Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,107)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-27349 1Socialcodia 1Social Codia Sms Jun 17, 2026 Apr 8, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Social Codia SMS v1 was discovered to contain an arbitrary file upload vulnerability via addteacher.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-27346 1Ecommerce Website Project 1Ecommerce Website Jun 17, 2026 Apr 8, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Ecommece-Website v1.1.0 was discovered to contain an arbitrary file upload vulnerability via /admin/index.php?slides. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-27064 1Musical World Project 1Musical World Jun 17, 2026 Apr 8, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Musical World v1 was discovered to contain an arbitrary file upload vulnerability via uploaded_songs.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-27061 1Aerocms Project 1Aerocms Jun 17, 2026 Apr 8, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 AeroCMS v0.0.1 was discovered to contain an arbitrary file upload vulnerability via the Post Image function under the Admin panel. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2021-43430 1Bigantsoft 1Bigant Office Messenger 5 Jun 17, 2026 Apr 7, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An Access Control vulnerability exists in BigAntSoft BigAnt office messenger 5.6 via im_webserver, which could let a malicious user upload PHP Trojan files.
CVE-2021-43421 1Std42 1Elfinder Jun 17, 2026 Apr 7, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.
CVE-2022-26627 1Online Project Time Management System Project 1Online Project Time Management System Jun 17, 2026 Apr 7, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Online Project Time Management System v1.0 was discovered to contain an arbitrary file write vulnerability which allows attackers to execute arbitrary code via a crafted HTML file.
CVE-2022-26607 1Baigo 1Baigo Cms Jun 17, 2026 Apr 6, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 A remote code execution (RCE) vulnerability in baigo CMS v3.0-alpha-2 was discovered to allow attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2022-26605 1Dascomsoft 1Eziosuite Jun 17, 2026 Apr 6, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 eZiosuite v2.0.7 contains an authenticated arbitrary file upload via the Avatar upload functionality.
CVE-2022-26630 1Jellycms 1Jellycms Jun 17, 2026 Apr 5, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Jellycms v3.8.1 and below was discovered to contain an arbitrary file upload vulnerability via \app.\admin\Controllers\db.php.
CVE-2021-28428 1Horizontcms Project 1Horizontcms Jun 17, 2026 Apr 5, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 File upload vulnerability in HorizontCMS before 1.0.0-beta.3 via uploading a .htaccess and .hello files using the Media Files upload functionality. The original file upload vulnerability (CVE-2020-27387) was remediated...Show more File upload vulnerability in HorizontCMS before 1.0.0-beta.3 via uploading a .htaccess and .hello files using the Media Files upload functionality. The original file upload vulnerability (CVE-2020-27387) was remediated by restricting the PHP extensions; however, we confirmed that the filter was bypassed via uploading an arbitrary .htaccess and *.hello files in order to execute PHP code to gain RCE.Show less
CVE-2022-26619 1Halo 1Halo Jun 17, 2026 Apr 5, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Halo Blog CMS v1.4.17 was discovered to allow attackers to upload arbitrary files via the Attachment Upload function.
CVE-2020-28062 1Hisiphp 1Hisiphp Jun 17, 2026 Apr 4, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An Access Control vulnerability exists in HisiPHP 2.0.11 via special packets that are constructed in $files = Dir::getList($decompath. '/ Upload/Plugins /, which could let a remote malicious user execute arbitrary code.
CVE-2022-0537 1Mappresspro 1Mappress Jun 17, 2026 Apr 4, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the "ajax_save" function...Show more The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the "ajax_save" function. The file is written relative to the current 's stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further the name parameter is not sanitized, allowing the payload to be uploaded to any directory to which the server has write access.Show less
CVE-2022-0403 1Wpjos 1Library File Manager Jun 17, 2026 Apr 4, 2022 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 The Library File Manager WordPress plugin before 5.2.3 is using an outdated version of the elFinder library, which is know to be affected by security issues (CVE-2021-32682), and does not have any authorisation as well a...Show more The Library File Manager WordPress plugin before 5.2.3 is using an outdated version of the elFinder library, which is know to be affected by security issues (CVE-2021-32682), and does not have any authorisation as well as CSRF checks in its connector AJAX action, allowing any authenticated users, such as subscriber to call it. Furthermore, as the options passed to the elFinder library does not restrict any file type, users with a role as low as subscriber can Create/Upload/Delete Arbitrary files and folders.Show less
CVE-2022-28062 1Online Car Rental System Project 1Online Car Rental System Jun 17, 2026 Apr 4, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Car Rental System v1.0 contains an arbitrary file upload vulnerability via the Add Car component which allows attackers to upload a webshell and execute arbitrary code.
CVE-2022-27435 1Ecommerce Website Project 1Ecommerce Website Jun 17, 2026 Apr 4, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An unrestricted file upload at /public/admin/index.php?add_product of Ecommerce-Website v1.1.0 allows attackers to upload a webshell via the Product Image component.
CVE-2022-27249 1Idearespa 1Reftree Jun 17, 2026 Apr 3, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An unrestricted file upload vulnerability in IdeaRE RefTree before 2021.09.17 allows remote authenticated users to execute arbitrary code by using UploadDwg to upload a crafted aspx file to the web root, and then visitin...Show more An unrestricted file upload vulnerability in IdeaRE RefTree before 2021.09.17 allows remote authenticated users to execute arbitrary code by using UploadDwg to upload a crafted aspx file to the web root, and then visiting the URL for this aspx resource.Show less
CVE-2021-32961 1Auvesy Mdt 2Autosave Autosave For System Platform Jun 17, 2026 Apr 1, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A getfile function in MDT AutoSave versions prior to v6.02.06 enables a user to supply an optional parameter, resulting in the processing of a request in a special manner. This can result in the execution of an unzip com...Show more A getfile function in MDT AutoSave versions prior to v6.02.06 enables a user to supply an optional parameter, resulting in the processing of a request in a special manner. This can result in the execution of an unzip command and place a malicious .exe file in one of the locations the function looks for and get execution capabilities.Show less
CVE-2022-23155 1Dell 1Wyse Management Suite Jun 17, 2026 Apr 1, 2022 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Dell Wyse Management Suite versions 2.0 through 3.5.2 contain an unrestricted file upload vulnerability. A malicious user with admin privileges can exploit this vulnerability in order to execute arbitrary code on the sys...Show more Dell Wyse Management Suite versions 2.0 through 3.5.2 contain an unrestricted file upload vulnerability. A malicious user with admin privileges can exploit this vulnerability in order to execute arbitrary code on the system.Show less

Previous 1...147148149...206 Next