Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,098)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-1834 1Zframeworks 1Zz May 26, 2025 Mar 2, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability, which was classified as critical, was found in zj1983 zz up to 2024-8. This affects an unknown part of the file /resolve. The manipulation of the argument file leads to unrestricted upload. It is possibl...Show more A vulnerability, which was classified as critical, was found in zj1983 zz up to 2024-8. This affects an unknown part of the file /resolve. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-1818 1Zframeworks 1Zz May 26, 2025 Mar 2, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability, which was classified as critical, has been found in zj1983 zz up to 2024-8. This issue affects some unknown processing of the file src/main/java/com/futvan/z/system/zfile/ZfileAction.upload. The manipula...Show more A vulnerability, which was classified as critical, has been found in zj1983 zz up to 2024-8. This issue affects some unknown processing of the file src/main/java/com/futvan/z/system/zfile/ZfileAction.upload. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-1791 1Skycaiji 1Skycaiji Jun 12, 2025 Mar 1, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability has been found in Zorlan SkyCaiji 2.9 and classified as critical. This vulnerability affects the function fileAction of the file vendor/skycaiji/app/admin/controller/Tool.php. The manipulation of the argu...Show more A vulnerability has been found in Zorlan SkyCaiji 2.9 and classified as critical. This vulnerability affects the function fileAction of the file vendor/skycaiji/app/admin/controller/Tool.php. The manipulation of the argument save_data leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-8425 1Wpswings 1Woocommerce Ultimate Gift Card Apr 8, 2026 Feb 28, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' function...Show more The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.9.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note that this may have been patched on an older version than 2.9.2, however, we do not have access to older versions of the software to confirm when the patch was added. The only patched version we have confirmed is 2.9.3.Show less
CVE-2025-26325 1Shopxo 1Shopxo Apr 10, 2025 Feb 27, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 ShopXO 6.4.0 is vulnerable to File Upload in ThemeDataService.php.
CVE-2024-41340 1Draytek 20Vigor165 Firmware Vigor166 FirmwareVigor2133 Firmware+17 more Jun 3, 2025 Feb 27, 2025 N/A· v4 8.4 HIGH· v3 N/A· v2 An issue in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2...Show more An issue in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to upload crafted APP Enforcement modules, leading to arbitrary code execution.Show less
CVE-2024-41339 1Draytek 20Vigor165 Firmware Vigor166 FirmwareVigor2133 Firmware+17 more Jun 3, 2025 Feb 27, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue in the CGI endpoint used to upload configurations in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor...Show more An issue in the CGI endpoint used to upload configurations in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to upload a crafted kernel module, allowing for arbitrary code execution.Show less
CVE-2025-25790 1Foxcms 1Foxcms Apr 9, 2025 Feb 26, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An arbitrary file upload vulnerability in the component \controller\LocalTemplate.php of FoxCMS v1.2.5 allows attackers to execute arbitrary code via uploading a crafted Zip file.
CVE-2025-25784 1Jizhicms 1Jizhicms Apr 10, 2025 Feb 26, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An arbitrary file upload vulnerability in the component \c\TemplateController.php of Jizhicms v2.5.4 allows attackers to execute arbitrary code via uploading a crafted Zip file.
CVE-2025-25783 1Emlog 1Emlog Apr 7, 2025 Feb 26, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An arbitrary file upload vulnerability in the component admin\plugin.php of Emlog Pro v2.5.3 allows attackers to execute arbitrary code via uploading a crafted Zip file.
CVE-2025-0731 - - Feb 26, 2025 Feb 26, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An unauthenticated remote attacker can upload a .aspx file instead of a PV system picture through the demo account. The code can only be executed in the security context of the user.
CVE-2025-1128 1Wpeverest 1Everest Forms Feb 28, 2025 Feb 25, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validatio...Show more The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server which may make remote code execution, sensitive information disclosure, or a site takeover possible.Show less
CVE-2025-1646 - - Feb 25, 2025 Feb 25, 2025 6.9 MEDIUM· v4 7.3 HIGH· v3 7.5 HIGH· v2 A vulnerability, which was classified as critical, has been found in Lumsoft ERP 8. Affected by this issue is some unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx of the component ASPX File Handler. The...Show more A vulnerability, which was classified as critical, has been found in Lumsoft ERP 8. Affected by this issue is some unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx of the component ASPX File Handler. The manipulation of the argument file leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-56897 1Yitechnology 1Yi Car Dashcam Firmware Mar 3, 2025 Feb 24, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, s...Show more Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, such as disabling recording, disabling sounds, factory reset.Show less
CVE-2025-1598 1Mayurik 1Best Church Management Software Feb 28, 2025 Feb 24, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/app/asset_crud.php. The man...Show more A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/app/asset_crud.php. The manipulation of the argument photo1 leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-1593 1Mayurik 1Best Employee Management System Feb 28, 2025 Feb 23, 2025 5.1 MEDIUM· v4 9.8 CRITICAL· v3 5.8 MEDIUM· v2 A vulnerability classified as critical has been found in SourceCodester Best Employee Management System 1.0. This affects an unknown part of the file /_hr_soft/assets/uploadImage/Profile/ of the component Profile Picture...Show more A vulnerability classified as critical has been found in SourceCodester Best Employee Management System 1.0. This affects an unknown part of the file /_hr_soft/assets/uploadImage/Profile/ of the component Profile Picture Handler. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely.Show less
CVE-2025-1590 1Janobe 1E Learning System Feb 28, 2025 Feb 23, 2025 5.1 MEDIUM· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A vulnerability was found in SourceCodester E-Learning System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/modules/lesson/index.php of the component List of Lessons Page. Th...Show more A vulnerability was found in SourceCodester E-Learning System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/modules/lesson/index.php of the component List of Lessons Page. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely.Show less
CVE-2025-26776 - - Apr 28, 2026 Feb 22, 2025 N/A· v4 10.0 CRITICAL· v3 N/A· v2 Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Chaty Pro allows Upload a Web Shell to a Web Server. This issue affects Chaty Pro: from n/a through 3.3.3.
CVE-2024-13869 1Wpvivid 1Wpvivid Backup & Migration Mar 5, 2025 Feb 22, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all versions up to, and inclu...Show more The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all versions up to, and including, 0.9.112. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers.Show less
CVE-2025-1555 1Hzmanyun 1Education And Training System Jan 29, 2026 Feb 21, 2025 6.9 MEDIUM· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability classified as critical was found in hzmanyun Education and Training System 3.1.1. This vulnerability affects the function saveImage. The manipulation of the argument file leads to unrestricted upload. The...Show more A vulnerability classified as critical was found in hzmanyun Education and Training System 3.1.1. This vulnerability affects the function saveImage. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less

Previous 1...596061...205 Next