Total
3017 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-46616 | 2025-04-29 | 9.9 Critical | ||
| Quantum StorNext Web GUI API before 7.2.4 allows potential Arbitrary Remote Code Execution (RCE) via upload of a file. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage. | ||||
| CVE-2022-44760 | 2025-04-29 | 4.6 Medium | ||
| Unsafe default file type filter policy in HCL Leap allows execution of unsafe JavaScript in deployed applications. | ||||
| CVE-2025-3914 | 2025-04-29 | 8.8 High | ||
| The Aeropage Sync for Airtable plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aeropage_media_downloader' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-4006 | 2025-04-29 | 4.7 Medium | ||
| A vulnerability classified as critical has been found in youyiio BeyongCms 1.6.0. Affected is an unknown function of the file /admin/theme/Upload.html of the component Document Management Page. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-40204 | 1 Premio | 1 Folders | 2025-04-29 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Premio Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager.This issue affects Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager: from n/a through 2.9.2. | ||||
| CVE-2021-43258 | 1 Churchdb | 1 Churchinfo | 2025-04-28 | 8.8 High |
| CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access tot he ChurchInfo application. Once authenticated, a user can add names to their cart, and compose an email. Uploading an attachment for the email stores the attachment on the site in the /tmp_attach/ folder where it can be accessed with a GET request. There are no limitations on files that can be attached, allowing for malicious PHP code to be uploaded and interpreted by the server. | ||||
| CVE-2022-30529 | 1 Isic.lk Project | 1 Isic.lk | 2025-04-28 | 7.2 High |
| File upload vulnerability in asith-eranga ISIC tour booking through version published on Feb 13th 2018, allows attackers to upload arbitrary files via /system/application/libs/js/tinymce/plugins/filemanager/dialog.php and /system/application/libs/js/tinymce/plugins/filemanager/upload.php. | ||||
| CVE-2024-48180 | 1 Classcms | 1 Classcms | 2025-04-28 | 9.8 Critical |
| ClassCMS <=4.8 is vulnerable to file inclusion in the nowView method in/class/cms/cms.php, which can include a file uploaded to the/class/template directory to execute PHP code. | ||||
| CVE-2024-9036 | 2 Angeljudesuarez, Itsourcecode | 2 Online Book Store Project, Online Book Store | 2025-04-28 | 6.3 Medium |
| A vulnerability was found in itsourcecode Online Bookstore 1.0. It has been rated as critical. This issue affects some unknown processing of the file admin_add.php. The manipulation of the argument image leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-46101 | 1 Gdidees | 1 Gdidees Cms | 2025-04-28 | 9.8 Critical |
| GDidees CMS <= v3.9.1 has a file upload vulnerability. | ||||
| CVE-2024-55514 | 1 Raisecom | 8 Msg1200, Msg1200 Firmware, Msg2100e and 5 more | 2025-04-28 | 6.3 Medium |
| A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 3.90. The component affected by this issue is /upload_sfmig.php on the web interface. By crafting a suitable form name, arbitrary files can be uploaded, potentially leading to unauthorized access to server permissions. | ||||
| CVE-2024-40425 | 2 Nanjing Xingyuantu Technology, Sparkshop | 2 Sparkshop, Sparkshop | 2025-04-28 | 9.8 Critical |
| File Upload vulnerability in Nanjin Xingyuantu Technology Co Sparkshop (Spark Mall B2C Mall v.1.1.6 and before allows a remote attacker to execute arbitrary code via the contorller/common.php component. | ||||
| CVE-2024-24714 | 1 Bplugins | 1 Icons Font Loader | 2025-04-28 | 7.2 High |
| Unrestricted Upload of File with Dangerous Type vulnerability in bPlugins LLC Icons Font Loader.This issue affects Icons Font Loader: from n/a through 1.1.4. | ||||
| CVE-2022-44400 | 1 Purchase Order Management System Project | 1 Purchase Order Management System | 2025-04-25 | 9.8 Critical |
| Purchase Order Management System v1.0 contains a file upload vulnerability via /purchase_order/admin/?page=system_info. | ||||
| CVE-2022-45039 | 1 Wbce | 1 Wbce Cms | 2025-04-25 | 7.2 High |
| An arbitrary file upload vulnerability in the Server Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary code via a crafted PHP file. | ||||
| CVE-2024-3369 | 1 Anisha | 1 Car Rental | 2025-04-25 | 6.3 Medium |
| A vulnerability, which was classified as critical, has been found in code-projects Car Rental 1.0. Affected by this issue is some unknown functionality of the file add-vehicle.php. The manipulation of the argument Upload Image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-259490 is the identifier assigned to this vulnerability. | ||||
| CVE-2022-44354 | 1 Contec | 2 Solarview Compact, Solarview Compact Firmware | 2025-04-25 | 9.8 Critical |
| SolarView Compact 4.0 and 5.0 is vulnerable to Unrestricted File Upload via a crafted php file. | ||||
| CVE-2025-43946 | 2025-04-25 | 9.8 Critical | ||
| TCPWave DDI 11.34P1C2 allows Remote Code Execution via Unrestricted File Upload (combined with Path Traversal). | ||||
| CVE-2025-3552 | 2025-04-25 | 7.3 High | ||
| A vulnerability was found in Lingxing ERP 2. It has been classified as critical. This affects an unknown part of the file /Api/TinyMce/UploadAjax.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. | ||||
| CVE-2025-3551 | 2025-04-25 | 7.3 High | ||
| A vulnerability was found in Lingxing ERP 2 and classified as critical. Affected by this issue is the function DoUpload of the file /Api/FileUpload.ashx?method=DoUpload. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. | ||||