Total
3620 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-49060 | 1 Wordpress | 1 Wordpress | 2025-11-13 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Wastia wastia allows Upload a Web Shell to a Web Server.This issue affects Wastia: from n/a through < 1.1.3. | ||||
| CVE-2025-48106 | 1 Wordpress | 1 Wordpress | 2025-11-13 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Clanora clanora allows Using Malicious Files.This issue affects Clanora: from n/a through < 1.3.1. | ||||
| CVE-2025-42883 | 1 Sap | 5 Application Server, Netweaver, Netweaver Abap and 2 more | 2025-11-12 | 2.7 Low |
| Migration Workbench (DX Workbench) in SAP NetWeaver Application Server for ABAP fails to trigger a malware scan when an attacker with administrative privileges uploads files to the application server. An attacker could leverage this and upload a malicious file into the system. This results in a low impact on the integrity of the application. | ||||
| CVE-2025-27082 | 1 Arubanetworks | 1 Arubaos | 2025-11-12 | 7.2 High |
| Arbitrary File Write vulnerabilities exist in the web-based management interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an Authenticated attacker to upload arbitrary files and execute arbitrary commands on the underlying host operating system. | ||||
| CVE-2025-61417 | 1 Tastyigniter | 1 Tastyigniter | 2025-11-12 | 8.8 High |
| Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicious SVG file containing JavaScript code. When an administrator previews the file, the code executes in their browser context, allowing the attacker to perform unauthorized actions such as modifying the admin account credentials. | ||||
| CVE-2025-12867 | 1 Hundredplus | 1 Eip Plus | 2025-11-12 | 7.2 High |
| EIP Plus developed by Hundred Plus has an Arbitrary File Uplaod vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | ||||
| CVE-2025-11948 | 1 Excellent Infotek | 1 Document Management System | 2025-11-12 | 9.8 Critical |
| Document Management System developed by Excellent Infotek has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | ||||
| CVE-2025-37132 | 2 Arubanetworks, Hpe | 2 Arubaos, Arubaos | 2025-11-12 | 7.2 High |
| An arbitrary file write vulnerability exists in the web-based management interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files and execute arbitrary commands on the underlying operating system. | ||||
| CVE-2025-12352 | 2 Gravityforms, Wordpress | 2 Gravity Forms, Wordpress | 2025-11-12 | 9.8 Critical |
| The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the copy_post_image() function in all versions up to, and including, 2.9.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This only impacts sites that have allow_url_fopen set to `On`, the post creation form enabled along with a file upload field for the post | ||||
| CVE-2025-12161 | 1 Wordpress | 1 Wordpress | 2025-11-12 | 8.8 High |
| The Smart Auto Upload Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the auto-image creation functionality in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-11967 | 2 Getwpfunnels, Wordpress | 2 Mail Mint, Wordpress | 2025-11-12 | 7.2 High |
| The Mail Mint plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_contact_attribute_import function in all versions up to, and including, 1.18.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-12399 | 1 Wordpress | 1 Wordpress | 2025-11-12 | 7.2 High |
| The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-json/srr/v1/app/upload/file REST endpoint in all versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-5406 | 1 Chaitak-gorai | 1 Blogbook | 2025-11-10 | 6.3 Medium |
| A vulnerability, which was classified as critical, was found in chaitak-gorai Blogbook up to 92f5cf90f8a7e6566b576fe0952e14e1c6736513. Affected is an unknown function of the file /admin/posts.php?source=add_post. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2021-20022 | 2 Microsoft, Sonicwall | 20 Windows, Email Security, Email Security Appliance 3300 and 17 more | 2025-11-10 | 7.2 High |
| SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host. | ||||
| CVE-2025-62618 | 2 Elog, Elog Project | 2 Elog, Elog | 2025-11-10 | 8 High |
| ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the context of other users when they open the file. Because ELOG includes usernames and password hashes in certain HTTP requests, an attacker can obtain the target's credentials and replay them or crack the password hash offline. In ELOG 3.1.5-20251014 release, HTML files are rendered as plain text. | ||||
| CVE-2020-25213 | 1 Filemanagerpro | 1 File Manager | 2025-11-07 | 10 Critical |
| The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020. | ||||
| CVE-2019-8394 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2025-11-07 | 7.5 High |
| Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. | ||||
| CVE-2025-7627 | 1 Yijiusmile | 1 Kkfileviewofficeedit | 2025-11-07 | 6.3 Medium |
| A vulnerability was found in YiJiuSmile kkFileViewOfficeEdit up to 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd and classified as critical. Affected by this issue is the function fileUpload of the file /fileUpload. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | ||||
| CVE-2025-50286 | 1 Getgrav | 1 Grav | 2025-11-07 | 8.1 High |
| A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access. | ||||
| CVE-2023-7305 | 1 Guangzhou Smart Software | 1 Smartbi | 2025-11-07 | N/A |
| SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability via the RMIServlet request handling logic. Under certain configurations or usage patterns, attackers can send specially crafted requests that cause the application to perform sensitive operations or execute arbitrary code on the host. The vendor released a fix in July 2023 to address the underlying flaw. VulnCheck has observed this vulnerability being exploited in the wild. | ||||