitrary Remote Code Execution (RCE) via upload of a file. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage.
|
|||||
| CVE-2025-46264 | 2025-04-29 | N/A | 9.9 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Angelo Mandato PowerPress Podcasting allows Upload a Web Shell to a Web Server. This issue affects PowerPress Podcasting: from n/a through 11.12.5.
|
|||||
| CVE-2025-4006 | 2025-04-29 | 5.8 MEDIUM | 4.7 MEDIUM | ||
|
A vulnerability classified as critical has been found in youyiio BeyongCms 1.6.0. Affected is an unknown function of the file /admin/theme/Upload.html of the component Document Management Page. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2021-43258 | 1 Churchdb | 1 Churchinfo | 2025-04-28 | N/A | 8.8 HIGH |
|
CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access tot he ChurchInfo application. Once authenticated, a user can add names to their cart, and compose an email. Uploading an attachment for the email stores the attachment on the site in the /tmp_attach/ folder where it can be accessed with a GET request. There are no limitations on files that can be attached, allowing for malicious PHP code to be uploaded ...
Show More |
|||||
| CVE-2022-30529 | 1 Isic.lk Project | 1 Isic.lk | 2025-04-28 | N/A | 7.2 HIGH |
|
File upload vulnerability in asith-eranga ISIC tour booking through version published on Feb 13th 2018, allows attackers to upload arbitrary files via /system/application/libs/js/tinymce/plugins/filemanager/dialog.php and /system/application/libs/js/tinymce/plugins/filemanager/upload.php.
|
|||||
| CVE-2024-48180 | 1 Classcms | 1 Classcms | 2025-04-28 | N/A | 9.8 CRITICAL |
|
ClassCMS <=4.8 is vulnerable to file inclusion in the nowView method in/class/cms/cms.php, which can include a file uploaded to the/class/template directory to execute PHP code.
|
|||||
| CVE-2024-46101 | 1 Gdidees | 1 Gdidees Cms | 2025-04-28 | N/A | 9.8 CRITICAL |
|
GDidees CMS <= v3.9.1 has a file upload vulnerability.
|
|||||
| CVE-2024-55514 | 1 Raisecom | 8 Msg1200, Msg1200 Firmware, Msg2100e and 5 more | 2025-04-28 | N/A | 6.3 MEDIUM |
|
A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 3.90. The component affected by this issue is /upload_sfmig.php on the web interface. By crafting a suitable form name, arbitrary files can be uploaded, potentially leading to unauthorized access to server permissions.
|
|||||
| CVE-2024-40425 | 1 Sparkshop | 1 Sparkshop | 2025-04-28 | N/A | 9.8 CRITICAL |
|
File Upload vulnerability in Nanjin Xingyuantu Technology Co Sparkshop (Spark Mall B2C Mall v.1.1.6 and before allows a remote attacker to execute arbitrary code via the contorller/common.php component.
|
|||||
| CVE-2024-24714 | 1 Bplugins | 1 Icons Font Loader | 2025-04-28 | N/A | 7.2 HIGH |
|
Unrestricted Upload of File with Dangerous Type vulnerability in bPlugins LLC Icons Font Loader.This issue affects Icons Font Loader: from n/a through 1.1.4.
|
|||||
| CVE-2022-44400 | 1 Purchase Order Management System Project | 1 Purchase Order Management System | 2025-04-25 | N/A | 9.8 CRITICAL |
|
Purchase Order Management System v1.0 contains a file upload vulnerability via /purchase_order/admin/?page=system_info.
|
|||||
| CVE-2022-45039 | 1 Wbce | 1 Wbce Cms | 2025-04-25 | N/A | 7.2 HIGH |
|
An arbitrary file upload vulnerability in the Server Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary code via a crafted PHP file.
|
|||||
| CVE-2024-3369 | 1 Anisha | 1 Car Rental | 2025-04-25 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability, which was classified as critical, has been found in code-projects Car Rental 1.0. Affected by this issue is some unknown functionality of the file add-vehicle.php. The manipulation of the argument Upload Image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-259490 is the identifier assigned to this vulnerability.
|
|||||
| CVE-2022-44354 | 1 Contec | 2 Solarview Compact, Solarview Compact Firmware | 2025-04-25 | N/A | 9.8 CRITICAL |
|
SolarView Compact 4.0 and 5.0 is vulnerable to Unrestricted File Upload via a crafted php file.
|
|||||
| CVE-2022-36431 | 1 Rocketsoftware | 1 Trufusion | 2025-04-24 | N/A | 9.8 CRITICAL |
|
An arbitrary file upload vulnerability in Rocket TRUfusion Enterprise before 7.9.6.1 allows unauthenticated attackers to execute arbitrary code via a crafted JSP file. Issue fixed in version 7.9.6.1.
|
|||||
| CVE-2024-0864 | 1 Laragon | 1 Laragon | 2025-04-24 | N/A | 9.8 CRITICAL |
|
Enabling Simple Ajax Uploader plugin included in Laragon open-source software allows for a remote code execution (RCE) attack via an improper input validation in a file_upload.php file which serves as an example.
By default, Laragon is not vulnerable until a user decides to use the aforementioned plugin.
|
|||||
| CVE-2025-29287 | 1 Mingsoft | 1 Mcms | 2025-04-24 | N/A | 9.8 CRITICAL |
|
An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file.
|
|||||
| CVE-2024-24026 | 1 Xxyopen | 1 Novel-plus | 2025-04-24 | N/A | 9.8 CRITICAL |
|
An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download.
|
|||||
| CVE-2023-50386 | 1 Apache | 1 Solr | 2025-04-24 | N/A | 8.8 HIGH |
|
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.
In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API.
When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSy ...
Show More |
|||||
| CVE-2023-26686 | 1 Cs-cart | 1 Cs-cart Multivendor | 2025-04-24 | N/A | 9.8 CRITICAL |
|
File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via the image upload feature when customizing a shop.
|
|||||
| CVE-2023-26690 | 1 Cs-cart | 1 Cs-cart Multivendor | 2025-04-24 | N/A | 8.8 HIGH |
|
File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via File Manager/Editor component in the vendor or admin menu.
|
|||||