Total
3127 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-3444 | 1 Zohocorp | 2 Manageengine Servicedesk Plus Msp, Manageengine Supportcenter Plus | 2025-06-17 | 6.5 Medium |
| Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded. | ||||
| CVE-2024-34982 | 1 Lylme | 1 Lylme Spage | 2025-06-17 | 9.8 Critical |
| An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2025-3234 | 2025-06-17 | 7.2 High | ||
| The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.8.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Administrators have the ability to extend file manager usage privileges to lower-level users including subscribers, which would make this vulnerability more severe on such sites. | ||||
| CVE-2024-22567 | 1 Mingsoft | 1 Mcms | 2025-06-17 | 8.8 High |
| File Upload vulnerability in MCMS 5.3.5 allows attackers to upload arbitrary files via crafted POST request to /ms/file/upload.do. | ||||
| CVE-2023-25365 | 1 Octobercms | 1 October | 2025-06-17 | 7.8 High |
| Cross Site Scripting vulnerability found in October CMS v.3.2.0 allows local attacker to execute arbitrary code via the file type .mp3 | ||||
| CVE-2024-28441 | 1 Magicflue | 1 Magicflue | 2025-06-17 | 9.8 Critical |
| File Upload vulnerability in magicflue v.7.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the messageid parameter of the mail/mailupdate.jsp endpoint. | ||||
| CVE-2024-23630 | 1 Motorola | 2 Mr2600, Mr2600 Firmware | 2025-06-17 | 9 Critical |
| An arbitrary firmware upload vulnerability exists in the Motorola MR2600. An attacker can exploit this vulnerability to achieve code execution on the device. Authentication is required, however can be bypassed. | ||||
| CVE-2025-28168 | 1 Multiple File Upload Project | 1 Multiple File Upload | 2025-06-17 | 6.4 Medium |
| The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems. | ||||
| CVE-2021-23814 | 1 Unisharp | 1 Laravel-filemanager | 2025-06-17 | 6.7 Medium |
| This affects versions of the package unisharp/laravel-filemanager before 2.6.2. The upload() function does not sufficiently validate the file type when uploading. An attacker may be able to reproduce the following steps: 1. Install a package with a web Laravel application. 2. Navigate to the Upload window 3. Upload an image file, then capture the request 4. Edit the request contents with a malicious file (webshell) 5. Enter the path of file uploaded on URL - Remote Code Execution **Note:** Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in [here](https://unisharp.github.io/laravel-filemanager/configfolder-categories). | ||||
| CVE-2023-51928 | 1 Yonyou | 1 Yonbip | 2025-06-16 | 9.8 Critical |
| An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2023-51924 | 1 Yonyou | 1 Yonbip | 2025-06-16 | 9.8 Critical |
| An arbitrary file upload vulnerability in the uap.framework.rc.itf.IResourceManager interface of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2025-4538 | 1 Keking | 1 Kkfileview | 2025-06-16 | 6.3 Medium |
| A vulnerability was found in kkFileView 4.4.0. It has been classified as critical. This affects an unknown part of the file /fileUpload. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-5130 | 1 Project Team | 1 Tmall Demo | 2025-06-16 | 4.7 Medium |
| A vulnerability was found in Tmall Demo up to 20250505. It has been classified as critical. This affects the function uploadProductImage of the file tmall/admin/uploadProductImage. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-5491 | 1 Byzoro | 2 Smart S45f, Smart S45f Firmware | 2025-06-16 | 6.3 Medium |
| A vulnerability, which was classified as critical, has been found in Byzoro Smart S45F Multi-Service Secure Gateway Intelligent Management Platform up to 20230928. This issue affects some unknown processing of the file /sysmanage/updatelib.php. The manipulation of the argument file_upload leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-241643. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-3835 | 2025-06-14 | 9.6 Critical | ||
| Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior are vulnerable to Remote code execution in the Content Search module. | ||||
| CVE-2024-46210 | 1 Redaxo | 1 Redaxo | 2025-06-13 | 7.2 High |
| An arbitrary file upload vulnerability in the MediaPool module of Redaxo CMS v5.17.1 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2024-52769 | 1 Dedebiz | 1 Dedebiz | 2025-06-13 | 7.2 High |
| An arbitrary file upload vulnerability in the component /admin/friendlink_edit of DedeBIZ v6.3.0 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2024-40553 | 2 Mini, Project Team | 2 Mini-tmall, Tmall Demo | 2025-06-13 | 4.9 Medium |
| Tmall_demo v2024.07.03 was discovered to contain an arbitrary file upload via the component uploadUserHeadImage. | ||||
| CVE-2024-40555 | 1 Project Team | 1 Tmall Demo | 2025-06-13 | 5.3 Medium |
| Tmall_demo v2024.07.03 was discovered to contain an arbitrary file upload vulnerability. | ||||
| CVE-2025-1791 | 1 Skycaiji | 1 Skycaiji | 2025-06-12 | 6.3 Medium |
| A vulnerability has been found in Zorlan SkyCaiji 2.9 and classified as critical. This vulnerability affects the function fileAction of the file vendor/skycaiji/app/admin/controller/Tool.php. The manipulation of the argument save_data leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||