Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,107)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-29623 1Connect Multiparty Project 1Connect Multiparty Jun 17, 2026 May 16, 2022 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 An arbitrary file upload vulnerability in the file upload module of Express Connect-Multiparty 2.2.0 allows attackers to execute arbitrary code via a crafted PDF file. NOTE: the Supplier has not verified this vulnerabili...Show more An arbitrary file upload vulnerability in the file upload module of Express Connect-Multiparty 2.2.0 allows attackers to execute arbitrary code via a crafted PDF file. NOTE: the Supplier has not verified this vulnerability report.Show less
CVE-2022-29622 1Formidable Project 1Formidable Jun 17, 2026 May 16, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which...Show more An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled. Strapi does not consider this to be a valid vulnerability.Show less
CVE-2022-29354 1Keystonejs 1Keystone Jun 17, 2026 May 16, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An arbitrary file upload vulnerability in the file upload module of Keystone v4.2.1 allows attackers to execute arbitrary code via a crafted file.
CVE-2022-29353 1Graphql Upload Project 1Graphql Upload Jun 17, 2026 May 16, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An arbitrary file upload vulnerability in the file upload module of Graphql-upload v13.0.0 allows attackers to execute arbitrary code via a crafted filename.
CVE-2022-29351 1Tiddlywiki 1Tiddlywiki5 Jun 17, 2026 May 16, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An arbitrary file upload vulnerability in the file upload module of Tiddlywiki5 v5.2.2 allows attackers to execute arbitrary code via a crafted SVG file. Note: The vendor argues that this is not a legitimate issue and th...Show more An arbitrary file upload vulnerability in the file upload module of Tiddlywiki5 v5.2.2 allows attackers to execute arbitrary code via a crafted SVG file. Note: The vendor argues that this is not a legitimate issue and there is no vulnerability here.Show less
CVE-2021-33009 1Myscada 1Mypro Jun 17, 2026 May 13, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to the file system.
CVE-2021-42967 1Xxyopen 1Novel Plus Jun 17, 2026 May 13, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Unrestricted file upload in /novel-admin/src/main/java/com/java2nb/common/controller/FileController.java in novel-plus all versions allows allows an attacker to upload malicious JSP files.
CVE-2021-27771 1Hcltech 1Sametime Jun 17, 2026 May 12, 2022 N/A· v4 7.6 HIGH· v3 6.5 MEDIUM· v2 User SID can be modified resulting in an Arbitrary File Upload or deletion of directories causing a Denial of Service. When interacting in a normal matter with the Sametime chat application, users hold a cookie containin...Show more User SID can be modified resulting in an Arbitrary File Upload or deletion of directories causing a Denial of Service. When interacting in a normal matter with the Sametime chat application, users hold a cookie containing their session ID (SID). This value is also used when sending chat messages, receiving notifications and/or transferring files.Show less
CVE-2022-21809 1Inhandnetworks 1Inrouter302 Firmware Jun 17, 2026 May 12, 2022 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 A file write vulnerability exists in the httpd upload.cgi functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can upload a malicious file t...Show more A file write vulnerability exists in the httpd upload.cgi functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can upload a malicious file to trigger this vulnerability.Show less
CVE-2022-30448 1Hospital Management System Project 1Hospital Management System Jun 17, 2026 May 11, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Hospital Management System in PHP with Source Code (HMS) 1.0 was discovered to contain a File upload vulnerability in treatmentrecord.php.
CVE-2022-29655 1Wedding Management System Project 1Wedding Management System Jun 17, 2026 May 11, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An arbitrary file upload vulnerability in the Upload Photos module of Wedding Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-29318 1Car Rental Management System Project 1Car Rental Management System Jun 17, 2026 May 11, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An arbitrary file upload vulnerability in the New Entry module of Car Rental Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2020-19228 1Bludit 1Bludit Jun 17, 2026 May 11, 2022 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 An issue was found in bludit v3.13.0, unsafe implementation of the backup plugin allows attackers to upload arbitrary files.
CVE-2021-42645 1Cmsimple Xh 1Cmsimple Xh Jun 17, 2026 May 10, 2022 N/A· v4 10.0 CRITICAL· v3 10.0 HIGH· v2 CMSimple_XH 1.7.4 is affected by a remote code execution (RCE) vulnerability. To exploit this vulnerability, an attacker must use the "File" parameter to upload a PHP payload to get a reverse shell from the vulnerable ho...Show more CMSimple_XH 1.7.4 is affected by a remote code execution (RCE) vulnerability. To exploit this vulnerability, an attacker must use the "File" parameter to upload a PHP payload to get a reverse shell from the vulnerable host.Show less
CVE-2022-28606 1Bosscms 1Bosscms Jun 17, 2026 May 5, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An arbitrary file upload vulnerability exists in Wenzhou Huoyin Information Technology Co., Ltd. BossCMS 1.0, which can be exploited by an attacker to gain control of the server.
CVE-2022-28120 1Rainier 1Open Virtual Simulation Experiment Teaching Management Platform Jun 17, 2026 May 5, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Beijing Runnier Network Technology Co., Ltd Open virtual simulation experiment teaching management platform software 2.0 has a file upload vulnerability, which can be exploited by an attacker to gain control of the serve...Show more Beijing Runnier Network Technology Co., Ltd Open virtual simulation experiment teaching management platform software 2.0 has a file upload vulnerability, which can be exploited by an attacker to gain control of the server.Show less
CVE-2022-1411 1Yetiforce 1Yetiforce Customer Relationship Management Jun 17, 2026 May 5, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Unrestructed file upload in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. Attacker can send malicious files to the victims is able to retrieve the stored data from the web application without that data...Show more Unrestructed file upload in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. Attacker can send malicious files to the victims is able to retrieve the stored data from the web application without that data being made safe to render in the browser and steals victim's cookie leads to account takeover.Show less
CVE-2022-29347 1Web@rchiv Project 1Web@rchiv Jun 17, 2026 May 4, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An arbitrary file upload vulnerability in Web@rchiv 1.0 allows attackers to execute arbitrary commands via a crafted PHP file.
CVE-2022-28568 1Simple Doctor's Appointment System Project 1Simple Doctor's Appointment System Jun 17, 2026 May 4, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Sourcecodester Doctor's Appointment System 1.0 is vulnerable to File Upload to RCE via Image upload from the administrator panel. An attacker can obtain remote command execution just by knowing the path where the images...Show more Sourcecodester Doctor's Appointment System 1.0 is vulnerable to File Upload to RCE via Image upload from the administrator panel. An attacker can obtain remote command execution just by knowing the path where the images are stored.Show less
CVE-2022-29001 1Springbootmovie Project 1Springbootmovie Jun 17, 2026 May 3, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 In SpringBootMovie <=1.2, the uploaded file suffix parameter is not filtered, resulting in arbitrary file upload vulnerability

Previous 1...144145146...206 Next