Total: 4077 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-62016 | N/A | N/A | 2026-06-17 | N/A | 9.9 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in hogash KALLYAS kallyas. This issue affects KALLYAS: from n/a through <= 4.22.0. |
| CVE-2025-61808 | 1 Adobe | 1 Coldfusion | 2026-06-17 | N/A | 9.1 CRITICAL | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could lead to arbitrary code execution by a high privileged attacker. Exploitation of this issue does not require user interaction and scope is changed. |
| CVE-2025-61768 | N/A | N/A | 2026-06-17 | N/A | N/A | KUNO CMS is a fully deployable full-stack blog application. In versions prior to 1.3.15, an SSRF (Server-Side Request Forgery) vulnerability exists in the Media module of the Kuno CMS administrative panel. A logged-in administrator can upload a specially crafted SVG file containing an external image reference, causing the server to initiate an outgoing connection to an arbitrary external URL. This can lead to information disclosure or internal network probing. Version 1.3.15 contains a fix for the issue. |
| CVE-2025-61687 | 1 Flowiseai | 1 Flowise | 2026-06-17 | N/A | 8.3 HIGH | Flowise is a drag & drop user interface to build a customized large language model flow. A file upload vulnerability in version 3.0.7 of FlowiseAI allows authenticated users to upload arbitrary files without proper validation. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). The system fails to validate file extensions, MIME types, or file content during uploads. As a result, malicious scripts such as Node.js-based web shells can be uploaded and stored persistently on the server. These shells expose HTTP endpoints capable of executing arbitrary commands if triggered. The uploaded shell does not automatically execute, but its presence allows future exploitation via administrator error or chained vulnerabilities. This presents a high-severity threat to system integrity and confidentiality. As of time of publication, no known patched versions are available. |
| CVE-2025-61681 | N/A | N/A | 2026-06-17 | N/A | 5.4 MEDIUM | KUNO CMS is a fully deployable full-stack blog application. Versions 1.3.13 and below contain validation flaws in its file upload functionality that can be exploited for stored XSS. The upload endpoint only validates file types based on Content-Type headers and lacks file content analysis and extension whitelist restrictions, allowing attackers to upload SVG files containing malicious scripts (disguised as images). When users access the uploaded resource pages, arbitrary JavaScript executes in their browsers. This issue is fixed in version 1.3.14. |
| CVE-2025-61678 | N/A | N/A | 2026-06-17 | N/A | N/A | FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains an authenticated arbitrary file upload vulnerability affecting the fwbrand parameter. The fwbrand parameter allows an attacker to change the file path. Combined, these issues can result in a webshell being uploaded. Authentication with a known username is required to exploit this vulnerability. Successful exploitation allows authenticated users to upload arbitrary files to attacker-controlled paths on the server, potentially leading to remote code execution. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17. |
| CVE-2025-61506 | 1 Mediacrush | 1 Mediacrush | 2026-06-17 | N/A | 9.8 CRITICAL | An issue was discovered in MediaCrush through 1.0.1 allowing remote unauthenticated attackers to upload arbitrary files of any size to the /upload endpoint. |
| CVE-2025-61417 | 1 Tastyigniter | 1 Tastyigniter | 2026-06-17 | N/A | 8.8 HIGH | A Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicious SVG file containing JavaScript code. When an administrator previews the file, the code executes in their browser context, allowing the attacker to perform unauthorized actions such as modifying the admin account credentials. |
| CVE-2025-61181 | 1 Daicuo | 1 Daicuo | 2026-06-17 | N/A | 6.5 MEDIUM | daicuocms V1.3.13 contains an arbitrary file upload vulnerability in the image upload feature. |
| CVE-2025-60947 | 1 Csprousers | 1 Csweb | 2026-06-17 | N/A | 8.8 HIGH | Census CSWeb 8.0.1 allows arbitrary file upload. A remote, authenticated attacker could upload a malicious file, possibly leading to remote code execution. Fixed in 8.1.0 alpha. |
| CVE-2025-60735 | 1 Perfree | 1 Perfreeblog | 2026-06-17 | N/A | 7.6 HIGH | PerfreeBlog v4.0.11 has a File Upload vulnerability in the installPlugin function. |
| CVE-2025-60731 | 1 Perfree | 1 Perfreeblog | 2026-06-17 | N/A | 7.6 HIGH | PerfreeBlog v4.0.11 has a File Upload vulnerability in the installTheme function. |
| CVE-2025-60500 | 1 Qdocs | 1 Smart School | 2026-06-17 | N/A | 7.2 HIGH | QDocs Smart School Management System 7.1 allows authenticated users with roles such as "accountant" or "admin" to bypass file type restrictions in the media upload feature by abusing the alternate YouTube URL option. This logic flaw permits uploading of arbitrary PHP files, which are stored in a web-accessible directory. |
| CVE-2025-60235 | N/A | N/A | 2026-06-17 | N/A | 10.0 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Plugify Support Ticket System for WooCommerce (Premium) support-ticket-system-for-woocommerce allows Using Malicious Files. This issue affects Support Ticket System for WooCommerce (Premium): from n/a through <= 2.0.7. |
| CVE-2025-60219 | N/A | N/A | 2026-06-17 | N/A | 10.0 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in HaruTheme WooCommerce Designer Pro wc-designer-pro allows Upload a Web Shell to a Web Server. This issue affects WooCommerce Designer Pro: from n/a through <= 1.9.24. |
| CVE-2025-60207 | N/A | N/A | 2026-06-17 | N/A | 10.0 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Addify Custom User Registration Fields for WooCommerce user-registration-plugin-for-woocommerce allows Upload a Web Shell to a Web Server. This issue affects Custom User Registration Fields for WooCommerce: from n/a through <= 2.1.2. |
| CVE-2025-60187 | N/A | N/A | 2026-06-17 | N/A | 4.8 MEDIUM | Unrestricted Upload of File with Dangerous Type vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Using Malicious Files. This issue affects Atarim: from n/a through <= 4.2.1. |
| CVE-2025-5961 | 1 Wpvivid | 1 Migration, Backup, Staging | 2026-06-17 | N/A | 7.2 HIGH | The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server, as the existing .htaccess within the target file upload folder prevents access on Apache servers. |
| CVE-2025-5873 | N/A | N/A | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was detected in eCharge Hardy Barth Salia PLCC up to 2.3.81. Affected by this issue is some unknown functionality of the file /firmware.php of the component Web UI. Performing a manipulation of the argument media results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-5840 | 1 Lerouxyxchire | 1 Client Database Management System | 2026-06-17 | 7.5 HIGH | 7.3 HIGH | A vulnerability, which was classified as critical, was found in SourceCodester Client Database Management System 1.0. This affects an unknown part of the file /user_update_customer_order.php. The manipulation of the argument uploaded_file leads to unrestricted upload. It is possible to initiate the attack remotely. |
