Total
3534 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-57169 | 1 Soplanning | 1 Soplanning | 2025-04-02 | 9.8 Critical |
| A file upload bypass vulnerability exists in SOPlanning 1.53.00, specifically in /process/upload.php. This vulnerability allows remote attackers to bypass upload restrictions and potentially achieve remote code execution by uploading malicious files. | ||||
| CVE-2024-8958 | 1 Composio | 1 Composio | 2025-04-01 | 9.8 Critical |
| In composiohq/composio version 0.4.3, there is an unrestricted file write and read vulnerability in the filetools actions. Due to improper validation of file paths, an attacker can read and write files anywhere on the server, potentially leading to privilege escalation or remote code execution. | ||||
| CVE-2025-31577 | 2025-04-01 | 6.6 Medium | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in appointify Appointify allows Upload a Web Shell to a Web Server. This issue affects Appointify: from n/a through 1.0.8. | ||||
| CVE-2025-2891 | 2025-04-01 | 8.8 High | ||
| The Real Estate 7 WordPress theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the 'template-submit-listing.php' file in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with Seller-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible if front-end listing submission has been enabled. | ||||
| CVE-2025-2008 | 2025-04-01 | 8.8 High | ||
| The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-2606 | 1 Mayurik | 1 Best Church Management Software | 2025-04-01 | 6.3 Medium |
| A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/app/soulwinning_crud.php. The manipulation of the argument photo/photo1 leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-2607 | 1 Phplaozhang | 1 Lzcms-laozhangbokexitong | 2025-04-01 | 6.3 Medium |
| A vulnerability was found in phplaozhang LzCMS-LaoZhangBoKeXiTong up to 1.1.4. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/upload/upimage.html of the component HTTP POST Request Handler. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-29661 | 1 Dedecms | 1 Dedecms | 2025-04-01 | 9.8 Critical |
| A File Upload vulnerability in DedeCMS v5.7 allows a local attacker to execute arbitrary code via a crafted payload. | ||||
| CVE-2024-35375 | 1 Dedecms | 1 Dedecms | 2025-04-01 | 9.8 Critical |
| There is an arbitrary file upload vulnerability on the media add .php page in the backend of the website in version 5.7.114 of DedeCMS | ||||
| CVE-2024-35510 | 1 Dedecms | 1 Dedecms | 2025-04-01 | 9.8 Critical |
| An arbitrary file upload vulnerability in /dede/file_manage_control.php of DedeCMS v5.7.114 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2022-40035 | 1 Blog-ssm Project | 1 Blog-ssm | 2025-04-01 | 8.8 High |
| File Upload Vulnerability found in Rawchen Blog-ssm v1.0 allowing attackers to execute arbitrary commands and gain escalated privileges via the /uploadFileList component. | ||||
| CVE-2024-25869 | 1 Codeastro | 1 Membership Management System | 2025-04-01 | 8.8 High |
| An Unrestricted File Upload vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary code via upload of a crafted php file in the settings.php component. | ||||
| CVE-2022-41217 | 1 Hybridsoftware | 1 Cloudflow | 2025-04-01 | 9.8 Critical |
| Cloudflow contains a unauthenticated file upload vulnerability, which makes it possible for an attacker to upload malicious files to the CLOUDFLOW PROOFSCOPE built-in storage. | ||||
| CVE-2024-46373 | 1 Dedecms | 1 Dedecms | 2025-03-31 | 8.8 High |
| Dedecms V5.7.115 contains an arbitrary code execution via file upload vulnerability in the backend. | ||||
| CVE-2023-0455 | 1 Bumsys Project | 1 Bumsys | 2025-03-31 | 8.8 High |
| Unrestricted Upload of File with Dangerous Type in GitHub repository unilogies/bumsys prior to v1.0.3-beta. | ||||
| CVE-2025-29411 | 1 Martmbithi | 1 Ibanking | 2025-03-28 | 9.8 Critical |
| An arbitrary file upload vulnerability in the Client Profile Update section of Mart Developers iBanking v2.0.0 allows attackers to execute arbitrary code via uploading a crafted PHP file. | ||||
| CVE-2022-48008 | 1 Limesurvey | 1 Limesurvey | 2025-03-28 | 9.8 Critical |
| An arbitrary file upload vulnerability in the plugin manager of LimeSurvey v5.4.15 allows attackers to execute arbitrary code via a crafted PHP file. | ||||
| CVE-2022-48006 | 1 Taogogo | 1 Taocms | 2025-03-28 | 9.8 Critical |
| An arbitrary file upload vulnerability in taocms v3.0.2 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is exploited via manipulation of the upext variable at /include/Model/Upload.php. | ||||
| CVE-2024-27747 | 1 Mayurik | 1 Petrol Pump Management | 2025-03-28 | 9.8 Critical |
| File Upload vulnerability in Petrol Pump Mangement Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the email Image parameter in the profile.php component. | ||||
| CVE-2024-47259 | 2025-03-28 | 3.5 Low | ||
| Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files to the Axis device with the purpose to exhaust system resources. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | ||||