Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,098)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-60731 1Perfree 1Perfreeblog Oct 27, 2025 Oct 24, 2025 N/A· v4 7.6 HIGH· v3 N/A· v2 PerfreeBlog v4.0.11 has a File Upload vulnerability in the installTheme function
CVE-2025-11889 - - Apr 8, 2026 Oct 24, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.18. This m...Show more The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.18. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.Show less
CVE-2025-6440 - - Oct 27, 2025 Oct 24, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'wcdp_save_ca...Show more The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.Show less
CVE-2025-58963 - - Apr 27, 2026 Oct 22, 2025 N/A· v4 10.0 CRITICAL· v3 N/A· v2 Unrestricted Upload of File with Dangerous Type vulnerability in 7oroof Medcity medcity allows Upload a Web Shell to a Web Server.This issue affects Medcity: from n/a through < 1.1.9.
CVE-2025-52758 - - Apr 27, 2026 Oct 22, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy zippy allows Using Malicious Files.This issue affects Zippy: from n/a through <= 1.7.0.
CVE-2025-49060 - - Jan 20, 2026 Oct 22, 2025 N/A· v4 10.0 CRITICAL· v3 N/A· v2 Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Wastia wastia allows Upload a Web Shell to a Web Server.This issue affects Wastia: from n/a through < 1.1.3.
CVE-2025-48106 - - Jan 20, 2026 Oct 22, 2025 N/A· v4 10.0 CRITICAL· v3 N/A· v2 Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Clanora clanora allows Using Malicious Files.This issue affects Clanora: from n/a through < 1.3.1.
CVE-2025-60500 1Qdocs 1Smart School Nov 17, 2025 Oct 21, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 QDocs Smart School Management System 7.1 allows authenticated users with roles such as "accountant" or "admin" to bypass file type restrictions in the media upload feature by abusing the alternate YouTube URL option. Thi...Show more QDocs Smart School Management System 7.1 allows authenticated users with roles such as "accountant" or "admin" to bypass file type restrictions in the media upload feature by abusing the alternate YouTube URL option. This logic flaw permits uploading of arbitrary PHP files, which are stored in a web-accessible directory.Show less
CVE-2025-61181 1Daicuo 1Daicuo Oct 23, 2025 Oct 21, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 daicuocms V1.3.13 contains an arbitrary file upload vulnerability in the image upload feature.
CVE-2025-61417 1Tastyigniter 1Tastyigniter Nov 12, 2025 Oct 20, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicious SVG file containing JavaScript code. When an administrator previews th...Show more Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicious SVG file containing JavaScript code. When an administrator previews the file, the code executes in their browser context, allowing the attacker to perform unauthorized actions such as modifying the admin account credentials.Show less
CVE-2025-31342 - - Jan 30, 2026 Oct 20, 2025 9.3 CRITICAL· v4 N/A· v3 N/A· v2 An unrestricted upload of file with dangerous type vulnerability in the upload file function of Galaxy Software Services Corporation Vitals ESP Forum Module through 1.3 version allows remote authenticated users to execut...Show more An unrestricted upload of file with dangerous type vulnerability in the upload file function of Galaxy Software Services Corporation Vitals ESP Forum Module through 1.3 version allows remote authenticated users to execute arbitrary system commands via a malicious file.Show less
CVE-2025-11948 - - Nov 12, 2025 Oct 20, 2025 9.3 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 Document Management System developed by Excellent Infotek has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code e...Show more Document Management System developed by Excellent Infotek has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.Show less
CVE-2025-11391 - - Oct 21, 2025 Oct 18, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image cropper functionality in all versions up to, and inc...Show more The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image cropper functionality in all versions up to, and including, 33.0.15. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. While the vulnerable code is in the free version, this only affected users with the paid version of the software installed and activated.Show less
CVE-2025-56218 1Ascertia 1Signinghub Oct 27, 2025 Oct 17, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An arbitrary file upload vulnerability in SigningHub v8.6.8 allows attackers to execute arbitrary code via uploading a crafted PDF file.
CVE-2025-11908 1Streamax 1Streamax Crocus Apr 29, 2026 Oct 17, 2025 2.1 LOW· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A security flaw has been discovered in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The affected element is the function uploadFile of the file /FileDir.do?Action=Upload. Performing manipulation of the argument Fi...Show more A security flaw has been discovered in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The affected element is the function uploadFile of the file /FileDir.do?Action=Upload. Performing manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2023-28814 - - Oct 21, 2025 Oct 17, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Some versions of Hikvision's iSecure Center Product have an improper file upload control vulnerability. Due to the improper verification of file to be uploaded, attackers may upload malicious files to the server. iSecure...Show more Some versions of Hikvision's iSecure Center Product have an improper file upload control vulnerability. Due to the improper verification of file to be uploaded, attackers may upload malicious files to the server. iSecure Center is software released for China's domestic market only, with no overseas release.Show less
CVE-2025-10754 - - Oct 16, 2025 Oct 15, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 The DocoDoco Store Locator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 1.0.1. This makes it possi...Show more The DocoDoco Store Locator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.Show less
CVE-2025-10051 - - Oct 16, 2025 Oct 15, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 The Demo Import Kit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.1.0 via the import functionality. This makes it possible for au...Show more The Demo Import Kit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.1.0 via the import functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.Show less
CVE-2025-10041 - - Apr 8, 2026 Oct 15, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in thesave_qr_code_to_db() function in all versions up to, and including, 1.2.5. This makes it p...Show more The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in thesave_qr_code_to_db() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.Show less
CVE-2023-7305 - - Nov 7, 2025 Oct 15, 2025 9.2 CRITICAL· v4 N/A· v3 N/A· v2 SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability via the RMIServlet request handling logic. Under certain configurations or usage patterns, attackers can send specially crafted requests that caus...Show more SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability via the RMIServlet request handling logic. Under certain configurations or usage patterns, attackers can send specially crafted requests that cause the application to perform sensitive operations or execute arbitrary code on the host. The vendor released a fix in July 2023 to address the underlying flaw. VulnCheck has observed this vulnerability being exploited in the wild.Show less

Previous 1...303132...205 Next