Vulnerabilities (CVE)

Filtered by CWE-434
Total 4128 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-25411 1 Max-3000 1 Maxsite Cms 2026-06-17 7.5 HIGH 9.8 CRITICAL
A Remote Code Execution (RCE) vulnerability at /admin/options in Maxsite CMS v180 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-25360 1 Watchguard 1 Fireware 2026-06-17 6.5 MEDIUM 8.8 HIGH
WatchGuard Firebox and XTM appliances allow an authenticated remote attacker with unprivileged credentials to upload files to arbitrary locations. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2.
CVE-2022-25277 1 Drupal 1 Drupal 2026-06-17 N/A 7.2 HIGH
Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.
CVE-2022-25115 1 Home Owners Collection Management System Project 1 Home Owners Collection Management System 2026-06-17 6.8 MEDIUM 7.8 HIGH
A remote code execution (RCE) vulnerability in the Avatar parameter under /admin/?page=user/manage_user of Home Owners Collection Management System v1.0 allows attackers to execute arbitrary code via a crafted PNG file.
CVE-2022-25016 1 Home Owners Collection Management System Project 1 Home Owners Collection Management System 2026-06-17 7.5 HIGH 9.8 CRITICAL
Home Owners Collection Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /student_attendance/index.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-24984 1 Jqueryform 1 Jqueryform 2026-06-17 6.8 MEDIUM 9.8 CRITICAL
Forms generated by JQueryForm.com before 2022-02-05 (if file-upload capability is enabled) allow remote unauthenticated attackers to upload executable files and achieve remote code execution. This occurs because file-extension checks occur on the client side, and because not all executable content (e.g., .phtml or .php.bak) is blocked.
CVE-2022-24837 1 Hedgedoc 1 Hedgedoc 2026-06-17 5.0 MEDIUM 5.3 MEDIUM
HedgeDoc is an open-source, web-based, self-hosted, collaborative markdown editor. Images uploaded with HedgeDoc version 1.9.1 and later have an enumerable filename after the upload, resulting in potential information leakage of uploaded documents. This is especially relevant for private notes and affects all upload backends, except Lutim and imgur. This issue is patched in version 1.9.3 by replacing the filename generation with UUIDv4. If you cannot upgrade to HedgeDoc 1.9.3, it is possible to block POST requests to `/uploadimage`, which will disable future uploads.
CVE-2022-24688 1 Dsk 1 Dsknet 2026-06-17 N/A 8.8 HIGH
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The Touch settings allow unrestricted file upload (and consequently Remote Code Execution) via PDF upload with PHP content and a .php extension. The attacker must hijack or obtain privileged user access to the Parameters page in order to exploit this issue. (That can be easily achieved by exploiting the Broken Access Control with further Brute-force attack or SQL Injection.) The uploaded file is stored within the database and copied to the sync web folder if the attacker visits a certain .php?action= page.
CVE-2022-24676 1 Hyphp 1 Hybbs2 2026-06-17 6.5 MEDIUM 8.8 HIGH
update_code in Admin.php in HYBBS2 through 2.3.2 allows arbitrary file upload via a crafted ZIP archive.
CVE-2022-24652 1 Sentcms 1 Sentcms 2026-06-17 7.5 HIGH 9.8 CRITICAL
sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in php code execution in /admin/upload/upload.
CVE-2022-24651 1 Sentcms 1 Sentcms 2026-06-17 7.5 HIGH 9.8 CRITICAL
sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in PHP code execution through /user/upload/upload.
CVE-2022-24553 1 Zfaka Project 1 Zfaka 2026-06-17 7.5 HIGH 9.8 CRITICAL
An issue was found in Zfaka <= 1.4.5. The verification of the background file upload function check is not strict, resulting in remote command execution.
CVE-2022-24387 1 Smartertools 1 Smartertrack 2026-06-17 6.5 MEDIUM 9.1 CRITICAL
With administrator or admin privileges the application can be tricked into overwriting files in app_data/Config folder, e.g. the systemsettings.xml file. THis is possible in SmarterTrack v100.0.8019.14010
CVE-2022-24262 1 Voipmonitor 1 Voipmonitor 2026-06-17 6.5 MEDIUM 8.8 HIGH
The config restore function of Voipmonitor GUI before v24.96 does not properly check files sent as restore archives, allowing remote attackers to execute arbitrary commands via a crafted file in the web root.
CVE-2022-24136 1 Hospital Management System Project 1 Hospital Management System 2026-06-17 7.5 HIGH 9.8 CRITICAL
Hospital Management System v1.0 is affected by an unrestricted upload of dangerous file type vulerability in treatmentrecord.php. To exploit, an attacker can upload any PHP file, and then execute it.
CVE-2022-23906 1 Cmsmadesimple 1 Cms Made Simple 2026-06-17 6.5 MEDIUM 7.2 HIGH
CMS Made Simple v2.2.15 was discovered to contain a Remote Command Execution (RCE) vulnerability via the upload avatar function. This vulnerability is exploited via a crafted image file.
CVE-2022-23880 1 Taogogo 1 Taocms 2026-06-17 7.5 HIGH 9.8 CRITICAL
An arbitrary file upload vulnerability in the File Management function module of taoCMS v3.0.2 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-23390 1 Diyhi 1 Bbs Forum 2026-06-17 7.5 HIGH 9.8 CRITICAL
An issue in the getType function of BBS Forum v5.3 and below allows attackers to upload arbitrary files.
CVE-2022-23375 1 Wikidocs 1 Wikidocs 2026-06-17 6.5 MEDIUM 8.8 HIGH
WikiDocs version 0.1.18 has an authenticated remote code execution vulnerability. An attacker can upload a malicious file using the image upload form through index.php.
CVE-2022-23329 1 Ujcms 1 Jspxcms 2026-06-17 7.5 HIGH 9.8 CRITICAL
A vulnerability in ${"freemarker.template.utility.Execute"?new() of UJCMS Jspxcms v10.2.0 allows attackers to execute arbitrary commands via uploading malicious files.