CWE-434

4,107 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,107)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Articlecms Project
1Articlecms
Jun 17, 2026
May 13, 2021
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
A file upload issue exists in all versions of ArticleCMS which allows malicious users to getshell.
1Articlecms Project
1Articlecms
Jun 17, 2026
May 13, 2021
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
File Upload vulnerability exists in ArticleCMS 1.0 via the image upload feature at /admin by changing the Content-Type to image/jpeg and placing PHP code after the JPEG data, which could let a remote malicious user execute arbitrary PHP code.
1Uxper
1Golo
Jun 17, 2026
May 12, 2021
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
An Arbitrary File Upload vulnerability was discovered in the Golo Laravel theme v 1.1.5.
1Zebra
1Fx9500 Firmware
Jun 17, 2026
May 11, 2021
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
An issue was discovered on Zebra (formerly Motorola Solutions) Fixed RFID Reader FX9500 devices. An unauthenticated attacker can upload arbitrary files to the filesystem that can then be accessed through the web interface. This can lead to information disclosure and code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
1Microsoft
1Exchange Server
Jun 17, 2026
May 11, 2021
N/A· v4
6.6 MEDIUM· v3
6.5 MEDIUM· v2
Microsoft Exchange Server Security Feature Bypass Vulnerability
1Sap
1Netweaver Process Integration
Jun 17, 2026
May 11, 2021
N/A· v4
4.9 MEDIUM· v3
4.0 MEDIUM· v2
The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not check the file type extension of the file uploaded from local source. An attacker could craft a malicious file and upload it to the application, which could lead to denial of service and impact the availability of the application.
1Invoiceplane
1Invoiceplane
Jun 17, 2026
May 10, 2021
N/A· v4
5.3 MEDIUM· v3
5.0 MEDIUM· v2
In InvoicePlane 1.5.11, the upload feature discloses the full path of the file upload directory.
1Nsa
1Emissary
Jun 17, 2026
May 7, 2021
N/A· v4
8.8 HIGH· v3
6.5 MEDIUM· v2
U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to upload arbitrary files.
1Emlog
1Emlog
Jun 17, 2026
May 6, 2021
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
emlog v5.3.1 and emlog v6.0.0 have a Remote Code Execution vulnerability due to upload of database backup file in admin/data.php.
1College Publisher Import Project
1College Publisher Import
Jun 17, 2026
May 6, 2021
N/A· v4
7.2 HIGH· v3
6.5 MEDIUM· v2
The College publisher Import WordPress plugin through 0.1 does not check for the uploaded CSV file to import, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE. Due to the lack of CSRF check, the issue could also be exploited via a CSRF attack.
1Classyfrieds Project
1Classyfrieds
Jun 17, 2026
May 6, 2021
N/A· v4
8.8 HIGH· v3
6.5 MEDIUM· v2
The Classyfrieds WordPress plugin through 3.8 does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. This allows any authenticated user to upload arbitrary PHP files via the Add Listing feature of the plugin, leading to RCE.
1Wp Eventmanager
1Event Banner
Jun 17, 2026
May 6, 2021
N/A· v4
7.2 HIGH· v3
6.5 MEDIUM· v2
The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation checks are missing (but would require WP to be loaded)
1Strategy11
1Business Directory Plugin Easy Listing Directories
Jun 17, 2026
May 6, 2021
N/A· v4
7.2 HIGH· v3
6.5 MEDIUM· v2
The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 did not properly check for imported files, forbidding certain extension via a blacklist approach, allowing administrator to import an archive with a .php4 inside for example, leading to RCE
1Imagements Project
1Imagements
Jun 17, 2026
May 6, 2021
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
The Imagements WordPress plugin through 1.2.5 allows images to be uploaded in comments, however only checks for the Content-Type in the request to forbid dangerous files. This allows unauthenticated attackers to upload arbitrary files by using a valid image Content-Type along with a PHP filename and code, leading to RCE.
1Projectworlds
1Online Book Store Project In Php
Jun 17, 2026
May 6, 2021
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
Arbitrary File Upload vulnerability in Online Book Store v1.0 in admin_add.php, which may lead to remote code execution.
1Guojusoft
1Jeecg
Jun 17, 2026
May 3, 2021
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
Unrestricted File Upload in JEECG v4.0 and earlier allows remote attackers to execute arbitrary code or gain privileges by uploading a crafted file to the component "jeecgFormDemoController.do?commonUpload".
1Uniview
1Isc2500 S Firmware
Jun 17, 2026
Apr 29, 2021
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
An issue was discovered in uniview ISC2500-S. This is an upload vulnerability where an attacker can upload malicious code via /Interface/DevManage/EC.php?cmd=upload
1Aivahthemes
1Business Hours Pro
Jun 17, 2026
Apr 22, 2021
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
The Business Hours Pro WordPress plugin through 5.5.0 allows a remote attacker to upload arbitrary files using its manual update functionality, leading to an unauthenticated remote code execution vulnerability.
1Textpattern
1Textpattern
Jun 17, 2026
Apr 15, 2021
N/A· v4
6.5 MEDIUM· v3
4.0 MEDIUM· v2
Textpattern V4.8.4 contains an arbitrary file upload vulnerability where a plug-in can be loaded in the background without any security verification, which may lead to obtaining system permissions.
1Orchardproject
1Orchard
Jun 17, 2026
Apr 14, 2021
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
An issue was discovered in Orchard before 1.10. A broken access control issue in Orchard components that use the TinyMCE HTML editor's file upload allows an attacker to upload dangerous executables that bypass the file types allowed (regardless of the file types allowed list in Media settings).