Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,098)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-54525 1Apple 6Ipados Iphone OsMacos+3 more Apr 2, 2026 Mar 17, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 A logic issue was addressed with improved file handling. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, tvOS 18.2, visionOS 2.2, watchOS 11.2. Restoring a maliciously crafted backup file may lead to...Show more A logic issue was addressed with improved file handling. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, tvOS 18.2, visionOS 2.2, watchOS 11.2. Restoring a maliciously crafted backup file may lead to modification of protected system files.Show less
CVE-2025-2396 1Edetw 1U Office Force Nov 18, 2025 Mar 17, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 The U-Office Force from e-Excellence has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and execute web shell backdoors, thereby enabling arbitrary code execution on t...Show more The U-Office Force from e-Excellence has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.Show less
CVE-2025-2350 1Iroadau 1Fx2 Firmware Nov 6, 2025 Mar 16, 2025 5.3 MEDIUM· v4 7.8 HIGH· v3 5.8 MEDIUM· v2 A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been rated as critical. Affected by this issue is some unknown functionality of the file /action/upload_file. The manipulation leads to unrestricted...Show more A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been rated as critical. Affected by this issue is some unknown functionality of the file /action/upload_file. The manipulation leads to unrestricted upload. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-2219 1Lovecards 1Lovecards Mar 25, 2025 Mar 12, 2025 6.9 MEDIUM· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability was found in LoveCards LoveCardsV2 up to 2.3.2 and classified as critical. This issue affects some unknown processing of the file /api/upload/image. The manipulation of the argument file leads to unrestri...Show more A vulnerability was found in LoveCards LoveCardsV2 up to 2.3.2 and classified as critical. This issue affects some unknown processing of the file /api/upload/image. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-2216 1Zzskzy 1Warehouse Refinement Management System Mar 25, 2025 Mar 12, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability, which was classified as critical, has been found in zzskzy Warehouse Refinement Management System 1.3. Affected by this issue is the function UploadCrash of the file /crash/log/SaveCrash.ashx. The manipu...Show more A vulnerability, which was classified as critical, has been found in zzskzy Warehouse Refinement Management System 1.3. Affected by this issue is the function UploadCrash of the file /crash/log/SaveCrash.ashx. The manipulation of the argument file leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-28915 - - Apr 23, 2026 Mar 11, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Unrestricted Upload of File with Dangerous Type vulnerability in Theme Egg ThemeEgg ToolKit themeegg-toolkit allows Upload a Web Shell to a Web Server.This issue affects ThemeEgg ToolKit: from n/a through <= 1.2.9.
CVE-2025-22213 - - Mar 11, 2025 Mar 11, 2025 7.1 HIGH· v4 N/A· v3 N/A· v2 Inadequate checks in the Media Manager allowed users with "edit" privileges to change file extension to arbitrary extension, including .php and other potentially executable extensions.
CVE-2025-2115 1Zzskzy 1Warehouse Refinement Management System Jun 27, 2025 Mar 9, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability, which was classified as critical, was found in zzskzy Warehouse Refinement Management System 3.1. Affected is the function ProcessRequest of the file /AcceptZip.ashx. The manipulation of the argument fil...Show more A vulnerability, which was classified as critical, was found in zzskzy Warehouse Refinement Management System 3.1. Affected is the function ProcessRequest of the file /AcceptZip.ashx. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-13359 1Tychesoftwares 1Product Input Fields For Woocommerce Mar 13, 2025 Mar 8, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the add_product_input_fields_to_order_item_meta() function in all versions...Show more The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the add_product_input_fields_to_order_item_meta() function in all versions up to, and including, 1.12.0. This may make it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note that by default the plugin is only vulnerable to a double extension file upload attack, unless an administrators leaves the accepted file extensions field blank which can make .php file uploads possible. Please note 1.12.2 was mistakenly marked as patched while 1.12.1 was marked as vulnerable for a short period of time, this is not the case and 1.12.1 is fully patched.Show less
CVE-2024-13882 1Coderevolution 1Aiomatic Mar 13, 2025 Mar 8, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aiomatic_generate_...Show more The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aiomatic_generate_featured_image' function in all versions up to, and including, 2.3.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.Show less
CVE-2024-13908 1Bestwebsoft 1Smtp Mar 13, 2025 Mar 8, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 The SMTP by BestWebSoft plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 1.1.9. This makes it possible...Show more The SMTP by BestWebSoft plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.Show less
CVE-2025-25361 1Publiccms 1Publiccms Jul 1, 2025 Mar 6, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An arbitrary file upload vulnerability in the component /cms/CmsWebFileAdminController.java of PublicCMS v4.0.202406 allows attackers to execute arbitrary code via uploading a crafted svg or xml file.
CVE-2025-2035 1S A Zhd 1Ecommerce Website Using Php Oct 15, 2025 Mar 6, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability was found in s-a-zhd Ecommerce-Website-using-PHP 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /customer_register.php. The manipulation of the argument n...Show more A vulnerability was found in s-a-zhd Ecommerce-Website-using-PHP 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /customer_register.php. The manipulation of the argument name leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-2031 11000mz 1Chestnutcms May 12, 2025 Mar 6, 2025 5.3 MEDIUM· v4 7.6 HIGH· v3 6.5 MEDIUM· v2 A vulnerability classified as critical has been found in ChestnutCMS up to 1.5.2. This affects the function uploadFile of the file /dev-api/cms/file/upload. The manipulation of the argument file leads to unrestricted upl...Show more A vulnerability classified as critical has been found in ChestnutCMS up to 1.5.2. This affects the function uploadFile of the file /dev-api/cms/file/upload. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-27411 1Redaxo 1Redaxo Jul 1, 2025 Mar 5, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 REDAXO is a PHP-based CMS. In Redaxo before 5.18.3, the mediapool/media page is vulnerable to arbitrary file upload. This vulnerability is fixed in 5.18.3.
CVE-2025-27683 1Printerlogic 2Vasion Print Virtual Appliance Nov 3, 2025 Mar 5, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 1.0.735 Application 20.0.1330 allows Driver Unrestricted Upload of File with Dangerous Type V-2022-006.
CVE-2025-26319 1Flowiseai 1Flowise Jun 24, 2025 Mar 4, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.
CVE-2024-47259 1Axis 2Axis Os Axis Os 2024 Jan 22, 2026 Mar 4, 2025 N/A· v4 7.1 HIGH· v3 N/A· v2 Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to trans...Show more Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files to the Axis device with the purpose to exhaust system resources. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.Show less
CVE-2025-1890 1Shishuocms Project 1Shishuocms Mar 5, 2025 Mar 4, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability has been found in shishuocms 1.1 and classified as critical. This vulnerability affects the function handleRequest of the file src/main/java/com/shishuo/cms/action/manage/ManageUpLoadAction.java. The mani...Show more A vulnerability has been found in shishuocms 1.1 and classified as critical. This vulnerability affects the function handleRequest of the file src/main/java/com/shishuo/cms/action/manage/ManageUpLoadAction.java. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-1835 - - Mar 3, 2025 Mar 2, 2025 5.3 MEDIUM· v4 6.3 MEDIUM· v3 6.5 MEDIUM· v2 A vulnerability has been found in osuuu LightPicture 1.2.2 and classified as critical. This vulnerability affects the function upload of the file /app/controller/Api.php. The manipulation of the argument file leads to un...Show more A vulnerability has been found in osuuu LightPicture 1.2.2 and classified as critical. This vulnerability affects the function upload of the file /app/controller/Api.php. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.Show less

Previous 1...585960...205 Next