Total: 3867 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2015-1000001 | 1 Fast-image-adder Project | 1 Fast-image-adder | 2025-04-12 | 5.0 MEDIUM | 9.8 CRITICAL | Remote file upload vulnerability in fast-image-adder v1.1 Wordpress plugin |
| CVE-2015-1000000 | 1 Mailcwp Project | 1 Mailcwp | 2025-04-12 | 5.0 MEDIUM | 9.8 CRITICAL | Remote file upload vulnerability in mailcwp v1.99 wordpress plugin |
| CVE-2016-5050 | 1 Readydesk | 1 Readydesk | 2025-04-12 | 7.5 HIGH | 9.8 CRITICAL | Unrestricted file upload vulnerability in chat/sendfile.aspx in ReadyDesk 9.1 allows remote attackers to execute arbitrary code by uploading and requesting a .aspx file. |
| CVE-2025-32206 | | | 2025-04-11 | N/A | 9.1 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in LABCAT Processing Projects allows Upload a Web Shell to a Web Server. This issue affects Processing Projects: from n/a through 1.0.2. |
| CVE-2025-32215 | | | 2025-04-11 | N/A | 6.5 MEDIUM | Unrestricted Upload of File with Dangerous Type vulnerability in Ability, Inc Accessibility Suite by Online ADA allows Stored XSS. This issue affects Accessibility Suite by Online ADA: from n/a through 4.18. |
| CVE-2025-32579 | | | 2025-04-11 | N/A | 9.9 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in SoftClever Limited Sync Posts allows Upload a Web Shell to a Web Server. This issue affects Sync Posts: from n/a through 1.0. |
| CVE-2025-32140 | | | 2025-04-11 | N/A | 9.9 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Nirmal Kumar Ram WP Remote Thumbnail allows Upload a Web Shell to a Web Server. This issue affects WP Remote Thumbnail: from n/a through 1.3.1. |
| CVE-2025-32202 | | | 2025-04-11 | N/A | 9.1 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Brian Batt - elearningfreak.com Insert or Embed Articulate Content into WordPress allows Upload a Web Shell to a Web Server. This issue affects Insert or Embed Articulate Content into WordPress: from n/a through 4.3000000025. |
| CVE-2024-3229 | 1 Salonbookingsystem | 1 Salon Booking System | 2025-04-11 | N/A | 9.8 CRITICAL | The Salon booking system plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the SLN_Action_Ajax_ImportAssistants function along with missing authorization checks in all versions up to, and including, 10.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. |
| CVE-2023-30613 | 1 Kiwitcms | 1 Kiwi Tcms | 2025-04-11 | N/A | 8.1 HIGH | Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. In versions of Kiwi TCMS prior to 12.2, there is no control over what kinds of files can be uploaded. Thus, a malicious actor may upload an `.exe` file or a file containing embedded JavaScript and trick others into clicking on these files, causing vulnerable browsers to execute malicious code on another computer. Kiwi TCMS v12.2 comes with functionality that allows administrators ... |
| CVE-2023-45595 | 1 Ailux | 1 Imx6 | 2025-04-11 | N/A | 5.9 MEDIUM | A CWE-434 "Unrestricted Upload of File with Dangerous Type" vulnerability in the "file_configuration" functionality of the web application allows a remote authenticated attacker to upload any arbitrary type of file into the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2. |
| CVE-2024-29387 | 1 Projeqtor | 1 Projeqtor | 2025-04-11 | N/A | 8.8 HIGH | projeqtor up to 11.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /view/print.php. |
| CVE-2021-35002 | 1 Bmc | 1 Track-It! | 2025-04-10 | N/A | 8.8 HIGH | BMC Track-It! Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of BMC Track-It!. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of email attachments. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code ... |
| CVE-2022-48194 | 1 Tp-link | 2 Tl-wr902ac, Tl-wr902ac Firmware | 2025-04-10 | N/A | 8.8 HIGH | TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) by uploading a crafted firmware update because the signature check is inadequate. |
| CVE-2025-25784 | 1 Jizhicms | 1 Jizhicms | 2025-04-10 | N/A | 9.8 CRITICAL | An arbitrary file upload vulnerability in the component \c\TemplateController.php of Jizhicms v2.5.4 allows attackers to execute arbitrary code via uploading a crafted Zip file. |
| CVE-2025-26325 | 1 Shopxo | 1 Shopxo | 2025-04-10 | N/A | 9.8 CRITICAL | ShopXO 6.4.0 is vulnerable to File Upload in ThemeDataService.php. |
| CVE-2025-2973 | 1 Code-projects | 1 College Management System | 2025-04-10 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability, which was classified as critical, was found in code-projects College Management System 1.0. This affects an unknown part of the file /Admin/student.php. The manipulation of the argument profile_image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-31002 | | | 2025-04-09 | N/A | 9.1 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze allows Using Malicious Files. This issue affects Squeeze: from n/a through 1.6. |
| CVE-2025-22133 | 1 Wegia | 1 Wegia | 2025-04-09 | N/A | 9.9 CRITICAL | WeGIA is a web manager for charitable institutions. Prior to 3.2.8, a critical vulnerability was identified in the /WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. The endpoint accepts file uploads without proper validation, allowing the upload of malicious files, such as .phar, which can then be executed by the server. This vulnerability is fixed in 3.2.8. |
| CVE-2024-13744 | 1 Booster | 1 Booster For Woocommerce | 2025-04-09 | N/A | 8.1 HIGH | The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the validate_product_input_fields_on_add_to_cart function in versions 4.0.1 to 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. |
