Total
3028 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-5450 | 1 Bug Library Project | 1 Bug Library | 2025-05-13 | N/A | 9.1 CRITICAL |
| The Bug Library WordPress plugin before 2.1.1 does not check the file type on user-submitted bug reports, allowing an unauthenticated user to upload PHP files | |||||
| CVE-2023-31585 | 2025-05-12 | N/A | 9.8 CRITICAL | ||
| Grocery-CMS-PHP-Restful-API v1.3 is vulnerable to File Upload via /admin/add-category.php. | |||||
| CVE-2025-2031 | 1 1000mz | 1 Chestnutcms | 2025-05-12 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in ChestnutCMS up to 1.5.2. This affects the function uploadFile of the file /dev-api/cms/file/upload. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-47549 | 1 Themefic | 1 Ultimate Before After Image Slider \& Gallery | 2025-05-12 | N/A | 9.1 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in Themefic BEAF allows Upload a Web Shell to a Web Server. This issue affects BEAF: from n/a through 4.6.10. | |||||
| CVE-2025-47550 | 1 Themefic | 1 Instantio | 2025-05-12 | N/A | 6.6 MEDIUM |
| Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Instantio allows Upload a Web Shell to a Web Server. This issue affects Instantio: from n/a through 3.3.16. | |||||
| CVE-2024-11617 | 2025-05-12 | N/A | 9.8 CRITICAL | ||
| The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'zetra_languageUpload' and 'zetra_fontsUpload' functions in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-4403 | 2025-05-12 | N/A | 9.8 CRITICAL | ||
| The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.1.6 due to accepting a user‐supplied supported_type string and the uploaded filename without enforcing real extension or MIME checks within the upload() function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-3455 | 2025-05-12 | N/A | 8.8 HIGH | ||
| The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'start_restore' function in all versions up to, and including, 2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-4538 | 2025-05-12 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in kkFileView 4.4.0. It has been classified as critical. This affects an unknown part of the file /fileUpload. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-4556 | 2025-05-12 | N/A | 9.8 CRITICAL | ||
| The web management interface of Okcat Parking Management Platform from ZONG YU has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | |||||
| CVE-2025-4561 | 2025-05-12 | N/A | 8.8 HIGH | ||
| The KFOX from KingFor has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privilege to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | |||||
| CVE-2022-32176 | 1 Gin-vue-admin Project | 1 Gin-vue-admin | 2025-05-10 | N/A | 9.0 CRITICAL |
| In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3b are vulnerable to Unrestricted File Upload that leads to execution of javascript code, through the "Compress Upload" functionality to the Media Library. When an admin user views the uploaded file, a low privilege attacker will get access to the admin's cookie leading to account takeover. | |||||
| CVE-2020-26629 | 1 Phpgurukul | 1 Hospital Management System | 2025-05-09 | N/A | 9.8 CRITICAL |
| A JQuery Unrestricted Arbitrary File Upload vulnerability was discovered in Hospital Management System V4.0 which allows an unauthenticated attacker to upload any file to the server. | |||||
| CVE-2022-43283 | 1 Webassembly | 1 Wabt | 2025-05-08 | N/A | 5.5 MEDIUM |
| wasm2c v1.0.29 was discovered to contain an abort in CWriter::Write. | |||||
| CVE-2024-24350 | 1 Softwarepublico | 1 E-sic Livre | 2025-05-08 | N/A | 8.8 HIGH |
| File Upload vulnerability in Software Publico e-Sic Livre v.2.0 and before allows a remote attacker to execute arbitrary code via the extension filtering component. | |||||
| CVE-2024-22515 | 1 Ispyconnect | 1 Agent Dvr | 2025-05-08 | N/A | 8.8 HIGH |
| Unrestricted File Upload vulnerability in iSpyConnect.com Agent DVR 5.1.6.0 allows attackers to upload arbitrary files via the upload audio component. | |||||
| CVE-2025-23213 | 1 Tandoor | 1 Recipes | 2025-05-08 | N/A | 8.7 HIGH |
| Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The file upload feature allows to upload arbitrary files, including html and svg. Both can contain malicious content (XSS Payloads). This vulnerability is fixed in 1.5.28. | |||||
| CVE-2025-28168 | 2025-05-08 | N/A | 6.4 MEDIUM | ||
| The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems. | |||||
| CVE-2024-25925 | 1 Sysbasics | 1 Easy Checkout Field Editor | 2025-05-08 | N/A | 10.0 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in SYSBASICS WooCommerce Easy Checkout Field Editor, Fees & Discounts.This issue affects WooCommerce Easy Checkout Field Editor, Fees & Discounts: from n/a through 3.5.12. | |||||
| CVE-2024-25913 | 1 Skymoonlabs | 1 Moveto | 2025-05-08 | N/A | 10.0 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in Skymoonlabs MoveTo.This issue affects MoveTo: from n/a through 6.2. | |||||