Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,098)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-22654 - - Apr 23, 2026 Feb 18, 2025 N/A· v4 10.0 CRITICAL· v3 N/A· v2 Unrestricted Upload of File with Dangerous Type vulnerability in kodeshpa Simplified simplified allows Using Malicious Files.This issue affects Simplified: from n/a through <= 1.0.6.
CVE-2025-1388 1Learningdigital 1Orca Hcm Nov 17, 2025 Feb 17, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Orca HCM from LEARNING DIGITAL has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and run web shells
CVE-2025-1355 1Needyamin 1Library Card System Feb 25, 2025 Feb 16, 2025 6.9 MEDIUM· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability was found in needyamin Library Card System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /signup.php of the component Add Picture. The manip...Show more A vulnerability was found in needyamin Library Card System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /signup.php of the component Add Picture. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-1070 - - Feb 13, 2025 Feb 13, 2025 7.2 HIGH· v4 8.1 HIGH· v3 N/A· v2 CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could render the device inoperable when a malicious file is downloaded.
CVE-2025-26350 1Q Free 1Maxtime Oct 24, 2025 Feb 12, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 A CWE-434 "Unrestricted Upload of File with Dangerous Type" in the template file uploads in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to upload malicious files via crafte...Show more A CWE-434 "Unrestricted Upload of File with Dangerous Type" in the template file uploads in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to upload malicious files via crafted HTTP requests.Show less
CVE-2024-10960 1Brizy 1Brizy Feb 20, 2025 Feb 12, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'storeUploads' function in all versions up to, and including, 2.6.4. This makes it possible...Show more The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'storeUploads' function in all versions up to, and including, 2.6.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.Show less
CVE-2024-13365 1Cleantalk 1Security & Malware Scan Feb 25, 2025 Feb 12, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through the checkUploadedArchi...Show more The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through the checkUploadedArchive() function in all versions up to, and including, 2.149. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.Show less
CVE-2024-13714 - - Feb 12, 2025 Feb 12, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 The All-Images.ai – IA Image Bank and Custom Image creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_get_image_by_url' function in all versions up to, and...Show more The All-Images.ai – IA Image Bank and Custom Image creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_get_image_by_url' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.Show less
CVE-2025-26411 - - Nov 3, 2025 Feb 11, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 An authenticated attacker is able to use the Plugin Manager of the web interface of the Wattsense Bridge devices to upload malicious Python files to the device. This enables an attacker to gain remote root access to the...Show more An authenticated attacker is able to use the Plugin Manager of the web interface of the Wattsense Bridge devices to upload malicious Python files to the device. This enables an attacker to gain remote root access to the device. An attacker needs a valid user account on the Wattsense web interface to be able to conduct this attack. This issue is fixed in recent firmware versions BSP >= 6.1.0.Show less
CVE-2024-13544 1Amini7 1Zarinpal Paid Download Feb 20, 2025 Feb 11, 2025 N/A· v4 4.8 MEDIUM· v3 N/A· v2 The Zarinpal Paid Download WordPress plugin through 2.3 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed...Show more The Zarinpal Paid Download WordPress plugin through 2.3 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)Show less
CVE-2025-1166 1Remyandrade 1Food Menu Manager Aug 1, 2025 Feb 11, 2025 5.3 MEDIUM· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability has been found in SourceCodester Food Menu Manager 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file endpoint/update.php. The manipulation leads to unr...Show more A vulnerability has been found in SourceCodester Food Menu Manager 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file endpoint/update.php. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-1165 - - Feb 18, 2025 Feb 11, 2025 6.9 MEDIUM· v4 7.3 HIGH· v3 7.5 HIGH· v2 A vulnerability, which was classified as critical, was found in Lumsoft ERP 8. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument file leads to unrestricte...Show more A vulnerability, which was classified as critical, was found in Lumsoft ERP 8. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-13011 - - Feb 10, 2025 Feb 10, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The WP Foodbakery plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'upload_publisher_profile_image' function in versions up to, and including, 4.7. This makes i...Show more The WP Foodbakery plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'upload_publisher_profile_image' function in versions up to, and including, 4.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.Show less
CVE-2024-57408 1Beian.miit 1Cool Admin Java Oct 22, 2025 Feb 10, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 An arbitrary file upload vulnerability in the component /comm/upload of cool-admin-java v1.0 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-57407 - - Feb 19, 2025 Feb 10, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 An arbitrary file upload vulnerability in the component /userPicture of Timo v2.0.3 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-57668 1Fabian 1Shopping Portal Oct 23, 2025 Feb 6, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 In Code-projects Shopping Portal v1.0, the insert-product.php page has an arbitrary file upload vulnerability.
CVE-2025-1025 - - Feb 5, 2025 Feb 5, 2025 7.7 HIGH· v4 7.5 HIGH· v3 N/A· v2 Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use different extension to bypass the upload filter.
CVE-2025-1028 - - Feb 5, 2025 Feb 5, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. This makes it possible...Show more The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in specific configurations where the first extension is processed over the final. This vulnerability also requires successfully exploiting a race condition in order to exploit.Show less
CVE-2024-13723 - - Nov 3, 2025 Feb 4, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 The "NagVis" component within Checkmk is vulnerable to remote code execution. An authenticated attacker with administrative level privileges is able to upload a malicious PHP file and modify specific settings to execute...Show more The "NagVis" component within Checkmk is vulnerable to remote code execution. An authenticated attacker with administrative level privileges is able to upload a malicious PHP file and modify specific settings to execute the contents of the file as PHP.Show less
CVE-2024-57968 1Advantive 1Veracore Nov 4, 2025 Feb 3, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Advantive VeraCore before 2024.4.2.1 allows remote authenticated users to upload files to unintended folders (e.g., ones that are accessible during web browsing by other users). upload.aspx can be used for this.

Previous 1...606162...205 Next