Total: 3027 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-25846 | 1 Simpleimportproduct Project | 1 Simpleimportproduct | 2025-04-30 | 9.1 Critical |
In the module "Product Catalog (CSV, Excel) Import" (simpleimportproduct) <= 6.7.0 from MyPrestaModules for PrestaShop, a guest can upload files with extensions .php. | ||||
CVE-2024-42767 | 2 Jayesh, Kashipara | 2 Hotel Management System, Hotel Management System | 2025-04-30 | 7.2 High |
Kashipara Hotel Management System v1.0 is vulnerable to Unrestricted File Upload RCE via /admin/add_room_controller.php. | ||||
CVE-2024-29368 | 1 Mozilo | 1 Mozilocms | 2025-04-30 | 6.5 Medium |
An arbitrary file upload vulnerability in the file handling module of moziloCMS v2.0 allows attackers to bypass extension restrictions via file renaming, potentially leading to unauthorized file execution or storage of malicious content. | ||||
CVE-2024-42991 | 1 Mingsoft | 1 Mcms | 2025-04-30 | 8.1 High |
MCMS v5.4.1 has a front-end file upload vulnerability which can lead to remote command execution. | ||||
CVE-2025-29017 | 1 Codeastro | 1 Internet Banking System | 2025-04-30 | 8.8 High |
A Remote Code Execution (RCE) vulnerability exists in Code Astro Internet Banking System 2.0.0 due to improper file upload validation in the profile_pic parameter within pages_view_client.php. | ||||
CVE-2024-37762 | 1 Machform | 1 Machform | 2025-04-30 | 9.9 Critical |
MachForm up to version 21 is affected by an authenticated unrestricted file upload which leads to a remote code execution. | ||||
CVE-2024-34833 | 1 Oretnom23 | 1 Payroll Management System | 2025-04-30 | 9.8 Critical |
Sourcecodester Payroll Management System v1.0 is vulnerable to File Upload. Users can upload images via the "save_settings" page. An unauthenticated attacker can leverage this functionality to upload a malicious PHP file instead. Successful exploitation of this vulnerability results in the ability to execute arbitrary code as the user running the web server. | ||||
CVE-2022-43234 | 1 Hoosk | 1 Hoosk | 2025-04-30 | 9.8 Critical |
An arbitrary file upload vulnerability in the /attachments component of Hoosk v1.8 allows attackers to execute arbitrary code via a crafted PHP file. | ||||
CVE-2022-43265 | 1 Canteen Management System Project | 1 Canteen Management System | 2025-04-30 | 9.8 Critical |
An arbitrary file upload vulnerability in the component /pages/save_user.php of Canteen Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | ||||
CVE-2024-4349 | 1 Donbermoy | 1 Pisay Online E-learning System | 2025-04-29 | 7.3 High |
A vulnerability has been found in SourceCodester Pisay Online E-Learning System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /lesson/controller.php. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-262489 was assigned to this vulnerability. | ||||
CVE-2022-43192 | 1 Dedecms | 1 Dedecms | 2025-04-29 | 6.7 Medium |
An arbitrary file upload vulnerability in the component /dede/file_manage_control.php of Dedecms v5.7.101 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is related to an incomplete fix for CVE-2022-40886. | ||||
CVE-2020-23591 | 1 Optilinknetwork | 2 Op-xt71000n, Op-xt71000n Firmware | 2025-04-29 | 9.8 Critical |
A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028 allows an attacker to upload arbitrary files through "/mgm_dev_upgrade.asp", which can be used to delete every file for Denial of Service (using 'rm -rf *.*' in the code), for a reverse connection (using an '.asp' webshell), or as a backdoor. | ||||
CVE-2022-44384 | 1 Rconfig | 1 Rconfig | 2025-04-29 | 8.8 High |
An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code via a crafted PHP file. | ||||
CVE-2022-41705 | 1 Uatech | 1 Badaso | 2025-04-29 | 9.8 Critical |
Badaso version 2.6.3 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users. | ||||
CVE-2022-45476 | 1 Tiny File Manager Project | 1 Tiny File Manager | 2025-04-29 | 9.8 Critical |
Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload. | ||||
CVE-2022-44401 | 1 Online Tours & Travels Management System Project | 1 Online Tours & Travels Management System | 2025-04-29 | 9.8 Critical |
Online Tours & Travels Management System v1.0 contains an arbitrary file upload vulnerability via /tour/admin/file.php. | ||||
CVE-2025-46264 | | | 2025-04-29 | 9.9 Critical |
Unrestricted Upload of File with Dangerous Type vulnerability in Angelo Mandato PowerPress Podcasting allows Upload a Web Shell to a Web Server. This issue affects PowerPress Podcasting: from n/a through 11.12.5. | ||||
CVE-2025-46616 | | | 2025-04-29 | 9.9 Critical |
Quantum StorNext Web GUI API before 7.2.4 allows potential Arbitrary Remote Code Execution (RCE) via upload of a file. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage. | ||||
CVE-2022-44760 | | | 2025-04-29 | 4.6 Medium |
Unsafe default file type filter policy in HCL Leap allows execution of unsafe JavaScript in deployed applications. | ||||
CVE-2025-4006 | | | 2025-04-29 | 4.7 Medium |
A vulnerability classified as critical has been found in youyiio BeyongCms 1.6.0. Affected is an unknown function of the file /admin/theme/Upload.html of the component Document Management Page. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |