Total
3867 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-47259 | 1 Axis | 2 Axis Os, Axis Os 2024 | 2026-01-22 | N/A | 3.5 LOW |
|
Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files to the Axis device with the purpose to exhaust system resources.
Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
|
|||||
| CVE-2025-66802 | 1 Covid-19 Contact Tracing System Project | 1 Covid-19 Contact Tracing System | 2026-01-22 | N/A | 9.8 CRITICAL |
|
Sourcecodester Covid-19 Contact Tracing System 1.0 is vulnerable to RCE (Remote Code Execution). The application receives a reverse shell (php) into imagem of the user enabling RCE.
|
|||||
| CVE-2025-66837 | 1 Softwareag | 1 Aris | 2026-01-21 | N/A | 6.8 MEDIUM |
|
A file upload vulnerability in ARIS 10.0.23.0.3587512 allows attackers to execute arbitrary code via uploading a crafted PDF file/Malware
|
|||||
| CVE-2025-46068 | 1 Automai | 1 Director | 2026-01-21 | N/A | 8.8 HIGH |
|
An issue in Automai Director v.25.2.0 allows a remote attacker to execute arbitrary code via the update mechanism
|
|||||
| CVE-2024-37418 | 1 Church Admin Project | 1 Church Admin | 2026-01-21 | N/A | 9.9 CRITICAL |
|
Unrestricted Upload of File with Dangerous Type vulnerability in Andy Moyle Church Admin allows Upload a Web Shell to a Web Server.This issue affects Church Admin: from n/a through 4.4.6.
|
|||||
| CVE-2024-31280 | 1 Church Admin Project | 1 Church Admin | 2026-01-21 | N/A | 9.9 CRITICAL |
|
Unrestricted Upload of File with Dangerous Type vulnerability in Andy Moyle Church Admin.This issue affects Church Admin: from n/a through 4.1.5.
|
|||||
| CVE-2026-22799 | 1 Emlog | 1 Emlog | 2026-01-21 | N/A | 8.8 HIGH |
|
Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers (with a valid API key or admin session cookie) to upload arbitrary files (including malicious PHP scripts) to the server. An attacker can obtain the API key either by gaining administrator access to enable the REST API set ...
Show More |
|||||
| CVE-2026-22789 | 1 Wem-project | 1 Wem | 2026-01-21 | N/A | 5.4 MEDIUM |
|
WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code Execution (RCE). This vulnerability is identical in nature to CVE-2025-52130 but exists in different code locations that were not addressed by the original fix. This vulnerability is fixed in 1.19.
|
|||||
| CVE-2025-67077 | 1 Agora-project | 1 Agora-project | 2026-01-21 | N/A | 8.8 HIGH |
|
File upload vulnerability in Omnispace Agora Project before 25.10 allowing authenticated, or under certain conditions also guest users, via the UploadTmpFile action.
|
|||||
| CVE-2025-67079 | 1 Agora-project | 1 Agora-project | 2026-01-21 | N/A | 9.8 CRITICAL |
|
File upload vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute code through the MSL engine of the Imagick library via crafted PDF file to the file upload and thumbnail functions.
|
|||||
| CVE-2025-15240 | 1 Quantatw | 1 Qoca Aim | 2026-01-20 | N/A | 8.8 HIGH |
|
QOCA aim AI Medical Cloud Platform developed by Quanta Computer has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
|
|||||
| CVE-2026-0566 | 1 Code-projects | 1 Content Management System | 2026-01-20 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A security vulnerability has been detected in code-projects Content Management System 1.0. Impacted is an unknown function of the file /admin/edit_posts.php. The manipulation of the argument image leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.
|
|||||
| CVE-2022-50939 | 1 E107 | 1 E107 | 2026-01-20 | N/A | 7.2 HIGH |
|
e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to override arbitrary server files through path traversal. The vulnerability exists in the Media Manager's remote URL upload functionality (image.php) where the upload_caption parameter is not properly sanitized. An attacker with administrative privileges can use directory traversal sequences (../../../) in the upload_caption field to overwrite critical system files outside the intended ...
Show More |
|||||
| CVE-2022-50936 | 1 Wbce | 1 Wbce Cms | 2026-01-20 | N/A | 8.8 HIGH |
|
WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload.
|
|||||
| CVE-2011-10041 | 2026-01-20 | N/A | N/A | ||
|
Uploadify WordPress plugin versions up to and including 1.0 contain an arbitrary file upload vulnerability in process_upload.php due to missing file type validation. An unauthenticated remote attacker can upload arbitrary files to the affected WordPress site, which may allow remote code execution by uploading executable content to a web-accessible location.
|
|||||
| CVE-2025-6327 | 2026-01-20 | N/A | 10.0 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in KingAddons.com King Addons for Elementor king-addons allows Upload a Web Shell to a Web Server.This issue affects King Addons for Elementor: from n/a through <= 51.1.36.
|
|||||
| CVE-2025-68562 | 2026-01-20 | N/A | 9.9 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through 8.7.3.
|
|||||
| CVE-2025-67924 | 2026-01-20 | N/A | 9.8 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Corpkit corpkit allows Upload a Web Shell to a Web Server.This issue affects Corpkit: from n/a through <= 2.0.
