Total: 3867 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-27282 | | | 2025-04-17 | N/A | 9.9 CRITICAL |
|
Unrestricted Upload of File with Dangerous Type vulnerability in rockgod100 Theme File Duplicator allows Using Malicious Files. This issue affects Theme File Duplicator: from n/a through 1.3.
|
|||||
| CVE-2025-32682 | | | 2025-04-17 | N/A | 9.9 CRITICAL |
|
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG Lite allows Upload a Web Shell to a Web Server. This issue affects MapSVG Lite: from n/a through 8.5.34.
|
|||||
| CVE-2025-39436 | | | 2025-04-17 | N/A | 9.1 CRITICAL |
|
Unrestricted Upload of File with Dangerous Type vulnerability in aidraw I Draw allows Using Malicious Files. This issue affects I Draw: from n/a through 1.0.
|
|||||
| CVE-2025-32652 | | | 2025-04-17 | N/A | 9.9 CRITICAL |
|
Unrestricted Upload of File with Dangerous Type vulnerability in solacewp Solace Extra allows Using Malicious Files. This issue affects Solace Extra: from n/a through 1.3.1.
|
|||||
| CVE-2023-52044 | 1 Std42 | 1 Elfinder | 2025-04-17 | N/A | 9.8 CRITICAL |
|
Studio-42 eLfinder 2.1.62 is vulnerable to Remote Code Execution (RCE) as there is no restriction for uploading files with the .php8 extension.
|
|||||
| CVE-2022-46135 | 1 Aerocms Project | 1 Aerocms | 2025-04-17 | N/A | 7.2 HIGH |
|
In AeroCms v0.0.1, there is an arbitrary file upload vulnerability at /admin/posts.php?source=edit_post, through which we can upload a webshell and control the web server.
|
|||||
| CVE-2023-42248 | 1 Seling | 1 Visual Access Manager | 2025-04-17 | N/A | 6.5 MEDIUM |
|
An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. An authenticated attacker can write arbitrary files by manipulating POST parameters of the page "common/vam_Sql.php".
|
|||||
| CVE-2022-46020 | 1 Wbce | 1 Wbce Cms | 2025-04-17 | N/A | 9.8 CRITICAL |
|
WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.
|
|||||
| CVE-2024-46377 | 1 Mayurik | 1 Best House Rental Management System | 2025-04-16 | N/A | 9.8 CRITICAL |
|
Best House Rental Management System 1.0 contains an arbitrary file upload vulnerability in the save_settings() function of the file rental/admin_class.php.
|
|||||
| CVE-2024-33438 | 1 Cubecart | 1 Cubecart | 2025-04-16 | N/A | 8.0 HIGH |
|
File Upload vulnerability in CubeCart before 6.5.5 allows an authenticated user to execute arbitrary code via a crafted .phar file.
|
|||||
| CVE-2024-31615 | 1 Thinkcmf | 1 Thinkcmf | 2025-04-16 | N/A | 9.8 CRITICAL |
|
ThinkCMF 6.0.9 is vulnerable to File upload via UeditorController.php.
|
|||||
| CVE-2022-0517 | 1 Mozilla | 1 Vpn | 2025-04-16 | N/A | 7.8 HIGH |
|
Mozilla VPN can load an OpenSSL configuration file from an unsecured directory. A user or attacker with limited privileges could leverage this to launch arbitrary code with SYSTEM privilege. This vulnerability affects Mozilla VPN < 2.7.1.
|
|||||
| CVE-2023-42286 | 1 Eyoucms | 1 Eyoucms | 2025-04-16 | N/A | 9.8 CRITICAL |
|
There is a PHP file inclusion vulnerability in the template configuration of eyoucms v1.6.4, allowing attackers to execute code or system commands through a carefully crafted malicious payload.
|
|||||
| CVE-2020-29607 | 1 Pluck-cms | 1 Pluck | 2025-04-16 | 6.5 MEDIUM | 7.2 HIGH |
|
A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access in the host through the "manage files" functionality, which may result in remote code execution.
|
|||||
| CVE-2020-20969 | 1 Pluck-cms | 1 Pluck | 2025-04-16 | N/A | 7.2 HIGH |
|
File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php file.
