Total
3849 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-10371 | 2026-01-09 | 7.5 HIGH | 7.3 HIGH | ||
| A security flaw has been discovered in eCharge Hardy Barth Salia PLCC up to 2.3.81. This issue affects some unknown processing of the file /api.php. The manipulation of the argument setrfidlist results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-67288 | 1 Umbraco | 1 Umbraco Cms | 2026-01-08 | N/A | 10.0 CRITICAL |
| An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself, a related issue to CVE-2023-49279. | |||||
| CVE-2023-50897 | 2026-01-08 | N/A | 9.1 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7. | |||||
| CVE-2025-30996 | 2026-01-08 | N/A | 9.9 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Sidepane WordPress Theme, Themify Themify Newsy, Themify Themify Folo, Themify Themify Edmin, Themify Bloggie, Themify Photobox, Themify Wigi, Themify Rezo, Themify Slide allows Upload a Web Shell to a Web Server.This issue affects Themify Sidepane WordPress Theme: from n/a through 1.9.8; Themify Newsy: from n/a through 1.9.9; Themify Folo: from n/a through 1.9.6; Themify Edmin: from n/a through 2.0.0; Bloggie: from n/a through 2.0.8; Photobox: from n/a through 2.0.1; Wigi: from n/a through 2.0.1; Rezo: from n/a through 1.9.7; Slide: from n/a through 1.7.5. | |||||
| CVE-2025-14842 | 2026-01-08 | N/A | 6.1 MEDIUM | ||
| The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers to upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the server is configured to execute .phar files as PHP. The upload of .svg files allows for Stored Cross-Site Scripting under certain circumstances. | |||||
| CVE-2025-15158 | 2026-01-08 | N/A | 8.8 HIGH | ||
| The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2019-25296 | 2026-01-08 | N/A | 9.8 CRITICAL | ||
| The WP Cost Estimation plugin for WordPress is vulnerable to arbitrary file uploads and deletion due to missing file type validation in the lfb_upload_form and lfb_removeFile AJAX actions in versions up to, and including, 9.642. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. Additionally, the attacker can also delete files on the server such as database configuration files, subsequently uploading their own database files. | |||||
| CVE-2025-0928 | 1 Canonical | 1 Juju | 2026-01-08 | N/A | 8.8 HIGH |
| In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution. | |||||
| CVE-2025-15423 | 1 Phome | 1 Empirecms | 2026-01-07 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in EmpireSoft EmpireCMS up to 8.0. Impacted is the function CheckSaveTranFiletype of the file e/class/connect.php. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15197 | 2 Anirbandutta, Code-projects | 2 News-buzz, Content Management System | 2026-01-07 | 5.8 MEDIUM | 4.7 MEDIUM |
| A security flaw has been discovered in code-projects/anirbandutta9 Content Management System and News-Buzz 1.0. This vulnerability affects unknown code of the file /admin/editposts.php. Performing manipulation of the argument image results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-66449 | 1 C4illin | 1 Convertx | 2026-01-07 | N/A | 8.8 HIGH |
| ConvertXis a self-hosted online file converter. In versions prior to 0.16.0, the endpoint `/upload` allows an authenticated user to write arbitrary files on the system, overwriting binaries and allowing code execution. The upload function takes `file.name` directly from user supplied data without doing any sanitization on the name thus allowing for arbitrary file write. This can be used to overwrite system binaries with ones provided from an attacker allowing full code execution. Version 0.16.0 contains a patch for the issue. | |||||
| CVE-2025-15404 | 1 Campcodes | 1 School File Management System | 2026-01-06 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security vulnerability has been detected in campcodes School File Management System 1.0. The affected element is an unknown function of the file /save_file.php. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2025-51511 | 1 Cadmium-cms | 1 Cadmium Cms | 2026-01-06 | N/A | 9.8 CRITICAL |
| Cadmium CMS v.0.4.9 has a background arbitrary file upload vulnerability in /admin/content/filemanager/uploads. | |||||
| CVE-2025-15199 | 1 Code-projects | 1 College Notes Uploading System | 2026-01-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security vulnerability has been detected in code-projects College Notes Uploading System 1.0. Impacted is an unknown function of the file /dashboard/userprofile.php. The manipulation of the argument image leads to unrestricted upload. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2024-27480 | 1 Vvveb | 1 Vvvebjs | 2026-01-02 | N/A | 9.8 CRITICAL |
| givanz VvvebJs 1.7.2 is vulnerable to Insecure File Upload. | |||||
| CVE-2024-25182 | 1 Vvveb | 1 Vvvebjs | 2026-01-02 | N/A | 9.8 CRITICAL |
| givanz VvvebJs 1.7.2 suffers from a File Upload vulnerability via save.php. | |||||
| CVE-2025-35032 | 1 Mieweb | 1 Enterprise Health | 2026-01-02 | N/A | 3.4 LOW |
| Medical Informatics Engineering Enterprise Health allows authenticated users to upload arbitrary files. The impact of this behavior depends on how files are accessed. This issue is fixed as of 2025-04-08. | |||||
| CVE-2024-24551 | 1 Bludit | 1 Bludit | 2026-01-02 | N/A | 8.8 HIGH |
| A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files. | |||||
| CVE-2024-24550 | 1 Bludit | 1 Bludit | 2026-01-02 | N/A | 8.1 HIGH |
| A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files. | |||||
| CVE-2025-66908 | 1 Turms-im | 1 Turms | 2026-01-02 | N/A | 5.3 MEDIUM |
| Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an improper file type validation vulnerability in the OCR image upload functionality. The OcrController in turms-ai-serving/src/main/java/im/turms/ai/domain/ocr/controller/OcrController.java uses the @FormData(contentType = MediaTypeConst.IMAGE) annotation to restrict uploads to image files, but this constraint is not properly enforced. The system relies solely on client-provided Content-Type headers and file extensions without validating actual file content using magic bytes (file signatures). An attacker can upload arbitrary file types including executables, scripts, HTML, or web shells by setting the Content-Type header to "image/*" or using an image file extension. This bypass enables potential server-side code execution, stored XSS, or information disclosure depending on how uploaded files are processed and served. | |||||