Vulnerabilities (CVE)

Filtered by CWE-434
Total 4131 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-44760 1 Hcltech 1 Hcl Leap 2026-06-17 N/A 4.6 MEDIUM
Unsafe default file type filter policy in HCL Leap allows execution of unsafe JavaScript in deployed applications.
CVE-2022-44401 1 Online Tours \& Travels Management System Project 1 Online Tours \& Travels Management System 2026-06-17 N/A 9.8 CRITICAL
Online Tours & Travels Management System v1.0 contains an arbitrary file upload vulnerability via /tour/admin/file.php.
CVE-2022-44400 1 Purchase Order Management System Project 1 Purchase Order Management System 2026-06-17 N/A 9.8 CRITICAL
Purchase Order Management System v1.0 contains a file upload vulnerability via /purchase_order/admin/?page=system_info.
CVE-2022-44384 1 Rconfig 1 Rconfig 2026-06-17 N/A 8.8 HIGH
An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-44354 1 Contec 2 Solarview Compact, Solarview Compact Firmware 2026-06-17 N/A 9.8 CRITICAL
SolarView Compact 4.0 and 5.0 is vulnerable to Unrestricted File Upload via a crafted php file.
CVE-2022-44289 1 Thinkphp 1 Thinkphp 2026-06-17 N/A 8.8 HIGH
Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell.
CVE-2022-44276 1 Tecrail 1 Responsive Filemanager 2026-06-17 N/A 9.8 CRITICAL
In Responsive Filemanager < 9.12.0, an attacker can bypass upload restrictions resulting in RCE.
CVE-2022-44054 1 Democritus 1 D8s-xml 2026-06-17 N/A 9.8 CRITICAL
The d8s-xml for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-utility package. The affected version of d8s-htm is 0.1.0.
CVE-2022-44053 1 Democritus 1 D8s-networking 2026-06-17 N/A 9.8 CRITICAL
The d8s-networking for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-user-agents package. The affected version of d8s-htm is 0.1.0.
CVE-2022-44052 1 Democritus 1 D8s-dates 2026-06-17 N/A 9.8 CRITICAL
The d8s-dates for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-timezones package. The affected version of d8s-htm is 0.1.0.
CVE-2022-44051 1 Democritus 1 D8s-stats 2026-06-17 N/A 9.8 CRITICAL
The d8s-stats for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-math package. The affected version of d8s-htm is 0.1.0.
CVE-2022-44050 1 Democritus 1 D8s-networking 2026-06-17 N/A 9.8 CRITICAL
The d8s-networking for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-json package. The affected version of d8s-htm is 0.1.0.
CVE-2022-44049 1 Democritus 1 D8s-python 2026-06-17 N/A 9.8 CRITICAL
The d8s-python for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-grammars package. The affected version of d8s-htm is 0.1.0.
CVE-2022-44048 1 Democritus 1 D8s-urls 2026-06-17 N/A 9.8 CRITICAL
The d8s-urls for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-domains package. The affected version of d8s-htm is 0.1.0.
CVE-2022-44036 1 B2evolution 1 B2evolution Cms 2026-06-17 N/A 7.2 HIGH
In b2evolution 7.2.5, if configured with admins_can_manipulate_sensitive_files, arbitrary file upload is allowed for admins, leading to command execution. NOTE: the vendor's position is that this is "very obviously a feature not an issue and if you don't like that feature it is very obvious how to disable it."
CVE-2022-43436 1 Easy Test Project 1 Easy Test 2026-06-17 N/A 8.8 HIGH
The File Upload function of EasyTest has insufficient filtering for special characters and file type. A remote attacker authenticated as a general user can upload and execute arbitrary files, to manipulate system or disrupt service.
CVE-2022-43306 1 Democritus 1 D8s-timer 2026-06-17 N/A 8.8 HIGH
The d8s-timer for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-dates package. The affected version of d8s-htm is 0.1.0.
CVE-2022-43305 1 Democritus 1 D8s-python 2026-06-17 N/A 9.8 CRITICAL
The d8s-python for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-algorithms package. The affected version of d8s-htm is 0.1.0.
CVE-2022-43304 1 Democritus 1 D8s-timer 2026-06-17 N/A 9.8 CRITICAL
The d8s-timer for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-uuids package. The affected version of d8s-htm is 0.1.0.
CVE-2022-43303 1 Democritus 1 D8s-strings 2026-06-17 N/A 9.8 CRITICAL
The d8s-strings for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-uuids package. The affected version of d8s-htm is 0.1.0.