Filtered by CWE-434
Total 3314 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-40695 1 Ibm 1 Cognos Analytics 2025-07-02 8 High
IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks.
CVE-2025-5108 1 Shopxo 1 Shopxo 2025-07-02 6.3 Medium
A vulnerability was found in zongzhige ShopXO 6.5.0. It has been rated as critical. This issue affects the function Upload of the file app/admin/controller/Payment.php of the component ZIP File Handler. The manipulation of the argument params leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-25361 1 Publiccms 1 Publiccms 2025-07-01 9.8 Critical
An arbitrary file upload vulnerability in the component /cms/CmsWebFileAdminController.java of PublicCMS v4.0.202406 allows attackers to execute arbitrary code via uploading a crafted svg or xml file.
CVE-2025-27411 1 Redaxo 1 Redaxo 2025-07-01 5.4 Medium
REDAXO is a PHP-based CMS. In Redaxo before 5.18.3, the mediapool/media page is vulnerable to arbitrary file upload. This vulnerability is fixed in 5.18.3.
CVE-2024-44849 1 Qualitor 2 Qalitor, Qualitor 2025-07-01 9.8 Critical
Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php.
CVE-2025-6873 1 Oretnom23 1 Simple Company Website 2025-07-01 4.7 Medium
A vulnerability, which was classified as critical, has been found in SourceCodester Simple Company Website 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save. The manipulation of the argument img leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-6872 1 Oretnom23 1 Simple Company Website 2025-07-01 4.7 Medium
A vulnerability classified as critical was found in SourceCodester Simple Company Website 1.0. This vulnerability affects unknown code of the file /classes/SystemSettings.php?f=update_settings. The manipulation of the argument img leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-6870 1 Oretnom23 1 Simple Company Website 2025-07-01 4.7 Medium
A vulnerability was found in SourceCodester Simple Company Website 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /classes/Content.php?f=service. The manipulation of the argument img leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-47787 1 Emlog 1 Emlog 2025-07-01 9.8 Critical
Emlog is an open source website building system. Emlog Pro prior to version 2.5.10 contains a file upload vulnerability. The store.php component contains a critical security flaw where it fails to properly validate the contents of remotely downloaded ZIP plugin files. This insufficient validation allows attackers to execute arbitrary code on the vulnerable system. Version 2.5.10 contains a patch for the issue.
CVE-2025-6848 1 Fabianros 1 Simple Forum 2025-07-01 6.3 Medium
A vulnerability, which was classified as critical, has been found in code-projects Simple Forum 1.0. This issue affects some unknown processing of the file /forum1.php. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-53260 2025-06-30 9.1 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in getredhawkstudio File Manager Plugin For Wordpress allows Upload a Web Shell to a Web Server. This issue affects File Manager Plugin For Wordpress: from n/a through 7.5.
CVE-2024-22060 1 Ivanti 1 Neurons For Itsm 2025-06-30 4.9 Medium
An unrestricted file upload vulnerability in web component of Ivanti Neurons for ITSM allows a remote, authenticated, high privileged user to write arbitrary files into sensitive directories of ITSM server.
CVE-2024-3117 1 Youdiancms 1 Youdiancms 2025-06-30 4.7 Medium
A vulnerability classified as critical was found in YouDianCMS up to 9.5.12. This vulnerability affects unknown code of the file App\Lib\Action\Admin\ChannelAction.class.php. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-258778 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-48646 1 Sage 2 1000, Sage Frp 1000 2025-06-27 8.1 High
An Unrestricted File Upload vulnerability exists in Sage 1000 v7.0.0, which allows authorized users to upload files without proper validation. An attacker could exploit this vulnerability by uploading malicious files, such as HTML, scripts, or other executable content, that may be executed on the server, leading to further system compromise.
CVE-2025-0357 1 Iqonic 1 Wpbookit 2025-06-27 9.8 Critical
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'WPB_Profile_controller::handle_image_upload' function in versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-2115 1 Zzskzy 1 Warehouse Refinement Management System 2025-06-27 6.3 Medium
A vulnerability, which was classified as critical, was found in zzskzy Warehouse Refinement Management System 3.1. Affected is the function ProcessRequest of the file /AcceptZip.ashx. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-50625 1 Digi 7 Connectport Lts 16, Connectport Lts 16 Mei, Connectport Lts 16 Mei 2ac and 4 more 2025-06-27 8 High
An issue was discovered in Digi ConnectPort LTS before 1.4.12. A vulnerability in the file upload handling of a web application allows manipulation of file paths via POST requests. This can lead to arbitrary file uploads within specific directories, potentially enabling privilege escalation when combined with other vulnerabilities.
CVE-2024-4825 1 Agentejo 1 Cockpit 2025-06-27 9.8 Critical
A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.
CVE-2025-32660 2 Joomsky, Wordpress 2 Js Job Manager, Wordpress 2025-06-27 10 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in JoomSky JS Job Manager allows Upload a Web Shell to a Web Server. This issue affects JS Job Manager: from n/a through 2.0.2.
CVE-2025-39380 2 Hospital Management System, Wordpress 2 Hospital Management System, Wordpress 2025-06-27 10 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System allows Upload a Web Shell to a Web Server.This issue affects Hospital Management System: from n/a through 47.0(20-11-2023).