Total
3976 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-35570 | 1 Inxedu | 1 Inxedu | 2025-06-20 | 9.8 Critical |
| An arbitrary file upload vulnerability in the component \controller\ImageUploadController.class of inxedu v2.0.6 allows attackers to execute arbitrary code via uploading a crafted jsp file. | ||||
| CVE-2023-51925 | 1 Yonyou | 1 Yonbip | 2025-06-20 | 9.8 Critical |
| An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2021-31314 | 1 Ejinshan | 1 Terminal Security System | 2025-06-20 | 9.8 Critical |
| File upload vulnerability in ejinshan v8+ terminal security system allows attackers to upload arbitrary files to arbitrary locations on the server. | ||||
| CVE-2023-51806 | 1 Ujcms | 1 Ujcms | 2025-06-20 | 7.8 High |
| File Upload vulnerability in Ujcms v.8.0.2 allows a local attacker to execute arbitrary code via a crafted file. | ||||
| CVE-2023-4536 | 1 Koalaapps | 1 My Account Page Editor | 2025-06-20 | 8.8 High |
| The My Account Page Editor WordPress plugin before 1.3.2 does not validate the profile picture to be uploaded, allowing any authenticated users, such as subscriber to upload arbitrary files to the server, leading to RCE | ||||
| CVE-2022-1538 | 1 Themely | 1 Theme Demo Import | 2025-06-20 | 7.2 High |
| Theme Demo Import WordPress plugin before 1.1.1 does not validate the imported file, allowing high-privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed. | ||||
| CVE-2024-31777 | 1 Openeclass | 1 Openeclass | 2025-06-18 | 9.8 Critical |
| File Upload vulnerability in openeclass v.3.15 and before allows an attacker to execute arbitrary code via a crafted file to the certbadge.php endpoint. | ||||
| CVE-2023-5957 | 1 Naziinfotech | 1 Ni Purchase Order\(po\) For Woocommerce | 2025-06-18 | 7.2 High |
| The Ni Purchase Order(PO) For WooCommerce WordPress plugin through 1.2.1 does not validate logo and signature image files uploaded in the settings, allowing high privileged user to upload arbitrary files to the web server, triggering an RCE vulnerability by uploading a web shell. | ||||
| CVE-2023-45724 | 1 Hcltech | 1 Dryice Myxalytics | 2025-06-18 | 8.2 High |
| HCL DRYiCE MyXalytics product is impacted by unauthenticated file upload vulnerability. The web application permits the upload of a certain file without requiring user authentication. | ||||
| CVE-2023-5150 | 1 Dlink | 4 Dar-7000, Dar-7000 Firmware, Dar-8000 and 1 more | 2025-06-18 | 6.3 Medium |
| ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical has been found in D-Link DAR-7000 and DAR-8000 up to 20151231. Affected is an unknown function of the file /useratte/web.php. The manipulation of the argument file_upload leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-240246 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced. | ||||
| CVE-2023-5277 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2025-06-18 | 6.3 Medium |
| A vulnerability, which was classified as critical, has been found in SourceCodester Engineers Online Portal 1.0. This issue affects some unknown processing of the file student_avatar.php. The manipulation of the argument change leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-240905 was assigned to this vulnerability. | ||||
| CVE-2024-22135 | 1 Webtoffee | 1 Order Export \& Order Import For Woocommerce | 2025-06-17 | 8 High |
| Unrestricted Upload of File with Dangerous Type vulnerability in WebToffee Order Export & Order Import for WooCommerce.This issue affects Order Export & Order Import for WooCommerce: from n/a through 2.4.3. | ||||
| CVE-2024-0648 | 1 Yunyou Cms Project | 1 Yunyou Cms | 2025-06-17 | 7.3 High |
| A vulnerability has been found in Yunyou CMS up to 2.2.6 and classified as critical. This vulnerability affects unknown code of the file /app/index/controller/Common.php. The manipulation of the argument templateFile leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-251374 is the identifier assigned to this vulnerability. | ||||
| CVE-2023-50729 | 1 Traccar | 1 Traccar | 2025-06-17 | 8.5 High |
| Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file upload vulnerability in File feature allows attackers to execute arbitrary code on the server. This vulnerability is more prevalent because Traccar is recommended to run web servers as root user. It is also more dangerous because it can write or overwrite files in arbitrary locations. Version 5.11 was published to fix this vulnerability. | ||||
| CVE-2023-39462 | 1 Trianglemicroworks | 1 Scada Data Gateway | 2025-06-17 | N/A |
| Triangle MicroWorks SCADA Data Gateway Workspace Unrestricted Upload Vulnerability. This vulnerability allows remote attackers to upload arbitrary files on affected installations of Triangle MicroWorks SCADA Data Gateway. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of workspace files. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilitites to execute arbitrary code in the context of root. Was ZDI-CAN-20536. | ||||
| CVE-2023-39463 | 1 Trianglemicroworks | 1 Scada Data Gateway | 2025-06-17 | N/A |
| Triangle MicroWorks SCADA Data Gateway Trusted Certification Unrestricted Upload of File Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Triangle MicroWorks SCADA Data Gateway. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the trusted certification feature. The issue lies in the handling of the OpcUaSecurityCertificateAuthorityTrustDir variable, which allows an arbitrary file write with attacker-controlled data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20537. | ||||
| CVE-2024-0192 | 1 Nia | 1 Rrj Nueva Ecija Engineer Online Portal | 2025-06-17 | 6.3 Medium |
| A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file downloadable.php of the component Add Downloadable. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249505 was assigned to this vulnerability. | ||||
| CVE-2025-3444 | 1 Zohocorp | 2 Manageengine Servicedesk Plus Msp, Manageengine Supportcenter Plus | 2025-06-17 | 6.5 Medium |
| Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded. | ||||
| CVE-2024-34982 | 1 Lylme | 1 Lylme Spage | 2025-06-17 | 9.8 Critical |
| An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2024-22567 | 1 Mingsoft | 1 Mcms | 2025-06-17 | 8.8 High |
| File Upload vulnerability in MCMS 5.3.5 allows attackers to upload arbitrary files via crafted POST request to /ms/file/upload.do. | ||||