Vulnerabilities (CVE)

Filtered by CWE-434
Total 4125 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-36431 1 Rocketsoftware 1 Trufusion 2026-06-17 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability in Rocket TRUfusion Enterprise before 7.9.6.1 allows unauthenticated attackers to execute arbitrary code via a crafted JSP file. Issue fixed in version 7.9.6.1.
CVE-2022-36386 1 Soflyy 1 Wp All Import 2026-06-17 N/A 9.1 CRITICAL
Authenticated Arbitrary Code Execution vulnerability in Soflyy Import any XML or CSV File to WordPress plugin <= 3.6.7 at WordPress.
CVE-2022-36285 1 Uploading Svg\, Webp And Ico Files Project 1 Uploading Svg\, Webp And Ico Files 2026-06-17 N/A 7.2 HIGH
Authenticated Arbitrary File Upload vulnerability in dmitrylitvinov Uploading SVG, WEBP and ICO files plugin <= 1.0.1 at WordPress.
CVE-2022-36264 1 Airspan 2 Airspot 5410, Airspot 5410 Firmware 2026-06-17 N/A 9.1 CRITICAL
In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists an Unauthenticated remote Arbitrary File Upload vulnerability which allows overwriting arbitrary files. A malicious actor can remotely upload a file of their choice and overwrite any file in the system by manipulating the filename and append a relative path that will be interpreted during the upload process. Using this method, it is possible to rewrite any file in the system or upload a new file.
CVE-2022-36066 1 Discourse 1 Discourse 2026-06-17 N/A 9.1 CRITICAL
Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, admins can upload a maliciously crafted Zip or Gzip Tar archive to write files at arbitrary locations and trigger remote code execution. The problem is patched in version 2.8.9 on the `stable` branch and version 2.9.0.beta10 on the `beta` and `tests-passed` branches. There are no known workarounds.
CVE-2022-35426 1 Ucms Project 1 Ucms 2026-06-17 N/A 9.8 CRITICAL
UCMS 1.6 is vulnerable to arbitrary file upload via ucms/sadmin/file PHP file.
CVE-2022-35150 1 Baijiacms Project 1 Baijiacms 2026-06-17 N/A 9.8 CRITICAL
Baijicms v4 was discovered to contain an arbitrary file upload vulnerability.
CVE-2022-34971 1 Feehi 1 Feehi Cms 2026-06-17 N/A 8.8 HIGH
An arbitrary file upload vulnerability in the Advertising Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-34965 1 Openteknik 1 Open Source Social Network 2026-06-17 N/A 7.2 HIGH
OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain an arbitrary file upload vulnerability via the component /ossn/administrator/com_installer. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. Note: The project owner believes this is intended behavior of the application as it only allows authenticated admins to upload files.
CVE-2022-34613 1 Mealie Project 1 Mealie 2026-06-17 N/A 9.8 CRITICAL
Mealie 1.0.0beta3 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file.
CVE-2022-34578 1 Opensourcepos 1 Open Source Point Of Sale 2026-06-17 N/A 7.2 HIGH
Open Source Point of Sale v3.3.7 was discovered to contain an arbitrary file upload vulnerability via the Update Branding Settings page.
CVE-2022-34549 1 Sims Project 1 Sims 2026-06-17 N/A 8.8 HIGH
Sims v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /uploadServlet. This vulnerability allows attackers to escalate privileges and execute arbitrary commands via a crafted file.
CVE-2022-34496 1 Hiby 4 Hiby R3 Pro, Hiby R3 Pro Firmware, Hiby R3 Pro Saber and 1 more 2026-06-17 N/A 9.8 CRITICAL
Hiby R3 PRO firmware v1.5 to v1.7 was discovered to contain a file upload vulnerability via the file upload feature.
CVE-2022-34483 1 Mozilla 1 Firefox 2026-06-17 N/A 8.8 HIGH
An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34482. This vulnerability affects Firefox < 102.
CVE-2022-34482 1 Mozilla 1 Firefox 2026-06-17 N/A 8.8 HIGH
An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34483. This vulnerability affects Firefox < 102.
CVE-2022-34154 1 Ideastocode 1 Enable Svg\, Webp \& Ico Upload 2026-06-17 N/A 7.2 HIGH
Authenticated (author or higher user role) Arbitrary File Upload vulnerability in ideasToCode Enable SVG, WebP & ICO Upload plugin <= 1.0.1 at WordPress.
CVE-2022-34128 1 Glpi-project 1 Positions 2026-06-17 N/A 9.8 CRITICAL
The Cartography (aka positions) plugin before 6.0.1 for GLPI allows remote code execution via PHP code in the POST data to front/upload.php.
CVE-2022-34120 1 Barangay Management System Project 1 Barangay Management System 2026-06-17 N/A 7.2 HIGH
Barangay Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the module editing function at /pages/activity/activity.php.
CVE-2022-34115 1 Dataease 1 Dataease 2026-06-17 N/A 9.8 CRITICAL
DataEase v1.11.1 was discovered to contain a arbitrary file write vulnerability via the parameter dataSourceId.
CVE-2022-34024 1 Barangay Management System Project 1 Barangay Management System 2026-06-17 N/A 7.2 HIGH
Barangay Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the resident module editing function at /bmis/pages/resident/resident.php.