Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,107)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-28890 1Incsub 1Forminator Apr 4, 2025 Apr 23, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the serve...Show more Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition. Show less
CVE-2024-29368 1Mozilo 1Mozilocms Apr 30, 2025 Apr 22, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An arbitrary file upload vulnerability in the file handling module of moziloCMS v2.0 allows attackers to bypass extension restrictions via file renaming, potentially leading to unauthorized file execution or storage of m...Show more An arbitrary file upload vulnerability in the file handling module of moziloCMS v2.0 allows attackers to bypass extension restrictions via file renaming, potentially leading to unauthorized file execution or storage of malicious content.Show less
CVE-2024-29661 1Dedecms 1Dedecms Apr 1, 2025 Apr 22, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A File Upload vulnerability in DedeCMS v5.7 allows a local attacker to execute arbitrary code via a crafted payload.
CVE-2024-23534 1Ivanti 1Avalanche May 6, 2025 Apr 19, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An Unrestricted File-upload vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
CVE-2024-3948 1Library System Project 1Library System Feb 10, 2025 Apr 18, 2024 N/A· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability was found in SourceCodester Home Clean Service System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file \admin\student.add.php of the component Photo Han...Show more A vulnerability was found in SourceCodester Home Clean Service System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file \admin\student.add.php of the component Photo Handler. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-261440.Show less
CVE-2024-32161 1Jizhicms 1Jizhicms Apr 18, 2025 Apr 17, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 jizhiCMS 2.5 suffers from a File upload vulnerability.
CVE-2024-32514 1Infotheme 1Wp Poll Maker Apr 28, 2026 Apr 17, 2024 N/A· v4 9.9 CRITICAL· v3 N/A· v2 Unrestricted Upload of File with Dangerous Type vulnerability in Poll Maker & Voting Plugin Team (InfoTheme) WP Poll Maker.This issue affects WP Poll Maker: from n/a through 3.4.
CVE-2024-31680 - - Nov 21, 2024 Apr 17, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 File Upload vulnerability in Shibang Communications Co., Ltd. IP network intercom broadcasting system v.1.0 allows a local attacker to execute arbitrary code via the my_parser.php component.
CVE-2024-32256 1Phpgurukul 1Tourism Management System Apr 2, 2025 Apr 16, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 Phpgurukul Tourism Management System v2.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via /tms/admin/change-image.php. When updating a current package, there are no checks for what types of files are...Show more Phpgurukul Tourism Management System v2.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via /tms/admin/change-image.php. When updating a current package, there are no checks for what types of files are uploaded from the image.Show less
CVE-2024-32254 1Phpgurukul 1Tourism Management System Apr 2, 2025 Apr 16, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Phpgurukul Tourism Management System v2.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via tms/admin/create-package.php. When creating a new package, there is no checks for what types of files are upl...Show more Phpgurukul Tourism Management System v2.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via tms/admin/create-package.php. When creating a new package, there is no checks for what types of files are uploaded from the image.Show less
CVE-2024-3863 1Mozilla 2Firefox Thunderbird Mar 28, 2025 Apr 16, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The executable file warning was not presented when downloading .xrm-ms files. Note: This issue only affected Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 125...Show more The executable file warning was not presented when downloading .xrm-ms files. Note: This issue only affected Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.Show less
CVE-2020-22539 1Codologic 1Codoforum Apr 18, 2025 Apr 15, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 An arbitrary file upload vulnerability in the Add Category function of Codoforum v4.9 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-3804 - - Nov 21, 2024 Apr 15, 2024 N/A· v4 6.3 MEDIUM· v3 6.5 MEDIUM· v2 A vulnerability, which was classified as critical, has been found in Vesystem Cloud Desktop up to 20240408. This issue affects some unknown processing of the file /Public/webuploader/0.1.5/server/fileupload2.php. The man...Show more A vulnerability, which was classified as critical, has been found in Vesystem Cloud Desktop up to 20240408. This issue affects some unknown processing of the file /Public/webuploader/0.1.5/server/fileupload2.php. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260777 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-3803 - - Nov 21, 2024 Apr 15, 2024 N/A· v4 6.3 MEDIUM· v3 6.5 MEDIUM· v2 A vulnerability classified as critical was found in Vesystem Cloud Desktop up to 20240408. This vulnerability affects unknown code of the file /Public/webuploader/0.1.5/server/fileupload.php. The manipulation of the argu...Show more A vulnerability classified as critical was found in Vesystem Cloud Desktop up to 20240408. This vulnerability affects unknown code of the file /Public/webuploader/0.1.5/server/fileupload.php. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-260776. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-3778 1Ai3 1Qbibot Apr 8, 2025 Apr 15, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 The file upload functionality of Ai3 QbiBot does not properly restrict types of uploaded files, allowing remote attackers with administrator privilege to upload files with dangerous type containing malicious code.
CVE-2024-3736 1Cym1102 1Nginxwebui Aug 21, 2025 Apr 13, 2024 N/A· v4 7.5 HIGH· v3 4.0 MEDIUM· v2 A vulnerability was found in cym1102 nginxWebUI up to 3.9.9. It has been declared as problematic. Affected by this vulnerability is the function upload of the file /adminPage/main/upload. The manipulation leads to unrest...Show more A vulnerability was found in cym1102 nginxWebUI up to 3.9.9. It has been declared as problematic. Affected by this vulnerability is the function upload of the file /adminPage/main/upload. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-260575.Show less
CVE-2024-3705 1Opengnsys 1Opengnsys Nov 4, 2025 Apr 12, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Unrestricted file upload vulnerability in OpenGnsys affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to send a POST request to the endpoint '/opengnsys/images/M_Icons.php' modifying the file exten...Show more Unrestricted file upload vulnerability in OpenGnsys affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to send a POST request to the endpoint '/opengnsys/images/M_Icons.php' modifying the file extension, due to lack of file extension verification, resulting in a webshell injection.Show less
CVE-2023-51409 1Meowapps 1Ai Engine Apr 28, 2026 Apr 12, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.This issue affects AI Engine: ChatGPT Chatbot: from n/a through 1.9.98.
CVE-2024-3344 1Themeisle 1Otter Blocks Apr 8, 2026 Apr 11, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.6.8 due to insuff...Show more The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Show less
CVE-2024-31214 1Traccar 1Traccar Jan 9, 2025 Apr 10, 2024 N/A· v4 9.6 CRITICAL· v3 N/A· v2 Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control...Show more Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control over the file extension, and partial control over the file name. While it's not for an attacker to overwrite an existing file, an attacker can create new files with certain names and attacker-controlled extensions anywhere on the file system. This can potentially lead to remote code execution, XSS, DOS, etc. The default install of Traccar makes this vulnerability more severe. Self-registration is enabled by default, allowing anyone to create an account to exploit this vulnerability. Traccar also runs by default with root/system privileges, allowing files to be placed anywhere on the file system. Version 6.0 contains a fix for the issue. One may also turn off self-registration by default, as that would make most vulnerabilities in the application much harder to exploit by default and reduce the severity considerably. Show less

Previous 1...919293...206 Next