Total
3053 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-25414 | 1 Cszcms | 1 Csz Cms | 2025-03-14 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in /admin/upgrade of CSZ CMS v1.3.0 allows attackers to execute arbitrary code via uploading a crafted Zip file. | |||||
| CVE-2019-8394 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2025-03-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. | |||||
| CVE-2025-26411 | 2025-03-14 | N/A | 8.8 HIGH | ||
| An authenticated attacker is able to use the Plugin Manager of the web interface of the Wattsense Bridge devices to upload malicious Python files to the device. This enables an attacker to gain remote root access to the device. An attacker needs a valid user account on the Wattsense web interface to be able to conduct this attack. This issue is fixed in recent firmware versions BSP >= 6.1.0. | |||||
| CVE-2020-25213 | 1 Webdesi9 | 1 File Manager | 2025-03-14 | 7.5 HIGH | 10.0 CRITICAL |
| The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020. | |||||
| CVE-2021-20022 | 1 Sonicwall | 2 Email Security, Hosted Email Security | 2025-03-14 | 6.5 MEDIUM | 7.2 HIGH |
| SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host. | |||||
| CVE-2024-57668 | 1 Fabianros | 1 Shopping Portal | 2025-03-13 | N/A | 8.8 HIGH |
| In Code-projects Shopping Portal v1.0, the insert-product.php page has an arbitrary file upload vulnerability. | |||||
| CVE-2024-51208 | 1 Phpgurukul | 1 Boat Booking System | 2025-03-13 | N/A | 7.2 HIGH |
| File Upload vulnerability in change-image.php in Anuj Kumar's Boat Booking System version 1.0 allows local attackers to upload a malicious PHP script via the Image Upload Mechanism parameter. | |||||
| CVE-2021-31207 | 1 Microsoft | 1 Exchange Server | 2025-03-13 | 6.5 MEDIUM | 6.6 MEDIUM |
| Microsoft Exchange Server Security Feature Bypass Vulnerability | |||||
| CVE-2021-36741 | 2 Microsoft, Trendmicro | 5 Windows, Apex One, Officescan and 2 more | 2025-03-13 | 6.5 MEDIUM | 8.8 HIGH |
| An improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 10.0 SP1 allows a remote attached to upload arbitrary files on affected installations. Please note: an attacker must first obtain the ability to logon to the product�s management console in order to exploit this vulnerability. | |||||
| CVE-2024-52677 | 1 Hkcms | 1 Hkcms | 2025-03-13 | N/A | 9.8 CRITICAL |
| HkCms <= v2.3.2.240702 is vulnerable to file upload in the getFileName method in /app/common/library/Upload.php. | |||||
| CVE-2024-42778 | 1 Lopalopa | 1 Music Management System | 2025-03-13 | N/A | 8.8 HIGH |
| An Unrestricted file upload vulnerability was found in "/music/ajax.php?action=save_playlist" in Kashipara Music Management System v1.0. This allows attackers to execute arbitrary code via uploading a crafted PHP file. | |||||
| CVE-2024-25801 | 1 Skinsoft | 1 S-museum | 2025-03-13 | N/A | 6.1 MEDIUM |
| SKINsoft S-Museum 7.02.3 allows XSS via the filename of an uploaded file. Unlike in CVE-2024-25802, the attack payload is in the name (not the content) of a file. | |||||
| CVE-2024-13359 | 1 Tychesoftwares | 1 Product Input Fields For Woocommerce | 2025-03-13 | N/A | 8.1 HIGH |
| The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the add_product_input_fields_to_order_item_meta() function in all versions up to, and including, 1.12.0. This may make it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note that by default the plugin is only vulnerable to a double extension file upload attack, unless an administrators leaves the accepted file extensions field blank which can make .php file uploads possible. Please note 1.12.2 was mistakenly marked as patched while 1.12.1 was marked as vulnerable for a short period of time, this is not the case and 1.12.1 is fully patched. | |||||
| CVE-2024-57968 | 1 Advantive | 1 Veracore | 2025-03-13 | N/A | 9.9 CRITICAL |
| Advantive VeraCore before 2024.4.2.1 allows remote authenticated users to upload files to unintended folders (e.g., ones that are accessible during web browsing by other users). upload.aspx can be used for this. | |||||
| CVE-2024-13908 | 1 Bestwebsoft | 1 Smtp | 2025-03-13 | N/A | 7.2 HIGH |
| The SMTP by BestWebSoft plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-13882 | 1 Coderevolution | 1 Aiomatic | 2025-03-13 | N/A | 8.8 HIGH |
| The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aiomatic_generate_featured_image' function in all versions up to, and including, 2.3.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-3022 | 1 Reputeinfosystems | 1 Bookingpress | 2025-03-13 | N/A | 7.2 HIGH |
| The BookingPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient filename validation in the 'bookingpress_process_upload' function in all versions up to, and including 1.0.87. This allows an authenticated attacker with administrator-level capabilities or higher to upload arbitrary files on the affected site's server, enabling remote code execution. | |||||
| CVE-2024-2268 | 1 Keerti1924 | 1 Online Bookstore Website | 2025-03-12 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in keerti1924 Online-Book-Store-Website 1.0. It has been classified as critical. Affected is an unknown function of the file /product_update.php?update=1. The manipulation of the argument update_image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-256038 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-28915 | 2025-03-11 | N/A | 9.1 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Theme Egg ThemeEgg ToolKit allows Upload a Web Shell to a Web Server. This issue affects ThemeEgg ToolKit: from n/a through 1.2.9. | |||||
| CVE-2022-2883 | 1 Octopus | 1 Octopus Server | 2025-03-11 | N/A | 7.5 HIGH |
| In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service | |||||