Vulnerabilities (CVE)

Filtered by CWE-434
Total 4108 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-29281 1 Gfi 1 Archiver 2026-06-17 7.5 HIGH 9.8 CRITICAL
File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317.
CVE-2021-29092 1 Synology 1 Photo Station 2026-06-17 6.5 MEDIUM 8.8 HIGH
Unrestricted upload of file with dangerous type vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary code via unspecified vectors.
CVE-2021-29022 1 Invoiceplane 1 Invoiceplane 2026-06-17 5.0 MEDIUM 5.3 MEDIUM
In InvoicePlane 1.5.11, the upload feature discloses the full path of the file upload directory.
CVE-2021-28998 1 Cmsmadesimple 1 Cms Made Simple 2026-06-17 N/A 7.2 HIGH
File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file.
CVE-2021-28976 1 Get-simple 1 Getsimplecms 2026-06-17 6.5 MEDIUM 7.2 HIGH
Remote Code Execution vulnerability in GetSimpleCMS before 3.3.16 in admin/upload.php via phar filess.
CVE-2021-28931 1 Fork-cms 1 Fork Cms 2026-06-17 6.5 MEDIUM 8.8 HIGH
Arbitrary file upload vulnerability in Fork CMS 5.9.2 allows attackers to create or replace arbitrary files in the /themes directory via a crafted zip file uploaded to the Themes panel.
CVE-2021-28428 1 Horizontcms Project 1 Horizontcms 2026-06-17 7.5 HIGH 9.8 CRITICAL
File upload vulnerability in HorizontCMS before 1.0.0-beta.3 via uploading a .htaccess and *.hello files using the Media Files upload functionality. The original file upload vulnerability (CVE-2020-27387) was remediated by restricting the PHP extensions; however, we confirmed that the filter was bypassed via uploading an arbitrary .htaccess and *.hello files in order to execute PHP code to gain RCE.
CVE-2021-28379 2 Myvestacp, Vestacp 2 Myvesta, Vesta Control Panel 2026-06-17 6.8 MEDIUM 8.8 HIGH
web/upload/UploadHandler.php in Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39 allows uploads from a different origin.
CVE-2021-28294 1 Online Ordering System Project 1 Online Ordering System 2026-06-17 7.5 HIGH 9.8 CRITICAL
Online Ordering System 1.0 is vulnerable to arbitrary file upload through /onlineordering/GPST/store/initiateorder.php, which may lead to remote code execution (RCE).
CVE-2021-28173 1 Deltaflow Project 1 Deltaflow 2026-06-17 7.5 HIGH 9.8 CRITICAL
The file upload function of Vangene deltaFlow E-platform does not perform access controlled properly. Remote attackers can upload and execute arbitrary files without login.
CVE-2021-28023 1 Servicetonic 1 Servicetonic 2026-06-17 7.5 HIGH 9.8 CRITICAL
Arbitrary file upload in Service import feature in ServiceTonic Helpdesk software version < 9.0.35937 allows a malicious user to execute JSP code by uploading a zip that extracts files in relative paths.
CVE-2021-27984 1 Pluck-cms 1 Pluck 2026-06-17 7.5 HIGH 8.1 HIGH
In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files.
CVE-2021-27964 1 Sfcyazilim 1 Sonlogger 2026-06-17 7.5 HIGH 9.8 CRITICAL
SonLogger before 6.4.1 is affected by Unauthenticated Arbitrary File Upload. An attacker can send a POST request to /Config/SaveUploadedHotspotLogoFile without any authentication or session header. There is no check for the file extension or content of the uploaded file.
CVE-2021-27860 1 Fatpipeinc 6 Ipvpn, Ipvpn Firmware, Mpvpn and 3 more 2026-06-17 9.3 HIGH 9.8 CRITICAL
A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 allows a remote, unauthenticated attacker to upload a file to any location on the filesystem. The FatPipe advisory identifier for this vulnerability is FPSA006.
CVE-2021-27817 1 Shopxo 1 Shopxo 2026-06-17 7.5 HIGH 9.8 CRITICAL
A remote command execution vulnerability in shopxo 1.9.3 allows an attacker to upload malicious code generated by phar where the suffix is JPG, which is uploaded after modifying the phar suffix.
CVE-2021-27771 1 Hcltech 1 Sametime 2026-06-17 6.5 MEDIUM 8.2 HIGH
User SID can be modified resulting in an Arbitrary File Upload or deletion of directories causing a Denial of Service. When interacting in a normal matter with the Sametime chat application, users hold a cookie containing their session ID (SID). This value is also used when sending chat messages, receiving notifications and/or transferring files.
CVE-2021-27618 1 Sap 1 Netweaver Process Integration 2026-06-17 4.0 MEDIUM 4.9 MEDIUM
The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not check the file type extension of the file uploaded from local source. An attacker could craft a malicious file and upload it to the application, which could lead to denial of service and impact the availability of the application.
CVE-2021-27513 1 Eyesofnetwork 1 Eyesofnetwork 2026-06-17 6.5 MEDIUM 8.8 HIGH
The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authenticated users to upload arbitrary .xml.php files because it relies on "le filtre userside."
CVE-2021-27489 1 Zoll 1 Defibrillator Dashboard 2026-06-17 6.5 MEDIUM 8.8 HIGH
ZOLL Defibrillator Dashboard, v prior to 2.2, The web application allows a non-administrative user to upload a malicious file. This file could allow an attacker to remotely execute arbitrary commands.
CVE-2021-27459 1 Emerson 8 X-stream Enhanced Xefd, X-stream Enhanced Xefd Firmware, X-stream Enhanced Xegk and 5 more 2026-06-17 7.5 HIGH 9.8 CRITICAL
A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The webserver of the affected products allows unvalidated files to be uploaded, which an attacker could utilize to execute arbitrary code.