Vulnerabilities (CVE)

Filtered by CWE-434
Total 4131 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-46020 1 Wbce 1 Wbce Cms 2026-06-17 N/A 9.8 CRITICAL
WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.
CVE-2022-45968 1 Alistgo 1 Alist 2026-06-17 N/A 8.8 HIGH
Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one).
CVE-2022-45966 1 Classcms Project 1 Classcms 2026-06-17 N/A 9.8 CRITICAL
here is an arbitrary file upload vulnerability in the file management function module of Classcms3.5.
CVE-2022-45912 1 Zimbra 1 Collaboration 2026-06-17 N/A 7.2 HIGH
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. Remote code execution can occur through ClientUploader by an authenticated admin user. An authenticated admin user can upload files through the ClientUploader utility, and traverse to any other directory for remote code execution.
CVE-2022-45896 1 Planetestream 1 Planet Estream 2026-06-17 N/A 9.8 CRITICAL
Planet eStream before 6.72.10.07 allows unauthenticated upload of arbitrary files: Choose a Video / Related Media or Upload Document. Upload2.ashx can be used, or Ajax.asmx/ProcessUpload2. This leads to remote code execution.
CVE-2022-45802 1 Apache 1 Streampark 2026-06-17 N/A 9.8 CRITICAL
Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later
CVE-2022-45771 1 Pwndoc Project 1 Pwndoc 2026-06-17 N/A 8.8 HIGH
An issue in the /api/audits component of Pwndoc v0.5.3 allows attackers to escalate privileges and execute arbitrary code via uploading a crafted audit file.
CVE-2022-45759 1 Sens Project 1 Sens 2026-06-17 N/A 8.8 HIGH
SENS v1.0 has a file upload vulnerability.
CVE-2022-45548 1 Ayacms Project 1 Ayacms 2026-06-17 N/A 8.8 HIGH
AyaCMS v3.1.2 has an Arbitrary File Upload vulnerability.
CVE-2022-45527 1 Institutional Management Website Project 1 Institutional Management Website 2026-06-17 N/A 9.8 CRITICAL
File upload vulnerability in Future-Depth Institutional Management Website (IMS) 1.0, allows unauthorized attackers to directly upload malicious files to the courseimg directory.
CVE-2022-45476 1 Prasathmani 1 Tiny File Manager 2026-06-17 N/A 9.8 CRITICAL
Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.
CVE-2022-45427 1 Dahuasecurity 8 Dhi-dss4004-s2, Dhi-dss4004-s2 Firmware, Dhi-dss7016d-s2 and 5 more 2026-06-17 N/A 7.2 HIGH
Some Dahua software products have a vulnerability of unrestricted upload of file. After obtaining the permissions of administrators, by sending a specific crafted packet to the vulnerable interface, an attacker can upload arbitrary files.
CVE-2022-45415 1 Mozilla 1 Firefox 2026-06-17 N/A 7.8 HIGH
When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran. This vulnerability affects Firefox < 107.
CVE-2022-45377 1 Codedropz 1 Drag And Drop Multiple File Upload For Woocommerce 2026-06-17 N/A 6.5 MEDIUM
Unrestricted Upload of File with Dangerous Type vulnerability in Glen Don L. Mongaya Drag and Drop Multiple File Upload for WooCommerce.This issue affects Drag and Drop Multiple File Upload for WooCommerce: from n/a through 1.0.8.
CVE-2022-45359 1 Yithemes 1 Yith Woocommerce Gift Cards 2026-06-17 N/A 9.8 CRITICAL
Unauth. Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards premium plugin <= 3.19.0 on WordPress.
CVE-2022-45338 1 Exactsoftware 1 Exact Synergy 2026-06-17 N/A 7.8 HIGH
An arbitrary file upload vulnerability in the profile picture upload function of Exact Synergy Enterprise 267 before 267SP13 and Exact Synergy Enterprise 500 before 500SP6 allows attackers to execute arbitrary code via a crafted SVG file.
CVE-2022-45275 1 Dynamic Transaction Queuing System Project 1 Dynamic Transaction Queuing System 2026-06-17 N/A 7.2 HIGH
An arbitrary file upload vulnerability in /queuing/admin/ajax.php?action=save_settings of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-45171 1 Liveboxcloud 1 Vdesk 2026-06-17 N/A 8.8 HIGH
An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Unrestricted Upload of a File with a Dangerous Type can occur under the vShare web site section. A remote user, authenticated to the product, can arbitrarily upload potentially dangerous files without restrictions.
CVE-2022-45039 1 Wbce 1 Wbce Cms 2026-06-17 N/A 7.2 HIGH
An arbitrary file upload vulnerability in the Server Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-45009 1 Online Leave Management System Project 1 Online Leave Management System 2026-06-17 N/A 7.2 HIGH
Online Leave Management System v1.0 was discovered to contain an arbitrary file upload vulnerability at /leave_system/classes/SystemSettings.php?f=update_settings. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.