|
|||||
| CVE-2025-39538 | | | 2025-04-16 | N/A | 6.6 MEDIUM |
|
Unrestricted Upload of File with Dangerous Type vulnerability in Mathieu Chartier WP-Advanced-Search allows Upload a Web Shell to a Web Server. This issue affects WP-Advanced-Search: from n/a through 3.3.9.3.
|
|||||
| CVE-2025-26927 | | | 2025-04-16 | N/A | 10.0 CRITICAL |
|
Unrestricted Upload of File with Dangerous Type vulnerability in EPC AI Hub allows Upload a Web Shell to a Web Server. This issue affects AI Hub: from n/a through 1.3.3.
|
|||||
| CVE-2025-1980 | | | 2025-04-16 | N/A | N/A |
|
The Ready_ application's Profile section allows users to upload files of any type and extension without restriction. If the server is misconfigured, as it was by default when installed at the turn of 2021 and 2022, it can result in Remote Code Execution. Refer to the Required Configuration for Exposure section for more information.
|
|||||
| CVE-2025-39557 | | | 2025-04-16 | N/A | 9.1 CRITICAL |
|
Unrestricted Upload of File with Dangerous Type vulnerability in Ben Ritner - Kadence WP Kadence WooCommerce Email Designer allows Upload a Web Shell to a Web Server. This issue affects Kadence WooCommerce Email Designer: from n/a through 1.5.14.
|
|||||
| CVE-2022-34483 | 1 Mozilla | 1 Firefox | 2025-04-15 | N/A | 8.8 HIGH |
|
An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34482. This vulnerability affects Firefox < 102.
|
|||||
| CVE-2022-34482 | 1 Mozilla | 1 Firefox | 2025-04-15 | N/A | 8.8 HIGH |
|
An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34483. This vulnerability affects Firefox < 102.
|
|||||
| CVE-2025-2952 | 1 Bluestar | 1 Micro Mall | 2025-04-15 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability classified as critical was found in Bluestar Micro Mall 1.0. Affected by this vulnerability is an unknown functionality of the file /api/api.php?mod=upload&type=1. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2022-46493 | 1 Nbnbk Project | 1 Nbnbk | 2025-04-15 | N/A | 9.8 CRITICAL |
|
Default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img.
|
|||||
| CVE-2022-46102 | 1 Ayacms Project | 1 Ayacms | 2025-04-15 | N/A | 9.8 CRITICAL |
|
AyaCMS 3.1.2 is vulnerable to Arbitrary file upload via /aya/module/admin/fst_down.inc.php
|
|||||
| CVE-2022-45966 | 1 Classcms Project | 1 Classcms | 2025-04-15 | N/A | 9.8 CRITICAL |
|
There is an arbitrary file upload vulnerability in the file management function module of Classcms3.5.
|
|||||
| CVE-2022-45415 | 1 Mozilla | 1 Firefox | 2025-04-15 | N/A | 7.8 HIGH |
|
When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later run. This vulnerability affects Firefox < 107.
|
|||||
| CVE-2022-45896 | 1 Planetestream | 1 Planet Estream | 2025-04-14 | N/A | 9.8 CRITICAL |
|
Planet eStream before 6.72.10.07 allows unauthenticated upload of arbitrary files: Choose a Video / Related Media or Upload Document. Upload2.ashx can be used, or Ajax.asmx/ProcessUpload2. This leads to remote code execution.
|
|||||
| CVE-2024-56975 | 1 Invoiceplane | 1 Invoiceplane | 2025-04-14 | N/A | 9.8 CRITICAL |
|
InvoicePlane (all versions tested as of December 2024) v.1.6.11 and before contains a remote code execution vulnerability in the upload_file method of the Upload controller.
|
|||||
| CVE-2024-54918 | 1 Lopalopa | 1 E-learning Management System | 2025-04-14 | N/A | 9.8 CRITICAL |
|
Kashipara E-learning Management System v1.0 is vulnerable to Remote Code Execution via File Upload in /teacher_avatar.php.
