Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,107)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-34257 1Wpanel Cms Project 1Wpanel Cms Jun 17, 2026 Mar 31, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Multiple Remote Code Execution (RCE) vulnerabilities exist in WPanel 4 4.3.1 and below via a malicious PHP file upload to (1) Dashboard's Avatar image, (2) Posts Folder image, (3) Pages Folder image and (4) Gallery Folde...Show more Multiple Remote Code Execution (RCE) vulnerabilities exist in WPanel 4 4.3.1 and below via a malicious PHP file upload to (1) Dashboard's Avatar image, (2) Posts Folder image, (3) Pages Folder image and (4) Gallery Folder image.Show less
CVE-2022-24136 1Hospital Management System Project 1Hospital Management System Jun 17, 2026 Mar 31, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Hospital Management System v1.0 is affected by an unrestricted upload of dangerous file type vulerability in treatmentrecord.php. To exploit, an attacker can upload any PHP file, and then execute it.
CVE-2022-26645 1Oretnom23 1Banking System Jun 17, 2026 Mar 30, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A remote code execution (RCE) vulnerability in Online Banking System Protect v1.0 allows attackers to execute arbitrary code via a crafted PHP file uploaded through the Upload Image function.
CVE-2022-28223 1Tekon 8Kio 1m Firmware Kio 2m FirmwareKio 2md Firmware+5 more Jun 17, 2026 Mar 30, 2022 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Tekon KIO devices through 2022-03-30 allow an authenticated admin user to escalate privileges to root by uploading a malicious Lua plugin.
CVE-2021-45865 1Student Attendance Management System Project 1Student Attendance Management System Jun 17, 2026 Mar 29, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A File Upload vulnerability exists in Sourcecodester Student Attendance Manageent System 1.0 via the file upload functionality.
CVE-2021-43103 1Diyhi 1Bbs Jun 17, 2026 Mar 28, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 A File Upload vulnerability exists in bbs 5.3 is via ForumManageAction.java in a GetType function, which lets a remote malicious user execute arbitrary code.
CVE-2021-43102 1Diyhi 1Bbs Jun 17, 2026 Mar 28, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 A File Upload vulnerability exists in bbs 5.3 is via HelpManageAction.java in a GetType function, which lets a remote malicious user execute arbitrary code.
CVE-2021-43101 1Diyhi 1Bbs Jun 17, 2026 Mar 28, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 A File Upload vulnerability exists in bbs 5.3 is via MembershipCardManageAction.java in a GetType function, which lets a remote malicious user execute arbitrary code.
CVE-2021-43100 1Diyhi 1Bbs Jun 17, 2026 Mar 28, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 A File Upload vulnerability exists in bbs 5.3 is via TopicManageAction.java in a GetType function, which lets a remote malicious user execute arbitrary code.
CVE-2021-43098 1Diyhi 1Bbs Jun 17, 2026 Mar 28, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 A File Upload vulnerability exists in bbs v5.3 via QuestionManageAction.java in a getType function.
CVE-2022-0499 1Sermon Browser Project 1Sermon Browser Jun 17, 2026 Mar 28, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The Sermon Browser WordPress plugin through 0.45.22 does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary fil...Show more The Sermon Browser WordPress plugin through 0.45.22 does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary files such as PHP ones.Show less
CVE-2021-40905 2Checkmk Tribe29 2Checkmk Checkmk Jun 17, 2026 Mar 25, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uploading of ".mkp" files, which are Extension Packages, making remote code execution possible. Successf...Show more The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uploading of ".mkp" files, which are Extension Packages, making remote code execution possible. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session of a user with administrator role. NOTE: the vendor states that this is the intended behavior: admins are supposed to be able to execute code in this mannerShow less
CVE-2022-23880 1Taogogo 1Taocms Jun 17, 2026 Mar 23, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An arbitrary file upload vulnerability in the File Management function module of taoCMS v3.0.2 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-22952 1Vmware 1Carbon Black App Control Jun 17, 2026 Mar 23, 2022 N/A· v4 9.1 CRITICAL· v3 9.0 HIGH· v2 VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to 8.6.6, 8.7.x prior to 8.7.4 and 8.8.x prior to 8.8.2) contains a file upload vulnerability. A malicious actor with administrative access to the VMwar...Show more VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to 8.6.6, 8.7.x prior to 8.7.4 and 8.8.x prior to 8.8.2) contains a file upload vulnerability. A malicious actor with administrative access to the VMware App Control administration interface may be able to execute code on the Windows instance where AppC Server is installed by uploading a specially crafted file.Show less
CVE-2022-0888 1Ninjaforms 1Ninja Forms File Uploads Jun 17, 2026 Mar 23, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php file which can be bypa...Show more The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution, in versions up to and including 3.3.0Show less
CVE-2021-27428 1Ge 19Multilin B30 Firmware Multilin B90 FirmwareMultilin C30 Firmware+16 more Jun 17, 2026 Mar 23, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 GE UR IED firmware versions prior to version 8.1x supports upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before up...Show more GE UR IED firmware versions prior to version 8.1x supports upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before uploading the UR IED. An illegitimate user could upgrade firmware without appropriate privileges. The weakness is assessed, and mitigation is implemented in firmware Version 8.10.Show less
CVE-2022-1033 1Craterapp 1Crater Jun 17, 2026 Mar 23, 2022 N/A· v4 7.8 HIGH· v3 6.5 MEDIUM· v2 Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0.6.
CVE-2022-1034 1Showdoc 1Showdoc Jun 17, 2026 Mar 22, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 There is a Unrestricted Upload of File vulnerability in ShowDoc v2.10.3 in GitHub repository star7th/showdoc prior to 2.10.4.
CVE-2022-23346 1Bigantsoft 1Bigant Server Jun 17, 2026 Mar 21, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 BigAnt Software BigAnt Server v5.6.06 was discovered to contain incorrect access control issues.
CVE-2022-0687 1Tms Outsource 1Amelia Jun 17, 2026 Mar 21, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The Amelia WordPress plugin before 1.0.47 stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. This vulnerability can be exploited...Show more The Amelia WordPress plugin before 1.0.47 stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. This vulnerability can be exploited by logged-in users with the custom "Amelia Manager" role.Show less

Previous 1...148149150...206 Next