Total: 3717 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-15067 | | | 2025-12-29 | N/A | 7.7 HIGH | Unrestricted Upload of File with Dangerous Type vulnerability in Innorix Innorix WP allows Upload a Web Shell to a Web Server. This issue affects Innorix WP: all versions, if the "exam" directory exists under the directory where the product is installed (e.g. innorix/exam). |
| CVE-2025-2748 | 1 Kentico | 1 Xperience | 2025-12-27 | N/A | 6.1 MEDIUM | The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS. This issue affects Kentico Xperience through 13.0.178. |
| CVE-2023-53971 | 1 Webtareas Project | 1 Webtareas | 2025-12-26 | N/A | 8.8 HIGH | WebTareas 2.4 contains a file upload vulnerability that allows authenticated users to upload malicious PHP files through the chat photo upload functionality. Attackers can upload a PHP file with arbitrary code to the /files/Messages/ directory and execute it directly through the generated file path. |
| CVE-2023-53980 | 1 Projectsend | 1 Projectsend | 2025-12-26 | N/A | 9.8 CRITICAL | ProjectSend r1605 contains a remote code execution vulnerability that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server. |
| CVE-2019-25229 | 1 Kentico | 1 Xperience | 2025-12-24 | N/A | 8.8 HIGH | An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with 'Read data' permissions to upload arbitrary file types via MVC form file uploader components. Attackers can manipulate file names and upload potentially malicious files to the system, enabling unauthorized file uploads. |
| CVE-2023-53952 | 1 Dotclear | 1 Dotclear | 2025-12-24 | N/A | 8.8 HIGH | Dotclear 2.25.3 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension through the blog post creation interface. Attackers can upload files containing PHP system commands that execute when the uploaded file is accessed, enabling arbitrary code execution on the server. |
| CVE-2023-53933 | 1 S9y | 1 Serendipity | 2025-12-24 | N/A | 8.8 HIGH | Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension. Attackers can upload files with system command payloads to the media upload endpoint and execute arbitrary commands on the server. |
| CVE-2023-53922 | 1 Tinywebgallery | 1 Tinywebgallery | 2025-12-24 | N/A | 9.8 CRITICAL | TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL. |
| CVE-2025-14885 | 1 Lerouxyxchire | 1 Client Database Management System | 2025-12-24 | 6.5 MEDIUM | 6.3 MEDIUM | A flaw has been found in SourceCodester Client Database Management System 1.0. This affects an unknown part of the file /user_leads.php of the component Leads Generation Module. Executing manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. |
| CVE-2024-44598 | 1 Fntsoftware | 1 Fnt Command | 2025-12-23 | N/A | 8.8 HIGH | FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module. |
| CVE-2024-44599 | 1 Fntsoftware | 1 Fnt Command | 2025-12-23 | N/A | 8.3 HIGH | FNT Command 13.4.0 is vulnerable to Directory Traversal. |
| CVE-2025-14583 | 1 Campcodes | 1 Online Student Enrollment System | 2025-12-23 | 7.5 HIGH | 7.3 HIGH | A flaw has been found in campcodes Online Student Enrollment System 1.0. This impacts an unknown function of the file /admin/register.php. Executing manipulation of the argument photo can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. |
| CVE-2020-36849 | 1 Ait-themes | 1 Ait Cvs Import Export | 2025-12-23 | N/A | 9.8 CRITICAL | The AIT CSV import/export plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php file in versions up to, and including, 3.0.3. This makes it possible for unauthorized attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. |
| CVE-2023-53956 | | | 2025-12-23 | N/A | 8.8 HIGH | Flatnux 2021-03.25 contains an authenticated file upload vulnerability that allows administrative users to upload arbitrary PHP files through the file manager. Attackers with admin credentials can upload malicious PHP scripts to the web root directory, enabling remote code execution on the server. |
| CVE-2023-53950 | | | 2025-12-23 | N/A | 9.8 CRITICAL | InnovaStudio WYSIWYG Editor 5.4 contains an unrestricted file upload vulnerability that allows attackers to bypass file extension restrictions through filename manipulation. Attackers can upload malicious ASP shells by using null byte techniques and alternate file extensions to circumvent upload controls in the asset manager. |
| CVE-2025-13329 | | | 2025-12-23 | N/A | 9.8 CRITICAL | The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them on the affected site's server, which may make remote code execution possible. |
| CVE-2025-14800 | | | 2025-12-23 | N/A | 8.1 HIGH | The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_file_to_upload' function in all versions up to, and including, 3.2.7. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server. If 'allow_url_fopen' is set to 'On', it is possible to upload a remote file to the server. |
| CVE-2025-6085 | 1 Celonis | 1 Make Connector | 2025-12-22 | N/A | 7.2 HIGH | The Make Connector plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'upload_media' function in all versions up to, and including, 1.5.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. |
| CVE-2025-14582 | 1 Campcodes | 1 Online Student Enrollment System | 2025-12-22 | 5.8 MEDIUM | 4.7 MEDIUM | A vulnerability was detected in campcodes Online Student Enrollment System 1.0. This affects an unknown function of the file /admin/index.php?page=user-profile. Performing manipulation of the argument userphoto results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used. |
| CVE-2023-52324 | 1 Trendmicro | 1 Apex Central | 2025-12-22 | N/A | 8.8 HIGH | An unrestricted file upload vulnerability in Trend Micro Apex Central could allow a remote attacker to create arbitrary files on affected installations. Please note: although authentication is required to exploit this vulnerability, it could be exploited when the attacker has any valid set of credentials. Also, this vulnerability could potentially be used in combination with another vulnerability to execute arbitrary code. |