Total
3295 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-45527 | 1 Institutional Management Website Project | 1 Institutional Management Website | 2025-03-25 | N/A | 9.8 CRITICAL |
| File upload vulnerability in Future-Depth Institutional Management Website (IMS) 1.0, allows unauthorized attackers to directly upload malicious files to the courseimg directory. | |||||
| CVE-2025-2687 | 1 Janobe | 1 Elearning System | 2025-03-24 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in PHPGurukul eLearning System 1.0. Affected is an unknown function of the file /user/index.php of the component Image Handler. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-54525 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2025-03-24 | N/A | 8.8 HIGH |
| A logic issue was addressed with improved file handling. This issue is fixed in visionOS 2.2, watchOS 11.2, tvOS 18.2, macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2. Restoring a maliciously crafted backup file may lead to modification of protected system files. | |||||
| CVE-2025-2702 | 2025-03-24 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability, which was classified as critical, has been found in Softwin WMX3 3.1. This issue affects the function ImageAdd of the file /ImageAdd.ashx. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-2671 | 2025-03-23 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in Yue Lao Blind Box 月老盲盒 up to 4.0. It has been declared as critical. This vulnerability affects the function base64image of the file /app/controller/Upload.php. The manipulation of the argument data leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2023-24646 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2025-03-21 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the component /fos/admin/ajax.php of Food Ordering System v2.0 allows attackers to execute arbitrary code via a crafted PHP file. | |||||
| CVE-2023-0255 | 1 Shortpixel | 1 Enable Media Replace | 2025-03-21 | N/A | 8.8 HIGH |
| The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites. | |||||
| CVE-2021-34639 | 1 W3eden | 1 Download Manager | 2025-03-21 | 6.5 MEDIUM | 7.5 HIGH |
| Authenticated File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g. "payload.php.png" which is executable in some configurations. This issue affects: WordPress Download Manager version 3.1.24 and prior versions. | |||||
| CVE-2024-9920 | 2025-03-20 | N/A | 6.6 MEDIUM | ||
| In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones like .py, .sh, .bat, and more. Attackers can exploit this by uploading files with malicious content and then using the '/open_file' API endpoint to execute these files. The vulnerability arises from the use of 'subprocess.Popen' to open files without proper validation, leading to potential remote code execution. | |||||
| CVE-2024-8060 | 2025-03-20 | N/A | 8.1 HIGH | ||
| OpenWebUI version 0.3.0 contains a vulnerability in the audio API endpoint `/audio/api/v1/transcriptions` that allows for arbitrary file upload. The application performs insufficient validation on the `file.content_type` and allows user-controlled filenames, leading to a path traversal vulnerability. This can be exploited by an authenticated user to overwrite critical files within the Docker container, potentially leading to remote code execution as the root user. | |||||
| CVE-2023-47873 | 1 Wensolutions | 1 Wp Child Theme Generator | 2025-03-19 | N/A | 9.1 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in WEN Solutions WP Child Theme Generator.This issue affects WP Child Theme Generator: from n/a through 1.0.9. | |||||
| CVE-2023-47846 | 1 Terryl | 1 Wp Githuber Md | 2025-03-19 | N/A | 9.1 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in Terry Lin WP Githuber MD.This issue affects WP Githuber MD: from n/a through 1.16.2. | |||||
| CVE-2024-41913 | 1 Hp | 2 Poly Clariti Manager, Poly Clariti Manager Firmware | 2025-03-19 | N/A | 8.8 HIGH |
| A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices. The firmware flaw does not properly sanitize User input. | |||||
| CVE-2023-38388 | 1 Artbees | 1 Jupiter X Core | 2025-03-19 | N/A | 9.0 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in Artbees JupiterX Core.This issue affects JupiterX Core: from n/a through 3.3.5. | |||||
| CVE-2024-23762 | 1 Gambio | 1 Gambio | 2025-03-18 | N/A | 7.8 HIGH |
| Unrestricted File Upload vulnerability in Content Manager feature in Gambio 4.9.2.0 allows attackers to execute arbitrary code via upload of crafted PHP file. | |||||
| CVE-2021-35261 | 1 Bearadmin Project | 1 Bearadmin | 2025-03-18 | N/A | 9.8 CRITICAL |
| File Upload Vulnerability in Yupoxion BearAdmin before commit 10176153528b0a914eb4d726e200fd506b73b075 allows attacker to execute arbitrary remote code via the Upfile function of the extend/tools/Ueditor endpoint. | |||||
| CVE-2025-2494 | 2025-03-18 | N/A | N/A | ||
| Unrestricted file upload to Softdial Contact Center of Sytel Ltd. This vulnerability could allow an attacker to upload files to the server via the ‘/softdial/phpconsole/upload.php’ endpoint, which is protected by basic HTTP authentication. The files are uploaded to a directory exposed by the web application, which could result in code execution, giving the attacker full control over the server. | |||||
| CVE-2022-0959 | 1 Pgadmin | 1 Pgadmin 4 | 2025-03-17 | 3.5 LOW | 6.5 MEDIUM |
| A malicious, but authorised and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account under which pgAdmin is running has permission to write. | |||||
| CVE-2025-2396 | 2025-03-17 | N/A | 8.8 HIGH | ||
| The U-Office Force from e-Excellence has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | |||||
| CVE-2025-2350 | 2025-03-16 | 5.8 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been rated as critical. Affected by this issue is some unknown functionality of the file /action/upload_file. The manipulation leads to unrestricted upload. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. | |||||