Total: 3867 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-27747 | 1 Mayurik | 1 Petrol Pump Management | 2025-03-28 | N/A | 9.8 CRITICAL | File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the email Image parameter in the profile.php component. |
| CVE-2024-24146 | 1 Libming | 1 Libming | 2025-03-27 | N/A | 6.5 MEDIUM | A memory leak issue discovered in parseSWF_DEFINEBUTTON in libming v0.4.8 allows attackers to cause a denial of service via a crafted SWF file. |
| CVE-2022-47854 | 1 I-librarian | 1 I-librarian | 2025-03-27 | N/A | 9.8 CRITICAL | i-librarian 4.10 is vulnerable to arbitrary file upload in ajaxsupplement.php. |
| CVE-2025-2687 | 1 Phpgurukul | 1 Elearning System | 2025-03-27 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability classified as critical has been found in PHPGurukul eLearning System 1.0. Affected is an unknown function of the file /user/index.php of the component Image Handler. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-2705 | | | 2025-03-27 | 7.5 HIGH | 7.3 HIGH | A vulnerability classified as critical has been found in Digiwin ERP 5.1. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-2706 | | | 2025-03-27 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability classified as critical was found in Digiwin ERP 5.0.1. Affected by this vulnerability is an unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-2819 | | | 2025-03-27 | N/A | 6.6 MEDIUM | There is a risk of unauthorized file uploads in GT-SoftControl and potential file overwrites due to insufficient validation in the file selection process. This could lead to data integrity issues and unauthorized access by an authenticated privileged user. |
| CVE-2022-47769 | 1 Serinf | 1 Fast Checkin | 2025-03-27 | N/A | 9.8 CRITICAL | An arbitrary file write vulnerability in Serenissima Informatica Fast Checkin v1.0 allows unauthenticated attackers to upload malicious files in the web root of the application to gain access to the server via the web shell. |
| CVE-2024-25832 | 1 F-logic | 1 Datacube3 | 2025-03-27 | N/A | 8.8 HIGH | F-logic DataCube3 v1.0 is vulnerable to unrestricted file upload, which could allow an authenticated malicious actor to upload a file of dangerous type by manipulating the filename extension. |
| CVE-2023-24610 | 1 Nosh Chartingsystem Project | 1 Nosh Chartingsystem | 2025-03-27 | N/A | 8.8 HIGH | NOSH 4a5cfdb allows remote authenticated users to execute arbitrary PHP code via the "practice logo" upload feature. The client-side checks can be bypassed. This may allow attackers to steal Protected Health Information because the product is for health charting. |
| CVE-2023-23135 | 1 Ftdms Project | 1 Ftdms | 2025-03-27 | N/A | 7.2 HIGH | An arbitrary file upload vulnerability in Ftdms v3.1.6 allows attackers to execute arbitrary code via uploading a crafted JPG file. |
| CVE-2023-0587 | 1 Trendmicro | 1 Apex One | 2025-03-27 | N/A | 9.1 CRITICAL | A file upload vulnerability exists in Trend Micro Apex One server build 11110. Using a malformed Content-Length header in an HTTP PUT message sent to URL /officescan/console/html/cgi/fcgiOfcDDA.exe, an unauthenticated remote attacker can upload arbitrary files to the SampleSubmission directory (i.e., \PCCSRV\TEMP\SampleSubmission) on the server. The attacker can upload a large number of large files to fill up the file system on which the Apex One server is installed. |
| CVE-2022-48079 | 1 Mengnai | 1 Aapanel Host System | 2025-03-27 | N/A | 9.8 CRITICAL | Monnai aaPanel host system v1.5 contains an access control issue which allows attackers to escalate privileges and execute arbitrary code via uploading a crafted PHP file to the virtual host directory of the system. |
| CVE-2022-46604 | 1 Tecrail | 1 Responsive Filemanager | 2025-03-27 | N/A | 8.8 HIGH | An issue in Tecrail Responsive FileManager v9.9.5 and below allows attackers to bypass the file extension check mechanism and upload a crafted PHP file, leading to arbitrary code execution. |
| CVE-2021-36426 | 1 Phpwcms | 1 Phpwcms | 2025-03-26 | N/A | 8.8 HIGH | File Upload vulnerability in phpwcms 1.9.25 allows remote attackers to run arbitrary code via crafted file upload to include/inc_lib/general.inc.php. |
| CVE-2023-24202 | 1 Oretnom23 | 1 Raffle Draw System | 2025-03-26 | N/A | 9.8 CRITICAL | Raffle Draw System v1.0 was discovered to contain a local file inclusion vulnerability via the page parameter in index.php. |
| CVE-2023-5601 | 1 Atomicwebstrategy | 1 Woocommerce Ninja Forms Product Add-ons | 2025-03-25 | N/A | 9.8 CRITICAL | The WooCommerce Ninja Forms Product Add-ons WordPress plugin before 1.7.1 does not validate the file to be uploaded, allowing any unauthenticated users to upload arbitrary files to the server, leading to RCE. |
| CVE-2025-2216 | 1 Zzskzy | 1 Warehouse Refinement Management System | 2025-03-25 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability, which was classified as critical, has been found in zzskzy Warehouse Refinement Management System 1.3. Affected by this issue is the function UploadCrash of the file /crash/log/SaveCrash.ashx. The manipulation of the argument file leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-2219 | 1 Lovecards | 1 Lovecards | 2025-03-25 | 7.5 HIGH | 7.3 HIGH | A vulnerability was found in LoveCards LoveCardsV2 up to 2.3.2 and classified as critical. This issue affects some unknown processing of the file /api/upload/image. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-40549 | 1 Publiccms | 1 Publiccms | 2025-03-25 | N/A | 8.8 HIGH | An arbitrary file upload vulnerability in the component /admin/cmsTemplate/savePlace of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file. |
