CWE-434

4,107 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
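The entries below show the same weakness repeatedly: a PHP, phar or HTML file accepted by an upload handler, a zip whose members are unpacked into the web root, a thumbnail or theme that is really a script, or a storage path the user can point at the document root. The following upload validator is an added example written for this page (it is not code from the CWE entry or from any product listed here); it uses an extension allowlist backed by magic-byte checks, inspects zip members before anything is unpacked, and stores files under a server-chosen name in a fixed directory outside the web root. The size limits, the `UPLOAD_DIR` path, the accepted types and the sample inputs are assumptions constructed for the demo.

```python
import io
import os
import secrets
import tempfile
import zipfile
from collections import namedtuple

# Allowlist of final extensions, each with the magic bytes the content must start with (assumed set).
# A denylist of .php/.phtml/.phar/.php7/... is deliberately not used: it always misses a variant.
ALLOWED = {"png": (b"\x89PNG\r\n\x1a\n",), "jpg": (b"\xff\xd8\xff",),
           "pdf": (b"%PDF-",), "zip": (b"PK\x03\x04",)}
MAX_BYTES = 10 * 1024 * 1024      # per-upload cap (assumption)
MAX_UNZIPPED = 50 * 1024 * 1024   # declared uncompressed total allowed in an archive (assumption)
UPLOAD_DIR = "/var/lib/app/uploads"  # fixed, outside the web root, never taken from a request (assumption)

Accepted = namedtuple("Accepted", "stored_name ext size")  # stored_name is chosen by the server

def _ext(name: str) -> str:
    # Final extension of the basename only: 'dir/shell.php.PNG' -> 'png', '.htaccess' -> 'htaccess'
    base = os.path.basename(name.replace("\\", "/"))
    return base.rsplit(".", 1)[1].lower() if "." in base else ""

def _check_zip(data: bytes) -> None:
    """Reject archives that would drop scripts, escape the target directory, or exhaust disk."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as e:
        raise ValueError("corrupt zip") from e
    total = 0
    for info in zf.infolist():
        name = info.filename
        if name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/") or name[1:2] == ":":
            raise ValueError(f"unsafe archive path: {name!r}")
        if name.endswith("/"):
            continue  # directory entry
        ext = _ext(name)
        if ext not in ALLOWED or ext == "zip":  # same allowlist as the top level; no nested archives
            raise ValueError(f"archive member not allowed: {name!r}")
        with zf.open(info) as member:
            head = member.read(16)
        if not any(head.startswith(m) for m in ALLOWED[ext]):
            raise ValueError(f"archive member content mismatch: {name!r}")
        total += info.file_size  # declared size is a first gate; extraction must be byte-capped too
        if total > MAX_UNZIPPED:
            raise ValueError("archive expands too large")

def validate_upload(client_filename: str, data: bytes) -> Accepted:
    if not data or len(data) > MAX_BYTES:
        raise ValueError("empty or oversized upload")
    if "\x00" in client_filename:
        raise ValueError("NUL byte in filename")  # 'shell.php\x00.png' truncation tricks
    ext = _ext(client_filename)
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not any(data.startswith(m) for m in ALLOWED[ext]):
        raise ValueError("content does not match extension")
    if ext == "zip":
        _check_zip(data)
    return Accepted(f"{secrets.token_hex(16)}.{ext}", ext, len(data))

def save(accepted: Accepted, data: bytes, directory: str = UPLOAD_DIR) -> str:
    """Write under the server-chosen name; O_EXCL forbids overwrite, 0o640 keeps the file non-executable."""
    path = os.path.join(directory, accepted.stored_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

# --- constructed sample inputs for the demo (not real uploads) ---
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP = b"<?php echo 1; ?>"

def _zip_of(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def demo() -> dict:
    cases = {
        "plain image": ("avatar.png", PNG),
        "php script": ("shell.php", PHP),
        "double extension, script body": ("shell.php.png", PHP),
        "html upload": ("page.html", b"<script>1</script>"),
        "zip carrying php": ("theme.zip", _zip_of({"theme/index.php": PHP})),
        "zip with traversal": ("theme.zip", _zip_of({"../../www/a.png": PNG})),
        "clean zip": ("theme.zip", _zip_of({"theme/logo.png": PNG})),
    }
    out = {}
    for label, (name, data) in cases.items():
        try:
            out[label] = "accepted as ." + validate_upload(name, data).ext
        except ValueError as e:
            out[label] = f"rejected: {e}"
    path = save(validate_upload("avatar.png", PNG), PNG, tempfile.mkdtemp())  # temp dir stands in for UPLOAD_DIR
    out["saved non-executable"] = (os.stat(path).st_mode & 0o111) == 0
    return out
```

Two design points matter beyond the checks themselves. The client filename never reaches disk, so an Apache `AddHandler` pattern that matches `.php` anywhere in `shell.php.png` has nothing to match, and a user-controlled storage path (the Jedox entry below) is ruled out because the directory is a constant. Files that pass should still be served from a separate origin or with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, since an allowlisted image or PDF can still carry content a browser would otherwise interpret.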


CVEs (4,107)

Each entry lists vendor(s) · product(s) · updated · published · CVSS v4 / v3 / v2, followed by the description.

S9y · Serendipity · Jun 17, 2026 · May 16, 2023 · CVSS v4 N/A / v3 8.8 HIGH / v2 N/A
An arbitrary file upload vulnerability in Serendipity 2.4-beta1 allows attackers to execute arbitrary code via a crafted HTML or JavaScript file.

Storage Unit Rental Management System Project · Storage Unit Rental Management System · Jun 17, 2026 · May 12, 2023 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 N/A
File upload vulnerability found in Oretnom23 Storage Unit Rental Management System v1.0 allows a remote attacker to execute arbitrary code via the update_settings parameter.

Extplorer · Extplorer · Jun 17, 2026 · May 12, 2023 · CVSS v4 N/A / v3 8.8 HIGH / v2 N/A
eXtplorer 2.1.15 is vulnerable to insecure permissions: the file manager's upload accepts a zip file containing PHP pages, allowing arbitrary code execution.

Phpok · Phpok · Jun 17, 2026 · May 11, 2023 · CVSS v4 N/A / v3 8.8 HIGH / v2 N/A
File upload vulnerability in PHPOK 5.7.140 allows remote attackers to run arbitrary code and gain escalated privileges via a crafted zip file upload.

Weaver · E Office · Jun 17, 2026 · May 11, 2023 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 6.5 MEDIUM
A vulnerability was found in Weaver E-Office 9.5. It has been classified as critical. This affects an unknown part of the file /inc/jquery/uploadify/uploadify.php. The manipulation of the argument Filedata leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228777 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Genesys · Tftp Server · Jun 17, 2026 · May 10, 2023 · CVSS v4 N/A / v3 8.8 HIGH / v2 N/A
An issue was found in the Genesys CIC Polycom phone provisioning TFTP Server (all versions) that allows a remote attacker to execute arbitrary code via the login credentials to the TFTP server configuration page.

Ivanti · Avalanche · Jun 17, 2026 · May 9, 2023 · CVSS v4 N/A / v3 7.2 HIGH / v2 N/A
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve remote code execution.

Agilepoint · Agilepoint Nx · Jun 17, 2026 · May 8, 2023 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 N/A
AgilePoint NX v8.0 SU2.2 and SU2.3: insecure file upload. The vulnerability allows insecure file upload via an unspecified request.

Cmsmadesimple · Cms Made Simple · Jun 17, 2026 · May 8, 2023 · CVSS v4 N/A / v3 7.2 HIGH / v2 N/A
File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file.

Mblog Project · Mblog · Jun 17, 2026 · May 8, 2023 · CVSS v4 N/A / v3 7.8 HIGH / v2 N/A
OS command injection vulnerability in mblog 3.5.0 allows attackers to execute arbitrary code via a crafted theme when it is selected.

Mingsoft · Mcms · Jun 17, 2026 · May 8, 2023 · CVSS v4 N/A / v3 8.8 HIGH / v2 N/A
File upload vulnerability in MCMS 5.0 allows attackers to execute arbitrary code via a crafted thumbnail. A different vulnerability than CVE-2022-31943.

Crmeb · Crmeb · Jun 17, 2026 · May 8, 2023 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 N/A
CRMEB v4.4 to v4.6 was discovered to contain an arbitrary file upload vulnerability via the component \attachment\SystemAttachmentServices.php.

Sem Cms · Semcms · Jun 17, 2026 · May 5, 2023 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 N/A
Semcms Shop v4.2 was discovered to contain an arbitrary file upload vulnerability via the component SEMCMS_Upfile.php. This vulnerability allows attackers to execute arbitrary code via uploading a crafted PHP file.

Online Food Ordering System Project, Oretnom23 · Online Food Ordering System (2 product entries) · Jun 17, 2026 · May 5, 2023 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 N/A
An arbitrary file upload vulnerability in the component /admin/ajax.php?action=save_menu of Online Food Ordering System v2.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.

Cltphp · Cltphp · Jun 17, 2026 · May 4, 2023 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 N/A
CLTPHP <=6.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via application/admin/controller/Template.php:update.

E Office · E Office · Jun 17, 2026 · May 4, 2023 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
A vulnerability was found in Weaver E-Office 9.5. It has been rated as critical. Affected by this issue is some unknown functionality of the file App/Ajax/ajax.php?action=mobile_upload_save. The manipulation of the argument upload_quwan leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-228014 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Jedox · Jedox · Jun 17, 2026 · May 2, 2023 · CVSS v4 N/A / v3 8.8 HIGH / v2 N/A
Incorrect input validation for the default-storage-path in the settings page in Jedox 2020.2.5 allows remote, authenticated users to specify the location as the webroot directory. Consecutive file uploads can lead to the execution of arbitrary code. NOTE: The vendor states that the vulnerability affects installations running version 22.2 or earlier. The issue was resolved with version 22.3, and later versions are not affected. Additionally, the vendor states that this vulnerability affects on-premises deployments only and that it does not impact cloud-hosted or SaaS environments.

Zyrex · Popup · Jun 17, 2026 · May 2, 2023 · CVSS v4 N/A / v3 7.2 HIGH / v2 N/A
The ZYREX POPUP WordPress plugin through 1.0 does not validate the type of files uploaded when creating a popup, allowing a high privileged user (such as an Administrator) to upload arbitrary files, even when modifying the file system is disallowed, such as in a multisite install.

Antabot White Jotter Project · Antabot White Jotter · Jun 17, 2026 · May 1, 2023 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 N/A
File upload vulnerability in Antabot White-Jotter v0.2.2 allows remote attackers to execute malicious code via the file parameter to the function coversUpload.

Apache · Streampark · Jun 17, 2026 · May 1, 2023 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 N/A
StreamPark allows any user to upload a jar as an application, but there is no mandatory verification of the uploaded file type, so users can upload high-risk files and may upload them to any directory. Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.