CWE-434
4,107 CVEs • Abstraction: Base • Likelihood of Exploit: Medium
Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CVEs (4,107)
CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS |
|---|
An issue was discovered in Manolo GWTUpload 1.0.3. server/UploadServlet.java (the servlet for handling file upload) accepts a delay parameter that causes a thread to sleep. It can be abused to cause all of a server's thr... |
Vendors (1): Elementor; Products (1): Elementor Page Builder; Updated: Jun 17, 2026; Published: May 17, 2020; CVSS: N/A (v4), 9.9 CRITICAL (v3), 6.5 MEDIUM (v2). An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executabl... |
Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Ty... |
The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in... |
Vendors (1): F5; Products (11): Big Ip Access Policy Manager, Big Ip Advanced Firewall Manager, Big Ip Analytics, +8 more; Updated: Jun 17, 2026; Published: Apr 30, 2020; CVSS: N/A (v4), 7.1 HIGH (v3), 5.5 MEDIUM (v2). On BIG-IP 15.0.0-15.0.1.3 and 14.1.0-14.1.2.3, the restjavad process may expose a way for attackers to upload arbitrary files on the BIG-IP system, bypassing the authorization system. Resulting error messages may also re... |
An issue was discovered in Open-AudIT 3.2.2. There is Arbitrary file upload. |
An issue was discovered in Gigamon GigaVUE 5.5.01.11. The upload functionality allows an arbitrary file upload for an authenticated user. If an executable file is uploaded into the www-root directory, then it could yield... |
In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the server just by changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs... |
The mappress-google-maps-for-wordpress plugin before 2.53.9 for WordPress does not correctly implement AJAX functions with nonces (or capability checks), leading to remote code execution. |
Vendors (1): Elementor; Products (1): Elementor Page Builder; Updated: Jun 17, 2026; Published: Apr 22, 2020; CVSS: N/A (v4), 9.9 CRITICAL (v3), 9.0 HIGH (v2). An issue was discovered in Elementor 2.7.4. Arbitrary file upload is possible in the Elementor Import Templates function, allowing an attacker to execute code via a crafted ZIP archive. |
In Phproject before version 1.7.8, there's a vulnerability which allows users with access to file uploads to execute arbitrary code. This is patched in version 1.7.8. |
SysAid On-Premise 20.1.11, by default, allows the AJP protocol port, which is vulnerable to a GhostCat attack. Additionally, it allows unauthenticated access to upload files, which can be used to execute commands on the... |
In Rukovoditel 2.5.2, attackers can upload an arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs with... |
In qdPM 9.1, an attacker can upload a malicious .php file to the server by exploiting the Add Profile Photo capability with a crafted content-type value. After that, the attacker can execute an arbitrary command on the s... |
In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection v... |
Vendors (1): Microsoft; Products (2): Sharepoint Enterprise Server, Sharepoint Server; Updated: Jun 17, 2026; Published: Apr 15, 2020; CVSS: N/A (v4), 8.8 HIGH (v3), 6.5 MEDIUM (v2). A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE... |
Vendors (1): Microsoft; Products (3): Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server; Updated: Jun 17, 2026; Published: Apr 15, 2020; CVSS: N/A (v4), 8.8 HIGH (v3), 6.5 MEDIUM (v2). A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE... |
Vendors (1): Microsoft; Products (3): Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server; Updated: Jun 17, 2026; Published: Apr 15, 2020; CVSS: N/A (v4), 8.8 HIGH (v3), 6.5 MEDIUM (v2). A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE... |
Vendors (1): Microsoft; Products (4): Business Productivity Servers, Sharepoint Enterprise Server, Sharepoint Foundation, +1 more; Updated: Jun 17, 2026; Published: Apr 15, 2020; CVSS: N/A (v4), 8.8 HIGH (v3), 6.5 MEDIUM (v2). A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE... |
Vendors (1): Microsoft; Products (3): Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server; Updated: Jun 17, 2026; Published: Apr 15, 2020; CVSS: N/A (v4), 8.8 HIGH (v3), 6.5 MEDIUM (v2). A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE... |