|
|||||
| CVE-2022-45427 | 1 Dahuasecurity | 8 Dhi-dss4004-s2, Dhi-dss4004-s2 Firmware, Dhi-dss7016d-s2 and 5 more | 2025-04-14 | N/A | 7.2 HIGH |
|
Some Dahua software products have a vulnerability of unrestricted upload of file. After obtaining the permissions of administrators, by sending a specific crafted packet to the vulnerable interface, an attacker can upload arbitrary files.
|
|||||
| CVE-2016-7902 | 1 Dotclear | 1 Dotclear | 2025-04-12 | 6.5 MEDIUM | 8.8 HIGH |
|
Unrestricted file upload vulnerability in the fileUnzip->unzip method in Dotclear before 2.10.3 allows remote authenticated users with permissions to manage media items to execute arbitrary code by uploading a ZIP file containing a file with a crafted extension, as demonstrated by .php.txt or .php%20.
|
|||||
| CVE-2016-9187 | 1 Moodle | 1 Moodle | 2025-04-12 | 6.5 MEDIUM | 8.8 HIGH |
|
Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors.
|
|||||
| CVE-2016-2914 | 1 Ibm | 1 Engineering Lifecycle Optimization - Publishing | 2025-04-12 | 5.5 MEDIUM | 5.4 MEDIUM |
|
Unrestricted file upload vulnerability in the Document Builder in IBM Rational Publishing Engine (aka RPENG) 2.0.1 before ifix002 allows remote authenticated users to execute arbitrary code by specifying an unexpected file extension.
|
|||||
| CVE-2015-1000013 | 1 Csv2wpec-coupon Project | 1 Csv2wpec-coupon | 2025-04-12 | 5.0 MEDIUM | 7.8 HIGH |
|
Remote file upload vulnerability in WordPress plugin csv2wpec-coupon v1.1
|
|||||
| CVE-2015-4524 | 1 Emc | 5 Documentum Administrator, Documentum Digital Asset Manager, Documentum Taskspace and 2 more | 2025-04-12 | 6.5 MEDIUM | N/A |
|
Unrestricted file upload vulnerability in EMC Documentum WebTop 6.7SP1 before P31, 6.7SP2 before P23, and 6.8 before P01; Documentum Administrator 6.7SP1 before P31, 6.7SP2 before P23, 7.0 before P18, 7.1 before P15, and 7.2 before P01; Documentum Digital Assets Manager 6.5SP6 before P25; Documentum Web Publishers 6.5 SP7 before P25; and Documentum Task Space 6.7SP1 before P31 and 6.7SP2 before P23 allows remote authenticated users to execute arbitrary code by uploading a file to the backend Con ...
|
|||||
| CVE-2015-0702 | 1 Cisco | 1 Unified Meetingplace | 2025-04-12 | 9.0 HIGH | N/A |
|
Unrestricted file upload vulnerability in the Custom Prompts upload implementation in Cisco Unified MeetingPlace 8.6(1.9) allows remote authenticated users to execute arbitrary code by using the languageShortName parameter to upload a file that provides shell access, aka Bug ID CSCus95712.
|
|||||
| CVE-2016-9268 | 1 Dotclear | 1 Dotclear | 2025-04-12 | 9.0 HIGH | 7.2 HIGH |
|
Unrestricted file upload vulnerability in the Blog appearance in the "Install or upgrade manually" module in Dotclear through 2.10.4 allows remote authenticated super-administrators to execute arbitrary code by uploading a theme file with a zip extension, and then accessing it via unspecified vectors.
|
|||||
| CVE-2016-7095 | 1 Exponentcms | 1 Exponent Cms | 2025-04-12 | 7.5 HIGH | 9.8 CRITICAL |
|
Exponent CMS before 2.3.9 is vulnerable to an attacker uploading a malicious script file using redirection to place the script in an unprotected folder, one allowing script execution.
|
|||||
| CVE-2016-7452 | 1 Exponentcms | 1 Exponent Cms | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
|
The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to upload a malicious file to any folder on the site via a cpi directory traversal.
|
|||||
| CVE-2016-9186 | 1 Moodle | 1 Moodle | 2025-04-12 | 6.5 MEDIUM | 8.8 HIGH |
|
Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors.
|
|||||