Vulnerabilities (CVE)

Filtered by CWE-434
Total 4125 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-3537 1 Addify 1 Role Based Pricing For Woocommerce 2026-06-17 N/A 8.8 HIGH
The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP
CVE-2022-3478 1 Gitlab 1 Gitlab 2026-06-17 N/A 4.3 MEDIUM
An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible to trigger a DoS attack by uploading a malicious nuget package.
CVE-2022-3458 1 Oretnom23 1 Human Resource Management System 2026-06-17 N/A 6.3 MEDIUM
A vulnerability has been found in SourceCodester Human Resource Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /employeeview.php of the component Image File Handler. The manipulation leads to unrestricted upload. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-210559.
CVE-2022-3436 1 Web-based Student Clearance System Project 1 Web-based Student Clearance System 2026-06-17 N/A 6.3 MEDIUM
A vulnerability classified as critical was found in SourceCodester Web-Based Student Clearance System 1.0. Affected by this vulnerability is an unknown functionality of the file edit-photo.php of the component Photo Handler. The manipulation leads to unrestricted upload. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-210367.
CVE-2022-3257 1 Mattermost 1 Mattermost Server 2026-06-17 N/A 3.1 LOW
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service.
CVE-2022-3129 1 Online Driving School Project Project 1 Online Driving School Project 2026-06-17 N/A 6.3 MEDIUM
A vulnerability was found in codeprojects Online Driving School. It has been rated as critical. Affected by this issue is some unknown functionality of the file /registration.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-207872.
CVE-2022-3125 1 Najeebmedia 1 Frontend File Manager 2026-06-17 N/A 8.8 HIGH
The Frontend File Manager Plugin WordPress plugin before 21.3 allows any authenticated users, such as subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to basically be able to upload arbitrary files on the server and achieve RCE
CVE-2022-3076 1 Cminds 1 Cm Download Manager 2026-06-17 N/A 7.2 HIGH
The CM Download Manager WordPress plugin before 2.8.6 allows high privilege users such as admin to upload arbitrary files by setting the any extension via the plugin's setting, which could be used by admins of multisite blog to upload PHP files for example.
CVE-2022-39983 1 Instantdeveloper 1 Rd3 2026-06-17 N/A 9.8 CRITICAL
File upload vulnerability in Pro Gamma Instant Developer RD3 22.5 r23, r30, and possibly earlier versions, allows attackers to execute arbitrary code.
CVE-2022-39978 1 Online Pet Shop We App Project 1 Online Pet Shop We App 2026-06-17 N/A 7.2 HIGH
Online Pet Shop We App v1.0 was discovered to contain an arbitrary file upload vulnerability via the Editing function in the Product List module. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file uploaded through the picture upload point.
CVE-2022-39977 1 Online Pet Shop We App Project 1 Online Pet Shop We App 2026-06-17 N/A 7.2 HIGH
Online Pet Shop We App v1.0 was discovered to contain an arbitrary file upload vulnerability via the Editing function in the User module. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file uploaded through the picture upload point.
CVE-2022-39305 1 Gin-vue-admin Project 1 Gin-vue-admin 2026-06-17 N/A 9.8 CRITICAL
Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. Versions prior to 2.5.4 contain a file upload ability. The affected code fails to validate fileMd5 and fileName parameters, resulting in an arbitrary file being read. This issue is patched in 2.5.4b. There are no known workarounds.
CVE-2022-39301 1 Sra-admin Project 1 Sra-admin 2026-06-17 N/A 8.2 HIGH
sra-admin is a background rights management system that separates the front and back end. sra-admin version 1.1.1 has a storage cross-site scripting (XSS) vulnerability. After logging into the sra-admin background, an attacker can upload an html page containing xss attack code in "Personal Center" - "Profile Picture Upload" allowing theft of the user's personal information. This issue has been patched in 1.1.2. There are no known workarounds.
CVE-2022-39036 1 Flowring 1 Agentflow 2026-06-17 N/A 9.8 CRITICAL
The file upload function of Agentflow BPM has insufficient filtering for special characters in URLs. An unauthenticated remote attacker can exploit this vulnerability to upload arbitrary file and execute arbitrary code to manipulate system or disrupt service.
CVE-2022-38916 1 Pagekit 1 Pagekit 2026-06-17 N/A 9.8 CRITICAL
A file upload vulnerability exists in the storage feature of pagekit 1.0.18, which allows an attacker to upload malicious files
CVE-2022-38887 1 D8s-python Project 1 D8s-python 2026-06-17 N/A 9.8 CRITICAL
The d8s-python for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The democritus-strings package. The affected version is 0.1.0.
CVE-2022-38886 1 D8s-xml Project 1 D8s-xml 2026-06-17 N/A 9.8 CRITICAL
The d8s-xml for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0.
CVE-2022-38885 1 D8s-netstrings Project 1 D8s-netstrings 2026-06-17 N/A 9.8 CRITICAL
The d8s-netstrings for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0.
CVE-2022-38884 1 D8s-grammars Project 1 D8s-grammars 2026-06-17 N/A 9.8 CRITICAL
The d8s-grammars for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0.
CVE-2022-38883 1 D8s-math Project 1 D8s-math 2026-06-17 N/A 9.8 CRITICAL
The d8s-math for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0.