| CVE-2024-13708 | 1 Booster | 1 Booster For Woocommerce | 2025-04-09 | N/A | 7.2 HIGH | The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in versions 4.0.1 to 7.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. |
| CVE-2022-46610 | 1 72crm | 1 Wukong Crm | 2025-04-09 | N/A | 8.8 HIGH | 72crm v9 was discovered to contain an arbitrary file upload vulnerability via the avatar upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2024-1205 | 1 Wemanage | 1 Wemanage | 2025-04-09 | N/A | 8.8 HIGH | The Management App for WooCommerce – Order notifications, Order management, Lead management, Uptime Monitoring plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the nouvello_upload_csv_file function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. |
| CVE-2025-25790 | 1 Foxcms | 1 Foxcms | 2025-04-09 | N/A | 9.8 CRITICAL | An arbitrary file upload vulnerability in the component \controller\LocalTemplate.php of FoxCMS v1.2.5 allows attackers to execute arbitrary code via uploading a crafted Zip file. |
| CVE-2006-6994 | 1 Indirmax.org | 1 Ozzywork Galeri | 2025-04-09 | 6.4 MEDIUM | N/A | Unrestricted file upload vulnerability in add.asp in OzzyWork Gallery, possibly 2.0 and earlier, allows remote attackers to upload and execute arbitrary ASP files by removing the client-side security checks. |
| CVE-2006-5845 | 1 Speedywiki | 1 Speedywiki | 2025-04-09 | 6.5 MEDIUM | N/A | Unrestricted file upload vulnerability in index.php in Speedywiki 2.0 allows remote authenticated users to upload and execute arbitrary PHP code by setting the upload parameter to 1. |
| CVE-2025-32370 | 1 Kentico | 1 Xperience | 2025-04-08 | N/A | 7.2 HIGH | Kentico Xperience before 13.0.178 has a specific set of allowed ContentUploader file extensions for unauthenticated uploads; however, because .zip is processed through TryZipProviderSafe, there is additional functionality to create files with other extensions. NOTE: this is a separate issue not necessarily related to SVG or XSS. |
| CVE-2025-3325 | 1 Iteaj | 1 Iboot | 2025-04-08 | 4.0 MEDIUM | 4.3 MEDIUM | A vulnerability, which was classified as problematic, was found in iteaj iboot 物联网网关 1.1.3. This affects an unknown part of the file /core/admin/pwd of the component Admin Password Handler. The manipulation of the argument ID leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-2525 | | | 2025-04-08 | N/A | 8.8 HIGH | The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. |
| CVE-2024-29100 | 1 Meowapps | 1 Ai Engine | 2025-04-08 | N/A | 9.1 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot. This issue affects AI Engine: ChatGPT Chatbot: from n/a through 2.1.4. |
| CVE-2024-3778 | 1 Ai3 | 1 Qbibot | 2025-04-08 | N/A | 7.2 HIGH | The file upload functionality of Ai3 QbiBot does not properly restrict types of uploaded files, allowing remote attackers with administrator privilege to upload files with dangerous type containing malicious code. |
| CVE-2025-2006 | | | 2025-04-07 | N/A | 8.8 HIGH | The Inline Image Upload for BBPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension validation in the file uploading functionality in all versions up to, and including, 1.1.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This may be exploitable by unauthenticated attackers when the "Allow guest users with ... |
| CVE-2025-25783 | 1 Emlog | 1 Emlog | 2025-04-07 | N/A | 9.8 CRITICAL | An arbitrary file upload vulnerability in the component admin\plugin.php of Emlog Pro v2.5.3 allows attackers to execute arbitrary code via uploading a crafted Zip file. |
| CVE-2025-3324 | 1 Godcheese | 1 Nimrod | 2025-04-07 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability, which was classified as critical, has been found in godcheese/code-projects Nimrod 0.8. Affected by this issue is some unknown functionality of the file FileRestController.java. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-20296 | 1 Cisco | 1 Identity Services Engine | 2025-04-07 | N/A | 4.7 MEDIUM | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to upload arbitrary files to an affected device. To exploit this vulnerability, an attacker would need at least valid Policy Admin credentials on the affected device. This vulnerability is due to improper validation of files that are uploaded to the web-based management interface. An attacker could exploit this vulnerability by uploading arbitrary files t ... |
| CVE-2025-3169 | | | 2025-04-07 | 4.6 MEDIUM | 5.0 MEDIUM | A vulnerability was found in Projeqtor up to 12.0.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /tool/saveAttachment.php. The manipulation of the argument attachmentFiles leads to unrestricted upload. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 12.0.3 is able to address this issue. I ... |
| CVE-2025-32118 | | | 2025-04-07 | N/A | 9.1 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in NiteoThemes CMP – Coming Soon & Maintenance allows Using Malicious Files. This issue affects CMP – Coming Soon & Maintenance: from n/a through 4.1.13. |
| CVE-2024-31012 | 1 Sem-cms | 1 Semcms | 2025-04-04 | N/A | 9.8 CRITICAL | An issue was discovered in SEMCMS v.4.8, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the upload.php file. |
| CVE-2023-22851 | 1 Tiki | 1 Tiki | 2025-04-04 | N/A | 7.2 HIGH | Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call. |
| CVE-2024-34440 | 1 Meowapps | 1 Ai Engine | 2025-04-04 | N/A | 9.1 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot. This issue affects AI Engine: ChatGPT Chatbot: from n/a through 2.2.63. |