|
|||||
| CVE-2025-67910 | 2026-01-20 | N/A | 9.8 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in contentstudio Contentstudio contentstudio allows Upload a Web Shell to a Web Server.This issue affects Contentstudio: from n/a through <= 1.3.7.
|
|||||
| CVE-2025-66074 | 2026-01-20 | N/A | 9.0 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal.This issue affects WP Webhooks: from n/a through <= 3.3.8.
|
|||||
| CVE-2025-64374 | 2026-01-20 | N/A | 9.9 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in StylemixThemes Motors motors allows Using Malicious Files.This issue affects Motors: from n/a through <= 5.6.81.
|
|||||
| CVE-2025-64231 | 2026-01-20 | N/A | 9.8 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files.This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through <= 3.0.0.
|
|||||
| CVE-2025-62065 | 2026-01-20 | N/A | 9.9 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Rometheme RTMKit rometheme-for-elementor.This issue affects RTMKit: from n/a through <= 1.6.5.
|
|||||
| CVE-2025-62047 | 2026-01-20 | N/A | 9.9 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Case-Themes Case Addons case-addons.This issue affects Case Addons: from n/a through < 1.3.0.
|
|||||
| CVE-2025-62016 | 2026-01-20 | N/A | 9.9 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in hogash Kallyas kallyas.This issue affects Kallyas: from n/a through <= 4.22.0.
|
|||||
| CVE-2025-60235 | 2026-01-20 | N/A | 10.0 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Plugify Helpdesk Support Ticket System for WooCommerce support-ticket-system-for-woocommerce allows Using Malicious Files.This issue affects Helpdesk Support Ticket System for WooCommerce: from n/a through <= 2.1.0.
|
|||||
| CVE-2025-60207 | 2026-01-20 | N/A | 10.0 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Addify Custom User Registration Fields for WooCommerce user-registration-plugin-for-woocommerce allows Upload a Web Shell to a Web Server.This issue affects Custom User Registration Fields for WooCommerce: from n/a through <= 2.1.2.
|
|||||
| CVE-2025-60187 | 2026-01-20 | N/A | 4.8 MEDIUM | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Using Malicious Files.This issue affects Atarim: from n/a through <= 4.2.
|
|||||
| CVE-2025-58996 | 2026-01-20 | N/A | 9.1 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Helmut Wandl Advanced Settings advanced-settings allows Upload a Web Shell to a Web Server.This issue affects Advanced Settings: from n/a through <= 3.1.1.
|
|||||
| CVE-2025-58963 | 2026-01-20 | N/A | 9.8 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in 7oroof Medcity medcity allows Upload a Web Shell to a Web Server.This issue affects Medcity: from n/a through < 1.1.9.
|
|||||
| CVE-2025-53283 | 2026-01-20 | N/A | 10.0 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in borisolhor Drop Uploader for CF7 - Drag&Drop File Uploader Addon drop-uploader-for-contact-form-7-dragdrop-file-uploader-addon allows Upload a Web Shell to a Web Server.This issue affects Drop Uploader for CF7 - Drag&Drop File Uploader Addon: from n/a through <= 2.4.1.
|
|||||
| CVE-2025-52758 | 2026-01-20 | N/A | 9.1 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy zippy allows Using Malicious Files.This issue affects Zippy: from n/a through <= 1.7.0.
|
|||||
| CVE-2025-49060 | 2026-01-20 | N/A | 10.0 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Wastia wastia allows Upload a Web Shell to a Web Server.This issue affects Wastia: from n/a through < 1.1.3.
|
|||||
| CVE-2025-48106 | 2026-01-20 | N/A | 10.0 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Clanora clanora allows Using Malicious Files.This issue affects Clanora: from n/a through < 1.3.1.
|
|||||
| CVE-2025-31048 | 2026-01-20 | N/A | 9.9 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Themify Shopo allows Upload a Web Shell to a Web Server.This issue affects Shopo: from n/a through 1.1.4.
|
|||||
| CVE-2026-21877 | 1 N8n | 1 N8n | 2026-01-20 | N/A | 9.9 CRITICAL |
|
n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended.
|
|||||
| CVE-2022-50916 | 1 E107 | 1 E107 | 2026-01-16 | N/A | 7.2 HIGH |
|
e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server files through the Media Manager import functionality. Attackers can exploit the upload mechanism by manipulating the upload URL parameter to overwrite existing files like top.php in the web application directory.
|
|||||
| CVE-2022-50907 | 1 E107 | 1 E107 | 2026-01-16 | N/A | 7.2 HIGH |
|
e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling remote code execution through the Media Manager import feature.
|
|||||
| CVE-2026-22783 | 1 Dfir-iris | 1 Iris | 2026-01-16 | N/A | 9.6 CRITICAL |
|
Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the file_local_name field combined with path trust in the delete operation enables authenticated users to delete arbitrary filesystem paths. The vulnerability manifests through a three-step attack chain: authenticated users upload a file to the datastore, update the file's fi ...
Show More |
|||||
| CVE-2025-13062 | 2026-01-16 | N/A | 8.8 HIGH | ||
|
The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
|
|||||