Vulnerabilities (CVE)

Filtered by CWE-434
Total 4131 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-42201 1 Simple Exam Reviewer Management System Project 1 Simple Exam Reviewer Management System 2026-06-17 N/A 7.2 HIGH
Simple Exam Reviewer Management System v1.0 is vulnerable to Insecure file upload.
CVE-2022-42198 1 Simple Exam Reviewer Management System Project 1 Simple Exam Reviewer Management System 2026-06-17 N/A 8.8 HIGH
In Simple Exam Reviewer Management System v1.0 the User List function suffers from insecure file upload.
CVE-2022-42189 1 Emlog 1 Emlog 2026-06-17 N/A 7.2 HIGH
Emlog Pro 1.6.0 plugins upload suffers from a remote code execution (RCE) vulnerability.
CVE-2022-42154 1 74cms 1 74cmsse 2026-06-17 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability in the component /apiadmin/upload/attach of 74cmsSE v3.13.0 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-42092 1 Backdropcms 1 Backdrop Cms 2026-06-17 N/A 7.2 HIGH
Backdrop CMS 1.22.0 has Unrestricted File Upload vulnerability via 'themes' that allows attackers to Remote Code Execution. Note: Third parties dispute this and argue that advanced permissions are required.
CVE-2022-42044 1 Democritus 1 D8s-asns 2026-06-17 N/A 9.8 CRITICAL
The d8s-asns package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-html package. The affected version is 0.1.0.
CVE-2022-42043 1 Democritus 1 D8s-xml 2026-06-17 N/A 9.8 CRITICAL
The d8s-xml package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-html package. The affected version is 0.1.0.
CVE-2022-42040 1 Democritus 1 D8s-algorithms 2026-06-17 N/A 9.8 CRITICAL
The d8s-algorithms package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-dicts package. The affected version is 0.1.0.
CVE-2022-42039 1 Democritus 1 D8s-lists 2026-06-17 N/A 9.8 CRITICAL
The d8s-lists package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-dicts package. The affected version is 0.1.0.
CVE-2022-42038 1 Democritus 1 D8s-ip-addresses 2026-06-17 N/A 9.8 CRITICAL
The d8s-ip-addresses package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-csv package. The affected version is 0.1.0.
CVE-2022-42037 1 Democritus 1 D8s-asns 2026-06-17 N/A 9.8 CRITICAL
The d8s-asns package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-csv package. The affected version is 0.1.0.
CVE-2022-42036 1 Democritus 1 D8s-urls 2026-06-17 N/A 9.8 CRITICAL
The d8s-urls package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-csv package. The affected version is 0.1.0.
CVE-2022-42034 1 Wedding Planner Project 1 Wedding Planner 2026-06-17 N/A 8.8 HIGH
Wedding Planner v1.0 is vulnerable to arbitrary code execution via users_profile.php.
CVE-2022-42029 1 Chamilo 1 Chamilo 2026-06-17 N/A 8.8 HIGH
Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory.
CVE-2022-41711 1 Uatech 1 Badaso 2026-06-17 N/A 9.8 CRITICAL
Badaso version 2.6.0 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.
CVE-2022-41705 1 Uatech 1 Badaso 2026-06-17 N/A 9.8 CRITICAL
Badaso version 2.6.3 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.
CVE-2022-41681 1 Formalms 1 Formalms 2026-06-17 N/A 9.9 CRITICAL
There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to privilege escalate in order to upload a Zip file through the SCORM importer feature. The exploitation of this vulnerability could lead to a remote code injection.
CVE-2022-41573 2026-06-17 N/A 9.8 CRITICAL
An issue was discovered in Ovidentia 8.3. The file upload feature does not prevent the uploading of executable files. A user can upload a .png file containing PHP code and then rename it to have the .php extension. It will then be accessible at an images/common/ URI for remote code execution.
CVE-2022-41539 1 Wedding Planner Project 1 Wedding Planner 2026-06-17 N/A 8.8 HIGH
Wedding Planner v1.0 was discovered to contain an arbitrary file upload vulnerability in the component /admin/users_add.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-41538 1 Wedding Planner Project 1 Wedding Planner 2026-06-17 N/A 8.8 HIGH
Wedding Planner v1.0 was discovered to contain an arbitrary file upload vulnerability in the component /Wedding-Management-PHP/admin/photos_add.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.