Total
3867 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-68909 | 2026-01-28 | N/A | 9.9 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogistic blogistic allows Using Malicious Files.This issue affects Blogistic: from n/a through <= 1.0.5.
|
|||||
| CVE-2026-1423 | 1 Fabian | 1 Online Examination System | 2026-01-28 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was determined in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /admin_pic.php. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
|
|||||
| CVE-2026-1424 | 1 Phpgurukul | 1 News Portal | 2026-01-27 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A vulnerability was identified in PHPGurukul News Portal 1.0. This affects an unknown part of the component Profile Pic Handler. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
|
|||||
| CVE-2025-69312 | 2026-01-27 | N/A | 9.1 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server.This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1.
|
|||||
| CVE-2025-52691 | 1 Smartertools | 1 Smartermail | 2026-01-27 | N/A | 10.0 CRITICAL |
|
Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
|
|||||
| CVE-2025-62050 | 2026-01-27 | N/A | 9.9 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogmatic blogmatic.This issue affects Blogmatic: from n/a through <= 1.0.3.
|
|||||
| CVE-2026-1445 | 2026-01-27 | 5.8 MEDIUM | 4.7 MEDIUM | ||
|
A vulnerability was found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This vulnerability affects unknown code of the file controllers/books_center/upload_bookCover.php. Performing a manipulation of the argument book_cover results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affec ...
Show More |
|||||
| CVE-2026-24815 | 2026-01-27 | N/A | N/A | ||
|
Unrestricted Upload of File with Dangerous Type, Deserialization of Untrusted Data vulnerability in datavane tis (tis-plugin/src/main/java/com/qlangtech/tis/extension/impl modules). This vulnerability is associated with program files XmlFile.Java.
This issue affects tis: before v4.3.0.
|
|||||
| CVE-2025-62056 | 2026-01-27 | N/A | 9.9 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes News Event news-event.This issue affects News Event: from n/a through <= 1.0.1.
|
|||||
| CVE-2025-50002 | 2026-01-26 | N/A | 9.8 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia energia allows Upload a Web Shell to a Web Server.This issue affects Energia: from n/a through <= 1.1.2.
|
|||||
| CVE-2025-33015 | 1 Ibm | 1 Concert | 2026-01-26 | N/A | 8.8 HIGH |
|
IBM Concert 1.0.0 through 2.1.0 is vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface.
|
|||||
| CVE-2012-10064 | 2026-01-26 | N/A | N/A | ||
|
Omni Secure Files plugin versions prior to 0.1.14 contain an arbitrary file upload vulnerability in the bundled plupload example endpoint. The /wp-content/plugins/omni-secure-files/plupload/examples/upload.php handler allows unauthenticated uploads without enforcing safe file type restrictions, enabling an attacker to place attacker-controlled files under the plugin's uploads directory. This can lead to remote code execution if a server-executable file type is uploaded and subsequently accessed.
|
|||||
| CVE-2026-1061 | 2026-01-26 | 6.5 MEDIUM | 6.3 MEDIUM | ||
|
A vulnerability was detected in xiweicheng TMS up to 2.28.0. Affected by this issue is the function Upload of the file src/main/java/com/lhjz/portal/controller/FileController.java. The manipulation of the argument filename results in unrestricted upload. The attack may be performed from remote. The exploit is now public and may be used.
|
|||||
| CVE-2025-14632 | 2026-01-26 | N/A | 4.4 MEDIUM | ||
|
The Filr – Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload malicious HTML files containing JavaScript that will execute whenever a user accesses the uploaded file, granted they have permission to create or ed ...
Show More |
|||||
| CVE-2026-1222 | 2026-01-26 | N/A | 7.2 HIGH | ||
|
PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
|
|||||
| CVE-2025-10856 | 2026-01-26 | N/A | 8.1 HIGH | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Inc. Teknoera allows File Content Injection.This issue affects Teknoera: through 01102025.
|
|||||
| CVE-2025-69828 | 2026-01-26 | N/A | 10.0 CRITICAL | ||
|
File Upload vulnerability in TMS Global Software TMS Management Console v.6.3.7.27386.20250818 allows a remote attacker to execute arbitrary code via the Logo upload in /Customer/AddEdit
|
|||||
| CVE-2021-47888 | 2026-01-26 | N/A | 8.8 HIGH | ||
|
Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the uploaded file through a specific URL parameter.
|
|||||
| CVE-2025-13374 | 2026-01-26 | N/A | 9.8 CRITICAL | ||
|
The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
|
|||||
| CVE-2026-0911 | 2026-01-26 | N/A | 7.5 HIGH | ||
|
The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation re ...
