Vulnerabilities (CVE)

Filtered by CWE-434
Total 4115 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-46386 1 Mingsoft 1 Mcms 2026-06-17 7.5 HIGH 9.8 CRITICAL
File upload vulnerability in mingSoft MCMS through 5.2.5, allows remote attackers to execute arbitrary code via a crafted jspx webshell to net.mingsoft.basic.action.web.FileAction#upload.
CVE-2021-46367 1 Ritecms 1 Ritecms 2026-06-17 9.0 HIGH 7.2 HIGH
RiteCMS version 3.1.0 and below suffers from a remote code execution vulnerability in the admin panel. An authenticated attacker can upload a PHP file and bypass the .htacess configuration to deny execution of .php files in media and files directory by default.
CVE-2021-46360 1 Ocproducts 1 Composr 2026-06-17 6.5 MEDIUM 8.8 HIGH
Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr.
CVE-2021-46113 1 Kea-hotel-erp Project 1 Kea-hotel-erp 2026-06-17 6.5 MEDIUM 8.8 HIGH
In MartDevelopers KEA-Hotel-ERP open source as of 12-31-2021, a remote code execution vulnerability can be exploited by uploading PHP files using the file upload vulnerability in this service.
CVE-2021-46097 1 Dolphinphp 1 Dolphinphp 2026-06-17 6.5 MEDIUM 8.8 HIGH
Dolphinphp v1.5.0 contains a remote code execution vulnerability in /application/common.php#action_log
CVE-2021-46079 1 Vehicle Service Management System Project 1 Vehicle Service Management System 2026-06-17 6.5 MEDIUM 7.2 HIGH
An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to Html Injection.
CVE-2021-46078 1 Vehicle Service Management System Project 1 Vehicle Service Management System 2026-06-17 3.5 LOW 4.8 MEDIUM
An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to a Stored Cross-Site Scripting vulnerability.
CVE-2021-46076 1 Vehicle Service Management System Project 1 Vehicle Service Management System 2026-06-17 6.5 MEDIUM 8.8 HIGH
Sourcecodester Vehicle Service Management System 1.0 is vulnerable to File upload. An attacker can upload a malicious php file in multiple endpoints it leading to Code Execution.
CVE-2021-46036 1 Mingsoft 1 Mcms 2026-06-17 7.5 HIGH 9.8 CRITICAL
An arbitrary file upload vulnerability in the component /ms/file/uploadTemplate.do of MCMS v5.2.4 allows attackers to execute arbitrary code.
CVE-2021-46033 1 Forestblog Project 1 Forestblog 2026-06-17 7.5 HIGH 9.8 CRITICAL
In ForestBlog, as of 2021-12-28, File upload can bypass verification.
CVE-2021-46013 1 Free School Management Software Project 1 Free School Management Software 2026-06-17 7.5 HIGH 9.8 CRITICAL
An unrestricted file upload vulnerability exists in Sourcecodester Free school management software 1.0. An attacker can leverage this vulnerability to enable remote code execution on the affected web server. Once a php webshell containing "<?php system($_GET["cmd"]); ?>" gets uploaded it is saved into /uploads/exam_question/ directory, and is accessible by all users.
CVE-2021-45982 1 Netscout 1 Ngeniusone 2026-06-17 6.5 MEDIUM 8.8 HIGH
NetScout nGeniusONE 6.3.2 allows Arbitrary File Upload by a privileged user.
CVE-2021-45865 1 Student Attendance Management System Project 1 Student Attendance Management System 2026-06-17 7.5 HIGH 9.8 CRITICAL
A File Upload vulnerability exists in Sourcecodester Student Attendance Manageent System 1.0 via the file upload functionality.
CVE-2021-45835 1 Online Admission System Project 1 Online Admissions System 2026-06-17 7.5 HIGH 9.8 CRITICAL
The Online Admission System 1.0 allows an unauthenticated attacker to upload or transfer files of dangerous types to the application through documents.php, which may be used to execute malicious code or lead to code execution.
CVE-2021-45790 1 Metersphere 1 Metersphere 2026-06-17 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability was found in Metersphere v1.15.4. Unauthenticated users can upload any file to arbitrary directory, where attackers can write a cron job to execute commands.
CVE-2021-45411 1 Printable Staff Id Card Creator System Project 1 Printable Staff Id Card Creator System 2026-06-17 7.5 HIGH 9.8 CRITICAL
In Sourcecodetester Printable Staff ID Card Creator System 1.0 after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution.
CVE-2021-45040 1 Spatie 1 Laravel Media Library 2026-06-17 10.0 HIGH 9.8 CRITICAL
The Spatie media-library-pro library through 1.17.10 and 2.x through 2.1.6 for Laravel allows remote attackers to upload executable files via the uploads route.
CVE-2021-44967 1 Limesurvey 1 Limesurvey 2026-06-17 9.0 HIGH 8.8 HIGH
A Remote Code Execution (RCE) vulnerabilty exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. NOTE: the Supplier's position is that plugins intentionally can contain arbitrary PHP code, and can only be installed by a superadmin, and therefore the security model is not violated by this finding.
CVE-2021-44673 1 Croogo 1 Croogo 2026-06-17 6.5 MEDIUM 8.8 HIGH
A Remote Code Execution (RCE) vulnerability exists in Croogo 3.0.2via admin/file-manager/attachments, which lets a malicoius user upload a web shell script.
CVE-2021-44664 1 Xerte 1 Xerte 2026-06-17 6.5 MEDIUM 8.8 HIGH
An Authenticated Remote Code Exection (RCE) vulnerability exists in Xerte through 3.9 in website_code/php/import/fileupload.php by uploading a maliciously crafted PHP file though the project interface disguised as a language file to bypasses the upload filters. Attackers can manipulate the files destination by abusing path traversal in the 'mediapath' variable.