| CVE-2024-25410 | 1 Flusity | 1 Flusity | 2025-03-25 | N/A | 6.5 MEDIUM | flusity-CMS 2.33 is vulnerable to Unrestricted Upload of File with Dangerous Type in update_setting.php. |
| CVE-2023-52154 | 1 Sigb | 1 Pmb | 2025-03-25 | N/A | 7.2 HIGH | File Upload vulnerability in pmb/camera_upload.php in PMB 7.4.7 and earlier allows attackers to run arbitrary code via upload of crafted PHTML files. |
| CVE-2022-45527 | 1 Institutional Management Website Project | 1 Institutional Management Website | 2025-03-25 | N/A | 9.8 CRITICAL | File upload vulnerability in Future-Depth Institutional Management Website (IMS) 1.0 allows unauthorized attackers to directly upload malicious files to the courseimg directory. |
| CVE-2024-54525 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2025-03-24 | N/A | 8.8 HIGH | A logic issue was addressed with improved file handling. This issue is fixed in visionOS 2.2, watchOS 11.2, tvOS 18.2, macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2. Restoring a maliciously crafted backup file may lead to modification of protected system files. |
| CVE-2025-2702 | | | 2025-03-24 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability, which was classified as critical, has been found in Softwin WMX3 3.1. This issue affects the function ImageAdd of the file /ImageAdd.ashx. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-2671 | | | 2025-03-23 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was found in Yue Lao Blind Box 月老盲盒 up to 4.0. It has been declared as critical. This vulnerability affects the function base64image of the file /app/controller/Upload.php. The manipulation of the argument data leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2023-24646 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2025-03-21 | N/A | 9.8 CRITICAL | An arbitrary file upload vulnerability in the component /fos/admin/ajax.php of Food Ordering System v2.0 allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2023-0255 | 1 Shortpixel | 1 Enable Media Replace | 2025-03-21 | N/A | 8.8 HIGH | The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites. |
| CVE-2021-34639 | 1 W3eden | 1 Download Manager | 2025-03-21 | 6.5 MEDIUM | 7.5 HIGH | Authenticated File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g. "payload.php.png", which is executable in some configurations. This issue affects: WordPress Download Manager version 3.1.24 and prior versions. |
| CVE-2024-9920 | | | 2025-03-20 | N/A | 6.6 MEDIUM | In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones like .py, .sh, .bat, and more. Attackers can exploit this by uploading files with malicious content and then using the '/open_file' API endpoint to execute these files. The vulnerability arises from the use of 'subprocess.Popen' to open files without proper validation, leading to potential remote code execution. |
| CVE-2023-47873 | 1 Wensolutions | 1 Wp Child Theme Generator | 2025-03-19 | N/A | 9.1 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in WEN Solutions WP Child Theme Generator. This issue affects WP Child Theme Generator: from n/a through 1.0.9. |
| CVE-2023-47846 | 1 Terryl | 1 Wp Githuber Md | 2025-03-19 | N/A | 9.1 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Terry Lin WP Githuber MD. This issue affects WP Githuber MD: from n/a through 1.16.2. |
| CVE-2023-38388 | 1 Artbees | 1 Jupiter X Core | 2025-03-19 | N/A | 9.0 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Artbees JupiterX Core. This issue affects JupiterX Core: from n/a through 3.3.5. |
| CVE-2024-23762 | 1 Gambio | 1 Gambio | 2025-03-18 | N/A | 7.8 HIGH | Unrestricted File Upload vulnerability in the Content Manager feature in Gambio 4.9.2.0 allows attackers to execute arbitrary code via upload of a crafted PHP file. |
| CVE-2021-35261 | 1 Bearadmin Project | 1 Bearadmin | 2025-03-18 | N/A | 9.8 CRITICAL | File Upload Vulnerability in Yupoxion BearAdmin before commit 10176153528b0a914eb4d726e200fd506b73b075 allows an attacker to execute arbitrary remote code via the Upfile function of the extend/tools/Ueditor endpoint. |
| CVE-2022-0959 | 1 Pgadmin | 1 Pgadmin 4 | 2025-03-17 | 3.5 LOW | 6.5 MEDIUM | A malicious, but authorised and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account under which pgAdmin is running has permission to write. |
| CVE-2024-25414 | 1 Cszcms | 1 Csz Cms | 2025-03-14 | N/A | 9.8 CRITICAL | An arbitrary file upload vulnerability in /admin/upgrade of CSZ CMS v1.3.0 allows attackers to execute arbitrary code via uploading a crafted Zip file. |
| CVE-2024-51208 | 1 Phpgurukul | 1 Boat Booking System | 2025-03-13 | N/A | 7.2 HIGH | File Upload vulnerability in change-image.php in Anuj Kumar's Boat Booking System version 1.0 allows local attackers to upload a malicious PHP script via the Image Upload Mechanism parameter. |
| CVE-2024-52677 | 1 Hkcms | 1 Hkcms | 2025-03-13 | N/A | 9.8 CRITICAL | HkCms <= v2.3.2.240702 is vulnerable to file upload in the getFileName method in /app/common/library/Upload.php. |
| CVE-2024-42778 | 1 Lopalopa | 1 Music Management System | 2025-03-13 | N/A | 8.8 HIGH | An unrestricted file upload vulnerability was found in "/music/ajax.php?action=save_playlist" in Kashipara Music Management System v1.0. This allows attackers to execute arbitrary code via uploading a crafted PHP file. |