Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,107)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-20743 1Cisco 1Secure Firewall Management Center Jun 17, 2026 May 3, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 A vulnerability in the web management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to bypass security protections and upload malicious files to the affected...Show more A vulnerability in the web management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to bypass security protections and upload malicious files to the affected system. This vulnerability is due to improper validation of files uploaded to the web management interface of Cisco FMC Software. An attacker could exploit this vulnerability by uploading a maliciously crafted file to a device running affected software. A successful exploit could allow the attacker to store malicious files on the device, which they could access later to conduct additional attacks, including executing arbitrary code on the affected device with root privileges.Show less
CVE-2022-1273 1Importwp 1Import Wp Jun 17, 2026 May 2, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 The Import WP WordPress plugin before 2.4.6 does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files (such as PHP), leading to RCE
CVE-2022-29451 1Rarathemes 1Rara One Click Demo Import Jun 17, 2026 Apr 29, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-Site Request Forgery (CSRF) leading to Arbitrary File Upload vulnerability in Rara One Click Demo Import plugin <= 1.2.9 on WordPress allows attackers to trick logged-in admin users into uploading dangerous files i...Show more Cross-Site Request Forgery (CSRF) leading to Arbitrary File Upload vulnerability in Rara One Click Demo Import plugin <= 1.2.9 on WordPress allows attackers to trick logged-in admin users into uploading dangerous files into /wp-content/uploads/ directory.Show less
CVE-2021-43934 1Smartptt 1Smartptt Scada Jun 17, 2026 Apr 28, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Elcomplus SmartPTT is vulnerable as the backup and restore system does not adequately validate upload requests, enabling a malicious user to potentially upload arbitrary files.
CVE-2021-41921 1Xxyopen 1Novel Plus Jun 17, 2026 Apr 28, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 novel-plus V3.6.1 allows unrestricted file uploads. Unrestricted file suffixes and contents can lead to server attacks and arbitrary code execution.
CVE-2022-28528 1Bloofox 1Bloofoxcms Jun 17, 2026 Apr 26, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 bloofoxCMS v0.5.2.1 was discovered to contain an arbitrary file upload vulnerability via /admin/index.php?mode=content&page=media&action=edit.
CVE-2022-28525 1Ed01 Cms Project 1Ed01 Cms Jun 17, 2026 Apr 26, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 ED01-CMS v20180505 was discovered to contain an arbitrary file upload vulnerability via /admin/users.php?source=edit_user&id=1.
CVE-2021-26628 1Maxb 1Maxboard Jun 17, 2026 Apr 26, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient script validation of the admin page enables XSS, which causes unauthorized users to steal admin privileges. When uploading file in a specific menu, the verification of the files is insufficient. It allows re...Show more Insufficient script validation of the admin page enables XSS, which causes unauthorized users to steal admin privileges. When uploading file in a specific menu, the verification of the files is insufficient. It allows remote attackers to upload arbitrary files disguising them as image files.Show less
CVE-2022-27468 1Monstaftp 1Monsta Ftp Jun 17, 2026 Apr 26, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Monstaftp v2.10.3 was discovered to contain an arbitrary file upload which allows attackers to execute arbitrary code via a crafted file uploaded to the web server.
CVE-2022-22392 1Ibm 1Planning Analytics Workspace Jun 17, 2026 Apr 25, 2022 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 IBM Planning Analytics Local 2.0 could allow an attacker to upload arbitrary executable files which, when executed by an unsuspecting victim could result in code execution. IBM X-Force ID: 222066.
CVE-2021-4225 1Smartypantsplugins 1Sp Project & Document Manager Jun 17, 2026 Apr 25, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on th...Show more The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that on Windows servers, the security checks in place were insufficient, enabling bad actors to potentially upload backdoors on vulnerable sites.Show less
CVE-2021-39040 1Ibm 1Planning Analytics Workspace Jun 17, 2026 Apr 25, 2022 N/A· v4 8.0 HIGH· v3 6.0 MEDIUM· v2 IBM Planning Analytics Workspace 2.0 could be vulnerable to malicious file upload by not validating the file types or sizes. Attackers can make use of this weakness and upload malicious executable files into the system a...Show more IBM Planning Analytics Workspace 2.0 could be vulnerable to malicious file upload by not validating the file types or sizes. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 214025.Show less
CVE-2022-28053 1Typemill 1Typemill Jun 17, 2026 Apr 25, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Typemill v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-28440 1Ucms Project 1Ucms Jun 17, 2026 Apr 21, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An arbitrary file upload vulnerability in UCMS v1.6 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-28021 1Purchase Order Management System Project 1Purchase Order Management System Jun 17, 2026 Apr 21, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Purchase Order Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via /purchase_order/admin/?page=user.
CVE-2022-27478 1Victor Cms Project 1Victor Cms Jun 17, 2026 Apr 21, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Victor v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component admin/profile.php?section=admin.
CVE-2022-27862 1Vikwp 1Vikbooking Hotel Booking Engine & Property Management System Plugin Jun 17, 2026 Apr 19, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Arbitrary File Upload leading to RCE in E4J s.r.l. VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 on WordPress allows attackers to upload and execute dangerous file types (e.g. PHP shell) via the signature upload...Show more Arbitrary File Upload leading to RCE in E4J s.r.l. VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 on WordPress allows attackers to upload and execute dangerous file types (e.g. PHP shell) via the signature upload on the booking form.Show less
CVE-2022-1329 1Elementor 1Website Builder Jun 17, 2026 Apr 19, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possi...Show more The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.Show less
CVE-2021-4096 1Radykal 1Fancy Product Designer Jun 17, 2026 Apr 19, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshel...Show more The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server in versions up to, and including, 4.7.5.Show less
CVE-2022-1345 1Organizr 1Organizr Jun 17, 2026 Apr 13, 2022 N/A· v4 9.0 CRITICAL· v3 3.5 LOW· v2 Stored XSS viva .svg file upload in GitHub repository causefx/organizr prior to 2.1.1810. This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data expo...Show more Stored XSS viva .svg file upload in GitHub repository causefx/organizr prior to 2.1.1810. This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.Show less

Previous 1...145146147...206 Next