Show More |
|||||
| CVE-2021-47899 | 2026-01-26 | N/A | 4.0 MEDIUM | ||
|
YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the url_upload_handler endpoint to access sensitive files like /etc/passwd by using file:/// protocol.
|
|||||
| CVE-2021-47904 | 2026-01-26 | N/A | 8.8 HIGH | ||
|
PhreeBooks 5.2.3 contains an authenticated file upload vulnerability in the Image Manager that allows remote code execution. Attackers can upload a malicious PHP web shell by exploiting unrestricted file type uploads to gain command execution on the server.
|
|||||
| CVE-2025-32660 | 1 Joomsky | 1 Js Job Manager | 2026-01-23 | N/A | 10.0 CRITICAL |
|
Unrestricted Upload of File with Dangerous Type vulnerability in JoomSky JS Job Manager allows Upload a Web Shell to a Web Server. This issue affects JS Job Manager: from n/a through 2.0.2.
|
|||||
| CVE-2026-1021 | 1 Gotac | 1 Police Statistics Database System | 2026-01-23 | N/A | 9.8 CRITICAL |
|
Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attacker to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
|
|||||
| CVE-2023-25444 | 1 Joomsky | 1 Js Help Desk | 2026-01-23 | N/A | 9.1 CRITICAL |
|
Unrestricted Upload of File with Dangerous Type vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Using Malicious Files.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.7.
|
|||||
| CVE-2022-1952 | 1 Syntacticsinc | 1 Easync | 2026-01-23 | 7.5 HIGH | 9.8 CRITICAL |
|
The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps.
|
|||||
| CVE-2026-22241 | 1 Openeclass | 1 Openeclass | 2026-01-23 | N/A | 7.2 HIGH |
|
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files on the server's file system. The main cause of the issue is that no validation or sanitization of the file's present inside the zip archive. This leads to remote code execution on the web server. Version 4.2 patches the issue.
|
|||||
| CVE-2021-47753 | 1 Phpkf | 1 Cms | 2026-01-23 | N/A | 9.8 CRITICAL |
|
phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands through a crafted web shell parameter.
|
|||||
| CVE-2021-47757 | 1 Chikitsa | 1 Patient Management System | 2026-01-23 | N/A | 8.8 HIGH |
|
Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability in the backup restoration functionality. Authenticated attackers can upload a modified backup zip file with a malicious PHP shell to execute arbitrary system commands on the server.
|
|||||
| CVE-2025-14894 | 1 Livewire-filemanager | 1 Filemanager | 2026-01-23 | N/A | 9.8 CRITICAL |
|
Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed.
|
|||||
| CVE-2025-37175 | 1 Arubanetworks | 1 Arubaos | 2026-01-23 | N/A | 7.2 HIGH |
|
Arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files as a privilege user and execute arbitrary commands on the underlying operating system.
|
|||||
| CVE-2024-9932 | 2026-01-23 | N/A | 9.8 CRITICAL | ||
|
The Wux Blog Editor plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'wuxbt_insertImageNew' function in versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
|
|||||
| CVE-2024-50526 | 1 Lindeni | 1 Multi Purpose Mail Form | 2026-01-23 | N/A | 10.0 CRITICAL |
|
Unrestricted Upload of File with Dangerous Type vulnerability in mahlamusa Multi Purpose Mail Form allows Upload a Web Shell to a Web Server.This issue affects Multi Purpose Mail Form: from n/a through 1.0.2.
|
|||||
| CVE-2024-51791 | 2026-01-23 | N/A | 10.0 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms allows Upload a Web Shell to a Web Server.This issue affects Forms: from n/a through 2.8.0.
|
|||||
| CVE-2023-53889 | 1 Grabaperch | 1 Perch | 2026-01-23 | N/A | 7.2 HIGH |
|
Perch CMS 3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload arbitrary PHP files through the assets management interface. Attackers can upload a malicious .phar file with embedded system command execution capabilities to execute arbitrary commands on the server.
|
|||||
| CVE-2025-15495 | 1 Biggidroid | 1 Simple Php Cms | 2026-01-22 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A vulnerability was found in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/editsite.php. The manipulation of the argument image results in unrestricted upload. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-51793 | 1 Webfulcreations | 1 Computer Repair Shop | 2026-01-22 | N/A | 10.0 CRITICAL |
|
Unrestricted Upload of File with Dangerous Type vulnerability in Webful Creations Computer Repair Shop allows Upload a Web Shell to a Web Server.This issue affects Computer Repair Shop: from n/a through 3.8115.
|
|||||
| CVE-2023-51409 | 1 Meowapps | 1 Ai Engine | 2026-01-22 | N/A | 10.0 CRITICAL |
|
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.This issue affects AI Engine: ChatGPT Chatbot: from n/a through 1.9.98.
|
|||||
| CVE-2022-50893 | 1 Viaviweb | 1 Wallpaper Admin | 2026-01-22 | N/A | 9.8 CRITICAL |
|
VIAVIWEB Wallpaper Admin 1.0 contains an unauthenticated remote code execution vulnerability in the image upload functionality. Attackers can upload a malicious PHP file through the add_gallery_image.php endpoint to execute arbitrary code on the server.
|
|||||
| CVE-2025-15503 | 1 Sangfor | 1 Operation And Maintenance Security Management System | 2026-01-22 | 7.5 HIGH | 7.3 HIGH |
|
A security flaw has been discovered in Sangfor Operation and Maintenance Management System up to 3.0.8. The impacted element is an unknown function of the file /fort/trust/version/common/common.jsp. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||