Total
3416 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-9846 | 2025-09-24 | N/A | 10.0 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in TalentSys Consulting Information Technology Industry Inc. Inka.Net allows Command Injection.This issue affects Inka.Net: before 6.7.1. | |||||
| CVE-2025-10147 | 2025-09-24 | N/A | 9.8 CRITICAL | ||
| The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_as_original_file' function in all versions up to, and including, 4.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-36174 | 1 Ibm | 1 Integrated Analytics System | 2025-09-23 | N/A | 8.0 HIGH |
| IBM Integrated Analytics System 1.0.0.0 through 1.0.30.0 could allow an authenticated user to upload a file with dangerous types that could be executed by another user if opened. | |||||
| CVE-2013-10032 | 1 Get-simple | 1 Getsimplecms | 2025-09-23 | N/A | 8.8 HIGH |
| An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The applicationās upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP code, an attacker can bypass blacklist-based restrictions and place executable code within the web root. A crafted request using a polyglot or disguised extension allows the attacker to execute the payload by accessing the file directly via the web server. This vulnerability exists due to the use of a blacklist for filtering file types instead of a whitelist. | |||||
| CVE-2013-10040 | 1 Clip-bucket | 1 Clipbucket | 2025-09-23 | N/A | 9.8 CRITICAL |
| ClipBucket version 2.6 and earlier contains a critical vulnerability in the ofc_upload_image.php script located at /admin_area/charts/ofc-library/. This endpoint allows unauthenticated users to upload arbitrary files, including executable PHP scripts. Once uploaded, the attacker can access the file via a predictable path and trigger remote code execution. | |||||
| CVE-2024-53564 | 1 Sangoma | 1 Freepbx | 2025-09-23 | N/A | 2.2 LOW |
| A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowing high-privilege administrators to insert unwanted files. NOTE: the Supplier's position is that there is no risk beyond what high-privilege administrators are intentionally allowed to do. | |||||
| CVE-2024-28713 | 1 Mtons | 1 Mblog | 2025-09-23 | N/A | 9.8 CRITICAL |
| An issue in Mblog Blog system v.3.5.0 allows an attacker to execute arbitrary code via a crafted file to the theme management feature. | |||||
| CVE-2025-10755 | 2025-09-22 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was detected in Selleo Mentingo 2025.08.27. The impacted element is an unknown function of the component Content-Type Handler. The manipulation of the argument userAvatar results in unrestricted upload. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10763 | 2025-09-22 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was determined in academico-sis academico up to d9a9e2636fbf7e5845ee086bcb03ca62faceb6ab. Affected by this issue is some unknown functionality of the file /edit-photo of the component Profile Picture Handler. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. This product adopts a rolling release strategy to maintain continuous delivery The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10741 | 2025-09-22 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A security vulnerability has been detected in Selleo Mentingo up to 2025.08.27. The affected element is an unknown function of the component Profile Picture Handler. The manipulation of the argument userAvatar leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10009 | 2025-09-22 | N/A | N/A | ||
| Incorrect handling of uploaded files in the admin "Restore" function in Invoice Ninja <= 5.11.72 allows attackers with admin credentials to execute arbitrary code on the server via uploaded .php files. | |||||
| CVE-2025-2748 | 1 Kentico | 1 Xperience | 2025-09-22 | N/A | 6.5 MEDIUM |
| TheĀ Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS.This issue affects Kentico Xperience through 13.0.178. | |||||
| CVE-2025-10480 | 1 Janobe | 1 Online Student File Management System | 2025-09-22 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in SourceCodester Online Student File Management System 1.0. This affects an unknown function of the file /save_file.php. Executing manipulation can lead to unrestricted upload. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-57642 | 2025-09-22 | N/A | 7.2 HIGH | ||
| A Shell Upload vulnerability in Tourism Management System 2.0 allows an attacker to upload and execute arbitrary PHP shell scripts on the server, leading to remote code execution and unauthorized access to the system. This can result in the compromise of sensitive data and system functionality. | |||||
| CVE-2025-10600 | 1 Janobe | 1 Online Exam Form Submission | 2025-09-22 | 7.5 HIGH | 7.3 HIGH |
| A flaw has been found in SourceCodester Online Exam Form Submission 1.0. This impacts an unknown function of the file /register.php. This manipulation of the argument img causes unrestricted upload. It is possible to initiate the attack remotely. The exploit has been published and may be used. | |||||
| CVE-2025-48953 | 1 Umbraco | 1 Umbraco Cms | 2025-09-22 | N/A | 5.5 MEDIUM |
| Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it's possible to upload a file that doesn't adhere with the configured allowable file extensions via a manipulated API request. The issue is patched in versions 15.4.2 and 16.0.0. No known workarounds are available. | |||||
| CVE-2025-10447 | 1 Campcodes | 1 Online Job Finder System | 2025-09-20 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was detected in Campcodes Online Job Finder System 1.0. The impacted element is an unknown function of the file /eris/applicationform.php. The manipulation of the argument picture results in unrestricted upload. It is possible to launch the attack remotely. The exploit is now public and may be used. | |||||
| CVE-2025-10615 | 1 Angeljudesuarez | 1 E-commerce Website | 2025-09-20 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was identified in itsourcecode E-Commerce Website 1.0. This impacts an unknown function of the file /admin/products.php. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit is publicly available and might be used. | |||||
| CVE-2025-10616 | 1 Angeljudesuarez | 1 E-commerce Website | 2025-09-20 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in itsourcecode E-Commerce Website 1.0. Affected is an unknown function of the file /admin/users.php. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited. | |||||
| CVE-2012-10054 | 1 Umbraco | 1 Umbraco Cms | 2025-09-19 | N/A | 9.8 CRITICAL |
| Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpoint, which exposes a SaveDLRScript operation that permits arbitrary file uploads without authentication. By exploiting a path traversal flaw in the fileName parameter, attackers can write malicious ASPX scripts directly into the web-accessible /umbraco/ directory and execute them remotely. | |||||