Total
3662 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14530 | 2 Remyandrade, Sourcecodester | 2 Real Estate Property Listing App, Real Estate Property Listing App | 2025-12-16 | 4.7 Medium |
| A vulnerability has been found in SourceCodester Real Estate Property Listing App 1.0. The impacted element is an unknown function of the file /admin/property.php. Such manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-39539 | 1 Ami | 1 Aptio V | 2025-12-16 | 7.5 High |
| AMI AptioV contains a vulnerability in BIOS where a User may cause an unrestricted upload of a PNG Logo file with dangerous type by Local access. A successful exploit of this vulnerability may lead to a loss of Confidentiality, Integrity, and/or Availability. | ||||
| CVE-2024-0800 | 1 Arcserve | 2 Arcserve Unified Data Protection, Udp | 2025-12-16 | 8.8 High |
| A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet. | ||||
| CVE-2024-23534 | 1 Ivanti | 1 Avalanche | 2025-12-16 | 8.8 High |
| An Unrestricted File-upload vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | ||||
| CVE-2024-33006 | 1 Sap | 1 Netweaver | 2025-12-16 | 9.6 Critical |
| An unauthenticated attacker can upload a malicious file to the server which when accessed by a victim can allow an attacker to completely compromise system. | ||||
| CVE-2023-53869 | 1 Webigniter | 1 Webigniter | 2025-12-16 | N/A |
| WEBIGniter 28.7.23 contains a file upload vulnerability that allows authenticated attackers to upload and execute dangerous PHP files through the media function. Attackers can leverage any created account to upload malicious PHP scripts that enable remote code execution on the application server. | ||||
| CVE-2015-10135 | 2 Eoxia, Wordpress | 2 Wpshop 2, Wordpress | 2025-12-16 | 9.8 Critical |
| The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaxUpload function in versions before 1.3.9.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | ||||
| CVE-2016-15043 | 2 Wordpress, Wp Mobile Detector Project | 2 Wordpress, Wp Mobile Detector | 2025-12-16 | 9.8 Critical |
| The WP Mobile Detector plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in resize.php file in versions up to, and including, 3.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | ||||
| CVE-2024-58295 | 1 Elkarte | 1 Forum | 2025-12-16 | N/A |
| ElkArte Forum 1.1.9 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the theme installation process. Attackers can upload a ZIP archive with a PHP file containing system commands, which can then be executed by accessing the uploaded file in the theme directory. | ||||
| CVE-2024-58313 | 1 Xbtitfm | 1 Xbtitfm | 2025-12-16 | N/A |
| xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modifying the Content-Type header to image/gif, adding GIF89a magic bytes, and using alternate PHP tags to upload web shells that execute system commands. | ||||
| CVE-2015-10138 | 1 Lynton Reed | 1 Work The Flow File Upload | 2025-12-16 | 9.8 Critical |
| The Work The Flow File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jQuery-File-Upload-9.5.0 server and test files in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | ||||
| CVE-2012-10020 | 2 Webmovementllc, Wordpress | 2 Foxypress, Wordpress | 2025-12-16 | 9.8 Critical |
| The FoxyPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadify.php file in versions up to, and including, 0.4.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | ||||
| CVE-2015-10137 | 2 Najeebmedia, Wordpress | 2 Website Contact Form With File Upload, Wordpress | 2025-12-16 | 9.8 Critical |
| The Website Contact Form With File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_file()' function in versions up to, and including, 1.3.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | ||||
| CVE-2024-58283 | 1 Wbce | 1 Wbce Cms | 2025-12-16 | 8.8 High |
| WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary system commands through a user-controlled parameter. | ||||
| CVE-2015-10144 | 2 I13websolution, Wordpress | 2 Thumbnail Carousel Slider, Wordpress | 2025-12-16 | 8.8 High |
| The Responsive Thumbnail Slider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type sanitization in the via the image uploader in versions up to 1.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected sites server using a double extension which may make remote code execution possible. | ||||
| CVE-2024-58298 | 1 Bmc | 1 Compuware Istrobe Web | 2025-12-15 | N/A |
| Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the 'fileName' parameter to upload a web shell and execute arbitrary commands by sending POST requests to the uploaded JSP endpoint. | ||||
| CVE-2025-13094 | 1 Wordpress | 1 Wordpress | 2025-12-15 | 8.8 High |
| The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-12968 | 2 Infility, Wordpress | 2 Infility Global, Wordpress | 2025-12-15 | 8.8 High |
| The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.23. This is due to the `upload_file` function in the `infility_import_file` class only validating the MIME type which can be easily spoofed, and the `import_data` function missing capability checks. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-34506 | 1 Wbce | 1 Wbce Cms | 2025-12-15 | 8.8 High |
| WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed. | ||||
| CVE-2025-13646 | 2 Wordpress, Wpchill | 3 Wordpress, Image Gallery, Modula Image Gallery | 2025-12-15 | 7.5 High |
| The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files with race condition on the affected site's server which may make remote code execution possible. | ||||