Total
3719 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-20375 | 1 Cisco | 1 Unified Contact Center Express | 2025-11-17 | N/A | 6.5 MEDIUM |
| A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to upload and execute arbitrary files. This vulnerability is due to an insufficient input validation associated to specific UI features. An attacker could exploit this vulnerability by uploading a crafted file to the web UI. A successful exploit could allow the attacker to upload arbitrary files to a vulnerable system and execute them, gaining access to the underlying operating system. To exploit this vulnerability, the attacker must have valid administrative credentials. | |||||
| CVE-2025-20376 | 1 Cisco | 1 Unified Contact Center Express | 2025-11-17 | N/A | 6.5 MEDIUM |
| A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to upload and execute arbitrary files. This vulnerability is due to an insufficient input validation associated to file upload mechanisms. An attacker could exploit this vulnerability by uploading a malicious file to the web UI and executing it. A successful exploit could allow the attacker to execute arbitrary commands on the underlying system and elevate privileges to root. To exploit this vulnerability, the attacker must have valid administrative credentials. | |||||
| CVE-2025-10081 | 1 Mayurik | 1 Pet Grooming Management Software | 2025-11-17 | 5.8 MEDIUM | 4.7 MEDIUM |
| A flaw has been found in SourceCodester Pet Management System 1.0. This impacts an unknown function of the file /admin/profile.php. This manipulation of the argument website_image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used. | |||||
| CVE-2025-10085 | 1 Mayurik | 1 Pet Grooming Management Software | 2025-11-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code of the file manage_website.php. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-10083 | 1 Mayurik | 1 Pet Grooming Management Software | 2025-11-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was determined in SourceCodester Pet Grooming Management Software 1.0. Affected by this issue is some unknown functionality of the file /admin/profile.php. Executing manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2025-1388 | 1 Learningdigital | 1 Orca Hcm | 2025-11-17 | N/A | 8.8 HIGH |
| Orca HCM from LEARNING DIGITAL has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and run web shells | |||||
| CVE-2025-60500 | 1 Qdocs | 1 Smart School | 2025-11-17 | N/A | 7.2 HIGH |
| QDocs Smart School Management System 7.1 allows authenticated users with roles such as "accountant" or "admin" to bypass file type restrictions in the media upload feature by abusing the alternate YouTube URL option. This logic flaw permits uploading of arbitrary PHP files, which are stored in a web-accessible directory. | |||||
| CVE-2025-13061 | 1 Angeljudesuarez | 1 Online Voting System | 2025-11-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in itsourcecode Online Voting System 1.0. This impacts an unknown function of the file /index.php?page=manage_voting. Performing manipulation results in unrestricted upload. The attack is possible to be carried out remotely. The exploit is now public and may be used. | |||||
| CVE-2025-9800 | 1 Sim | 1 Sim | 2025-11-14 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in SimStudioAI sim up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af. Affected by this issue is the function Import of the file apps/sim/app/api/files/upload/route.ts of the component HTML File Parser. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. This patch is called 45372aece5e05e04b417442417416a52e90ba174. A patch should be applied to remediate this issue. | |||||
| CVE-2025-12048 | 2025-11-14 | N/A | 7.5 HIGH | ||
| An arbitrary file upload vulnerability was reported in the Lenovo Scanner Pro client during an internal security assessment that could allow remote code execution or unauthorized control of the affected system. | |||||
| CVE-2025-7114 | 1 Sim | 1 Sim | 2025-11-14 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in SimStudioAI sim up to 37786d371e17d35e0764e1b5cd519d873d90d97b. It has been declared as critical. Affected by this vulnerability is the function POST of the file apps/sim/app/api/files/upload/route.ts of the component Session Handler. The manipulation of the argument Request leads to missing authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-6435 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-11-13 | N/A | 8.1 HIGH |
| If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability affects Firefox < 140 and Thunderbird < 140. | |||||
| CVE-2025-59118 | 1 Apache | 1 Ofbiz | 2025-11-13 | N/A | 7.3 HIGH |
| Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue. | |||||
| CVE-2024-45965 | 1 Contao | 1 Contao | 2025-11-13 | N/A | 6.4 MEDIUM |
| Contao before 5.5.6 allows XSS via an SVG document. This affects (in contao/core-bundle in Composer) 4.x before 4.13.54, 5.0.x through 5.3.x before 5.3.30, and 5.4.x and 5.5..x before 5.5.6. | |||||
| CVE-2025-27082 | 1 Arubanetworks | 1 Arubaos | 2025-11-12 | N/A | 7.2 HIGH |
| Arbitrary File Write vulnerabilities exist in the web-based management interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an Authenticated attacker to upload arbitrary files and execute arbitrary commands on the underlying host operating system. | |||||
| CVE-2025-61417 | 1 Tastyigniter | 1 Tastyigniter | 2025-11-12 | N/A | 8.8 HIGH |
| Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicious SVG file containing JavaScript code. When an administrator previews the file, the code executes in their browser context, allowing the attacker to perform unauthorized actions such as modifying the admin account credentials. | |||||
| CVE-2025-12867 | 2025-11-12 | N/A | 7.2 HIGH | ||
| EIP Plus developed by Hundred Plus has an Arbitrary File Uplaod vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | |||||
| CVE-2025-11948 | 2025-11-12 | N/A | 9.8 CRITICAL | ||
| Document Management System developed by Excellent Infotek has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | |||||
| CVE-2025-37132 | 1 Arubanetworks | 1 Arubaos | 2025-11-12 | N/A | 7.2 HIGH |
| An arbitrary file write vulnerability exists in the web-based management interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files and execute arbitrary commands on the underlying operating system. | |||||
| CVE-2025-12352 | 2025-11-12 | N/A | 9.8 CRITICAL | ||
| The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the copy_post_image() function in all versions up to, and including, 2.9.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This only impacts sites that have allow_url_fopen set to `On`, the post creation form enabled along with a file upload field for the post | |||||