CWE-434

4,107 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
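
The definition above is all this page says about the weakness, so here is an added example, not code from any of the listed projects, of the checks a server-side upload validator needs in order to defeat the bypasses the CVE entries below describe: the ".mp3;.jsp" filename trick, double extensions such as "shell.php.jpg", an allowlist that an administrator can extend to ".php", SVG uploads used for XSS, and PHP code hidden inside a structurally valid PNG. The function and constant names (validate_upload, canonical_extension, ALLOWED, DENY_ALWAYS), the allowlist contents, and the sample files are all assumptions made for this example.

```python
"""
Added example for CWE-434 (not from any project listed on this page): a server-side
upload validator exercised against constructed files that reproduce the bypass
patterns named in the CVE descriptions above.
"""
import os
import re
import secrets
from dataclasses import dataclass

# Allowlist of accepted extensions and the magic bytes a file of that type must start with.
# Assumption for the example: this application only needs raster images and MP3 audio.
ALLOWED = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
}

# Script-bearing or server-interpreted extensions. Kept in code, not in an admin-editable
# setting, so that no configuration change can make ".php" a "valid image type".
DENY_ALWAYS = {
    "php", "php3", "php4", "php5", "phtml", "phar", "jsp", "jspx", "asp", "aspx",
    "cgi", "pl", "py", "sh", "svg", "htaccess", "html", "htm",
}

# A PNG whose trailing bytes carry "<?php ... ?>" still has a valid PNG header, so the
# magic-byte check alone does not catch it; scan the whole body for active content.
ACTIVE_CONTENT = re.compile(rb"<\?php|<\?=|<%|<script", re.IGNORECASE)

MAX_BYTES = 5 * 1024 * 1024


@dataclass
class Verdict:
    ok: bool
    reason: str
    stored_name: str = ""


def canonical_extension(filename: str) -> str:
    """Return the single extension the server would treat the file as, or "" to reject.

    The client name is reduced to its last path component. Anything that a downstream
    component might read as a second name (';', NUL, whitespace, a trailing dot) or a
    dangerous intermediate extension ("x.php.jpg") rejects the file outright rather than
    being "fixed up", because the fix-up is exactly what attackers probe.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base != base.strip() or base.endswith(".") or base.startswith("."):
        return ""
    if any(ch in base for ch in ";\x00\n\r\t"):
        return ""  # e.g. "song.mp3;.jsp" or "shell.php\x00.jpg"
    parts = base.lower().split(".")
    if len(parts) < 2:
        return ""
    if any(p in DENY_ALWAYS for p in parts[1:-1]):
        return ""  # "shell.php.jpg" on servers that honour multiple extensions
    return parts[-1]


def validate_upload(filename: str, data: bytes) -> Verdict:
    """Validate a client-supplied name and body; on success return a server-chosen name."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        return Verdict(False, "size")
    ext = canonical_extension(filename)
    if not ext:
        return Verdict(False, "bad filename")
    if ext in DENY_ALWAYS or ext not in ALLOWED:
        return Verdict(False, f"extension .{ext} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return Verdict(False, "content does not match extension")
    if ACTIVE_CONTENT.search(data):
        return Verdict(False, "embedded active content")
    # Never reuse the client name. The random name carries only the verified extension and
    # is meant for a directory outside the web root with no script handler mapped to it.
    return Verdict(True, "ok", f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    # Constructed samples, one per bypass pattern seen in the CVE list.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    samples = [
        ("avatar.png", png),
        ("song.mp3;.jsp", b"ID3" + b"\x00" * 64),
        ("shell.php.jpg", b"\xff\xd8\xff" + b"\x00" * 64),
        ("logo.svg", b"<svg onload=alert(1)></svg>"),
        ("avatar.png", png + b"<?php system($_GET['c']); ?>"),
    ]
    for name, body in samples:
        print(f"{name!r:22} -> {validate_upload(name, body)}")
```

Run the file directly to see a verdict for each constructed sample. Two caveats the code cannot remove: a byte-pattern scan is no substitute for storing uploads outside the web root with no script handler mapped to that directory, and the deny list has to live in code, because a list an administrator can edit is the failure the Abantecart entry below describes.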


CVEs (4,107)

Each entry lists vendor / product, the updated and published dates, the CVSS v4, v3 and v2 scores, and the CVE description.
Wptaskforce / Wpcargo Track & Trace · updated Jun 17, 2026 · published Mar 14, 2022 · CVSS v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE.

Smartertools / Smartertrack · updated Jun 17, 2026 · published Mar 14, 2022 · CVSS v4 N/A, v3 7.2 HIGH, v2 6.5 MEDIUM
With administrator or admin privileges the application can be tricked into overwriting files in the app_data/Config folder, e.g. the systemsettings.xml file. This is possible in SmarterTrack v100.0.8019.14010.

Microweber / Microweber · updated Jun 17, 2026 · published Mar 12, 2022 · CVSS v4 N/A, v3 4.8 MEDIUM, v2 3.5 LOW
File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12.

Microweber / Microweber · updated Jun 17, 2026 · published Mar 11, 2022 · CVSS v4 N/A, v3 6.7 MEDIUM, v2 6.5 MEDIUM
Abusing the Backup/Restore feature to achieve Remote Code Execution in GitHub repository microweber/microweber prior to 1.2.12.

Microweber / Microweber · updated Jun 17, 2026 · published Mar 11, 2022 · CVSS v4 N/A, v3 4.8 MEDIUM, v2 3.5 LOW
Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.2.11.

Croogo / Croogo · updated Jun 17, 2026 · published Mar 10, 2022 · CVSS v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
A Remote Code Execution (RCE) vulnerability exists in Croogo 3.0.2 via admin/file-manager/attachments, which lets a malicious user upload a web shell script.

Abantecart / Abantecart · updated Jun 17, 2026 · published Mar 10, 2022 · CVSS v4 N/A, v3 7.2 HIGH, v2 6.5 MEDIUM
Abantecart through 1.3.2 allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Catalog>Media Manager>Images settings can be changed by an administrator (e.g., by configuring .php to be a valid image file type).

Sentcms / Sentcms · updated Jun 17, 2026 · published Mar 10, 2022 · CVSS v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in PHP code execution in /admin/upload/upload.

Sentcms / Sentcms · updated Jun 17, 2026 · published Mar 10, 2022 · CVSS v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in PHP code execution through /user/upload/upload.

Quicklert / Quicklert · updated Jun 17, 2026 · published Mar 10, 2022 · CVSS v4 N/A, v3 8.8 HIGH, v2 9.0 HIGH
An arbitrary file upload vulnerability exists in albumimages.jsp in Quicklert for Digium 10.0.0 (1043) via a .mp3;.jsp filename for a file that begins with audio data bytes. It allows an authenticated (low privileged) attacker to execute remote code on the target server within the context of the application's permissions (SYSTEM).

Catchplugins / Catch Themes Demo Import · updated Jun 17, 2026 · published Mar 7, 2022 · CVSS v4 N/A, v3 7.2 HIGH, v2 6.5 MEDIUM
The Catch Themes Demo Import WordPress plugin before 2.1.1 does not validate one of the files to be imported, which could allow a high-privilege admin to upload an arbitrary PHP file and gain RCE even on a hardened blog (i.e. with the DISALLOW_UNFILTERED_HTML, DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants set to true).

Iptanus / Wordpress File Upload, Wordpress File Upload Pro · updated Jun 17, 2026 · published Mar 7, 2022 · CVSS v4 N/A, v3 5.4 MEDIUM, v2 3.5 LOW
The WordPress File Upload WordPress plugin before 4.16.3 and the wordpress-file-upload-pro WordPress plugin before 4.16.3 allow users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could then be used for Cross-Site Scripting attacks.

Servmask / One Stop Wp Migration · updated Jun 17, 2026 · published Mar 7, 2022 · CVSS v4 N/A, v3 7.2 HIGH, v2 6.5 MEDIUM
The All-in-One WP Migration WordPress plugin before 7.41 does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations.

Home Owners Collection Management System Project / Home Owners Collection Management System · updated Jun 17, 2026 · published Mar 2, 2022 · CVSS v4 N/A, v3 7.8 HIGH, v2 6.8 MEDIUM
A remote code execution (RCE) vulnerability in the Avatar parameter under /admin/?page=user/manage_user of Home Owners Collection Management System v1.0 allows attackers to execute arbitrary code via a crafted PNG file.

Home Owners Collection Management System Project / Home Owners Collection Management System · updated Jun 17, 2026 · published Mar 2, 2022 · CVSS v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
Home Owners Collection Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /student_attendance/index.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Extensis / Portfolio · updated Jun 17, 2026 · published Mar 1, 2022 · CVSS v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
An unrestricted file upload vulnerability in the Backup/Restore Archive component of Extensis Portfolio v4.0 allows remote attackers to execute arbitrary code via a crafted ZIP file.

Extensis / Portfolio · updated Jun 17, 2026 · published Mar 1, 2022 · CVSS v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
Extensis Portfolio v4.0 was discovered to contain an authenticated unrestricted file upload vulnerability via the component AdminFileTransferServlet.

Extensis / Portfolio · updated Jun 17, 2026 · published Mar 1, 2022 · CVSS v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
An unrestricted file upload vulnerability in the FileTransferServlet component of Extensis Portfolio v4.0 allows remote attackers to execute arbitrary code via a crafted file.

Extensis / Portfolio · updated Jun 17, 2026 · published Mar 1, 2022 · CVSS v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
Extensis Portfolio v4.0 was discovered to contain an authenticated unrestricted file upload vulnerability via the Catalog Asset Upload function.

Max 3000 / Maxsite Cms · updated Jun 17, 2026 · published Feb 28, 2022 · CVSS v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
A Remote Code Execution (RCE) vulnerability at /admin/options in Maxsite CMS v180 allows attackers to execute arbitrary code via a crafted PHP file.