CWE-434

4,107 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,107)

Each entry lists: Vendor | Product | Updated | Published | CVSS v4 / v3 / v2, followed by the CVE description. (CVE identifiers were not captured in this listing.)

Vendor: Properfraction | Product: Profilepress | Updated: Jun 17, 2026 | Published: Jul 7, 2021 | CVSS v4: N/A | v3: 9.8 CRITICAL | v2: 7.5 HIGH
A vulnerability in the image uploader component found in the ~/src/Classes/ImageUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3.

Vendor: Phplist | Product: Phplist | Updated: Jun 17, 2026 | Published: Jul 6, 2021 | CVSS v4: N/A | v3: 9.8 CRITICAL | v2: 7.5 HIGH
Remote Code Execution vulnerability in phplist 3.5.1. The application does not check any file extensions stored in the plugin zip file. Uploading a malicious plugin which contains php files with extensions like PHP, phtml, php7 results in them being copied to the plugins directory, which would lead to remote code execution.

Vendor: Machform | Product: Machform | Updated: Jun 17, 2026 | Published: Jun 29, 2021 | CVSS v4: N/A | v3: 8.1 HIGH | v2: 6.8 MEDIUM
Machform prior to version 16 is vulnerable to unauthenticated remote code execution due to insufficient sanitization of file attachments uploaded with forms through upload.php.

Vendor: Eclipse | Product: Business Intelligence And Reporting Tools | Updated: Jun 17, 2026 | Published: Jun 25, 2021 | CVSS v4: N/A | v3: 9.8 CRITICAL | v2: 7.5 HIGH
In Eclipse BIRT versions 4.8.0 and earlier, an attacker can use query parameters to create a JSP file which is accessible from remote (current BIRT viewer dir) to inject JSP code into the running instance.

Vendor: Pandorafms | Product: Pandora Fms | Updated: Jun 17, 2026 | Published: Jun 25, 2021 | CVSS v4: N/A | v3: 9.8 CRITICAL | v2: 7.5 HIGH
PandoraFMS <=7.54 allows arbitrary file upload, leading to remote command execution via the File Manager. To bypass the built-in protection, a relative path is used in the requests.

Vendor: Ibos | Product: Ibos | Updated: Jun 17, 2026 | Published: Jun 24, 2021 | CVSS v4: N/A | v3: 9.8 CRITICAL | v2: 7.5 HIGH
In IBOS 4.5.4 Open, Arbitrary File Inclusion causes getshell via /system/modules/dashboard/controllers/CronController.php.

Vendor: Crmeb | Product: Crmeb | Updated: Jun 17, 2026 | Published: Jun 24, 2021 | CVSS v4: N/A | v3: 9.8 CRITICAL | v2: 10.0 HIGH
CRMEB 3.1.0+ is vulnerable to File Upload Getshell via /crmeb/crmeb/services/UploadService.php.

Vendor: Get Simple | Product: Getsimplecms | Updated: Jun 17, 2026 | Published: Jun 23, 2021 | CVSS v4: N/A | v3: 7.2 HIGH | v2: 6.5 MEDIUM
Remote Code Execution vulnerability in GetSimpleCMS before 3.3.16 in admin/upload.php via phar files.

Vendor: Joomla | Product: Joomla | Updated: Nov 21, 2024 | Published: Jun 21, 2021 | CVSS v4: N/A | v3: 9.8 CRITICAL | v2: 7.5 HIGH
Joomla! Core is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to properly verify user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vulnerable.

Vendor: Autoptimize | Product: Autoptimize | Updated: Jun 17, 2026 | Published: Jun 21, 2021 | CVSS v4: N/A | v3: 9.8 CRITICAL | v2: 7.5 HIGH
The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) from the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contains a directory with a PHP file in it, and then it is not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the "Import Settings" functionality to achieve Remote Code Execution.

Vendor: Radykal | Product: Fancy Product Designer | Updated: Jun 17, 2026 | Published: Jun 21, 2021 | CVSS v4: N/A | v3: 9.8 CRITICAL | v2: 7.5 HIGH
The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution.

Vendor: Textpattern | Product: Textpattern | Updated: Jun 17, 2026 | Published: Jun 21, 2021 | CVSS v4: N/A | v3: 9.8 CRITICAL | v2: 7.5 HIGH
Textpattern 4.7.3 contains an arbitrary file load via the file_insert function in include/txp_file.php.

Vendor: Civicrm | Product: Civicrm | Updated: Jun 17, 2026 | Published: Jun 17, 2021 | CVSS v4: N/A | v3: 8.8 HIGH | v2: 6.5 MEDIUM
In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive.

Vendor: Themify | Product: Framework | Updated: Nov 21, 2024 | Published: Jun 17, 2021 | CVSS v4: N/A | v3: 9.8 CRITICAL | v2: 7.5 HIGH
Elemin allows remote attackers to upload and execute arbitrary PHP code via the Themify framework (before 1.2.2) wp-content/themes/elemin/themify/themify-ajax.php file.

Vendor: Fogproject | Product: Fogproject | Updated: Jun 17, 2026 | Published: Jun 16, 2021 | CVSS v4: N/A | v3: 8.8 HIGH | v2: 6.5 MEDIUM
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).

Vendors: Fedoraproject, Phpmailer Project | Products: Fedora, Phpmailer | Updated: Jun 17, 2026 | Published: Jun 16, 2021 | CVSS v4: N/A | v3: 8.1 HIGH | v2: 5.1 MEDIUM
PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname.

Vendor: Bloofox | Product: Bloofoxcms | Updated: Jun 17, 2026 | Published: Jun 16, 2021 | CVSS v4: N/A | v3: 9.8 CRITICAL | v2: 7.5 HIGH
bloofoxCMS 0.5.2.1 is infected with Unrestricted File Upload that allows attackers to upload malicious files (ex: php files).

Vendor: Zoll | Product: Defibrillator Dashboard | Updated: Jun 17, 2026 | Published: Jun 16, 2021 | CVSS v4: N/A | v3: 8.8 HIGH | v2: 6.5 MEDIUM
ZOLL Defibrillator Dashboard, versions prior to 2.2. The web application allows a non-administrative user to upload a malicious file. This file could allow an attacker to remotely execute arbitrary commands.

Vendor: Laiketui | Product: Laiketui | Updated: Jun 17, 2026 | Published: Jun 15, 2021 | CVSS v4: N/A | v3: 8.8 HIGH | v2: 6.5 MEDIUM
LaikeTui 3.5.0 allows remote authenticated users to execute arbitrary PHP code by using index.php?module=system&action=pay to upload a ZIP archive containing a .php file, as demonstrated by the ../../../../phpinfo.php pathname.

Vendor: Dext5 | Product: Dext5 Editor | Updated: Jun 17, 2026 | Published: Jun 15, 2021 | CVSS v4: N/A | v3: 9.8 CRITICAL | v2: 7.5 HIGH
Parameter manipulation can bypass authentication to cause file upload and execution. This will execute the remote code. This issue affects: Raonwiz DEXT5Editor versions prior to 3.5.1405747.1100.03.