Total
2952 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-31324 | 2025-04-30 | N/A | 10.0 CRITICAL | ||
| SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. | |||||
| CVE-2024-4349 | 1 Donbermoy | 1 Pisay Online E-learning System | 2025-04-29 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in SourceCodester Pisay Online E-Learning System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /lesson/controller.php. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-262489 was assigned to this vulnerability. | |||||
| CVE-2025-0520 | 2025-04-29 | N/A | N/A | ||
| An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to remote code execution.This issue affects ShowDoc: before 2.8.7. | |||||
| CVE-2022-43192 | 1 Dedecms | 1 Dedecms | 2025-04-29 | N/A | 6.7 MEDIUM |
| An arbitrary file upload vulnerability in the component /dede/file_manage_control.php of Dedecms v5.7.101 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is related to an incomplete fix for CVE-2022-40886. | |||||
| CVE-2020-23591 | 1 Optilinknetwork | 2 Op-xt71000n, Op-xt71000n Firmware | 2025-04-29 | N/A | 9.8 CRITICAL |
| A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an attacker to upload arbitrary files through " /mgm_dev_upgrade.asp " which can "delete every file for Denial of Service (using 'rm -rf *.*' in the code), reverse connection (using '.asp' webshell), backdoor. | |||||
| CVE-2022-44384 | 1 Rconfig | 1 Rconfig | 2025-04-29 | N/A | 8.8 HIGH |
| An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code via a crafted PHP file. | |||||
| CVE-2022-41705 | 1 Uatech | 1 Badaso | 2025-04-29 | N/A | 9.8 CRITICAL |
| Badaso version 2.6.3 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users. | |||||
| CVE-2022-45476 | 1 Tiny File Manager Project | 1 Tiny File Manager | 2025-04-29 | N/A | 9.8 CRITICAL |
| Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload. | |||||
| CVE-2022-44401 | 1 Online Tours \& Travels Management System Project | 1 Online Tours \& Travels Management System | 2025-04-29 | N/A | 9.8 CRITICAL |
| Online Tours & Travels Management System v1.0 contains an arbitrary file upload vulnerability via /tour/admin/file.php. | |||||
| CVE-2022-44760 | 2025-04-29 | N/A | 4.6 MEDIUM | ||
| Unsafe default file type filter policy in HCL Leap allows execution of unsafe JavaScript in deployed applications. | |||||
| CVE-2025-46616 | 2025-04-29 | N/A | 9.9 CRITICAL | ||
| Quantum StorNext Web GUI API before 7.2.4 allows potential Arbitrary Remote Code Execution (RCE) via upload of a file. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage. | |||||
| CVE-2025-46264 | 2025-04-29 | N/A | 9.9 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Angelo Mandato PowerPress Podcasting allows Upload a Web Shell to a Web Server. This issue affects PowerPress Podcasting: from n/a through 11.12.5. | |||||
| CVE-2025-3914 | 2025-04-29 | N/A | 8.8 HIGH | ||
| The Aeropage Sync for Airtable plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aeropage_media_downloader' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-3969 | 2025-04-29 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in codeprojects News Publishing Site Dashboard 1.0. It has been rated as critical. This issue affects some unknown processing of the file /edit-category.php of the component Edit Category Page. The manipulation of the argument category_image leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-4006 | 2025-04-29 | 5.8 MEDIUM | 4.7 MEDIUM | ||
| A vulnerability classified as critical has been found in youyiio BeyongCms 1.6.0. Affected is an unknown function of the file /admin/theme/Upload.html of the component Document Management Page. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2021-43258 | 1 Churchdb | 1 Churchinfo | 2025-04-28 | N/A | 8.8 HIGH |
| CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access tot he ChurchInfo application. Once authenticated, a user can add names to their cart, and compose an email. Uploading an attachment for the email stores the attachment on the site in the /tmp_attach/ folder where it can be accessed with a GET request. There are no limitations on files that can be attached, allowing for malicious PHP code to be uploaded and interpreted by the server. | |||||
| CVE-2022-30529 | 1 Isic.lk Project | 1 Isic.lk | 2025-04-28 | N/A | 7.2 HIGH |
| File upload vulnerability in asith-eranga ISIC tour booking through version published on Feb 13th 2018, allows attackers to upload arbitrary files via /system/application/libs/js/tinymce/plugins/filemanager/dialog.php and /system/application/libs/js/tinymce/plugins/filemanager/upload.php. | |||||
| CVE-2024-48180 | 1 Classcms | 1 Classcms | 2025-04-28 | N/A | 9.8 CRITICAL |
| ClassCMS <=4.8 is vulnerable to file inclusion in the nowView method in/class/cms/cms.php, which can include a file uploaded to the/class/template directory to execute PHP code. | |||||
| CVE-2024-9036 | 1 Angeljudesuarez | 1 Online Book Store Project | 2025-04-28 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in itsourcecode Online Bookstore 1.0. It has been rated as critical. This issue affects some unknown processing of the file admin_add.php. The manipulation of the argument image leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-46101 | 1 Gdidees | 1 Gdidees Cms | 2025-04-28 | N/A | 9.8 CRITICAL |
| GDidees CMS <= v3.9.1 has a file upload vulnerability. | |||||