Total
4078 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-56263 | 1 By-night | 1 Sms | 2026-06-17 | N/A | 8.8 HIGH |
| by-night sms V1.0 has an Arbitrary File Upload vulnerability. The /api/sms/upload/headImg endpoint allows uploading arbitrary files. Users can upload files of any size and type. | |||||
| CVE-2025-56218 | 1 Ascertia | 1 Signinghub | 2026-06-17 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in SigningHub v8.6.8 allows attackers to execute arbitrary code via uploading a crafted PDF file. | |||||
| CVE-2025-55912 | 1 Oxygenz | 1 Clipbucket | 2026-06-17 | N/A | 7.3 HIGH |
| An issue in ClipBucket 5.5.0 and prior versions allows an unauthenticated attacker to exploit the plupload endpoint in photo_uploader.php to upload arbitrary files without any authentication, due to missing access controls in the upload handler. | |||||
| CVE-2025-55835 | 1 Sueamcms Project | 1 Sueamcms | 2026-06-17 | N/A | 9.8 CRITICAL |
| File Upload vulnerability in SueamCMS v.0.1.2 allows a remote attacker to execute arbitrary code via the lack of filtering. | |||||
| CVE-2025-55810 | 1 Alagaai | 2 S-cw2503c-h, S-cw2503c-h Firmware | 2026-06-17 | N/A | 6.8 MEDIUM |
| A vulnerability was found in Alaga Home Security WiFi Camera 3K (model S-CW2503C-H) with hardware version V03 and firmware version 1.4.2, which allows physical attackers to execute commands as root via a script file with a specific name on an SD card. | |||||
| CVE-2025-55746 | 1 Monospace | 1 Directus | 2026-06-17 | N/A | 9.3 CRITICAL |
| Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3. | |||||
| CVE-2025-55743 | 1 Webkul | 1 Unopim | 2026-06-17 | N/A | 8.8 HIGH |
| UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, the image upload in the user creation feature performs only client-side file type validation. A user can upload an image, capture the request through a proxy such as Burp Suite, and change the file extension and content. The vulnerability is fixed in 0.2.1. | |||||
| CVE-2025-55455 | 1 Dootask | 1 Dootask | 2026-06-17 | N/A | 3.5 LOW |
| DooTask v1.0.51 was discovered to contain an authenticated arbitrary download vulnerability via the component /msg/sendtext. | |||||
| CVE-2025-55454 | 1 Dootask | 1 Dootask | 2026-06-17 | N/A | 8.8 HIGH |
| An authenticated arbitrary file upload vulnerability in the component /msg/sendfiles of DooTask v1.0.51 allows attackers to execute arbitrary code via uploading a crafted file. | |||||
| CVE-2025-55383 | | | 2026-06-17 | N/A | 8.6 HIGH |
| Moss before v0.15 has a file upload vulnerability. The "upload" function configuration allows attackers to upload files of any extension to any location on the target server. | |||||
| CVE-2025-55267 | 1 Hcltech | 1 Aftermarket Cloud | 2026-06-17 | N/A | 5.7 MEDIUM |
| HCL Aftermarket DPC is affected by an Unrestricted File Upload vulnerability that allows an attacker to upload and execute malicious scripts, gaining full control over the server. | |||||
| CVE-2025-55251 | 1 Hcltech | 1 Aion | 2026-06-17 | N/A | 3.1 LOW |
| HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. | |||||
| CVE-2025-55135 | | | 2026-06-17 | N/A | 6.4 MEDIUM |
| In Agora Foundation Agora fall23-Alpha1 before 690ce56, there is XSS via a profile picture to server/controller/userController.js. Formats other than PNG, JPEG, and WEBP are permitted by server/routes/userRoutes.js; this includes SVG. | |||||
| CVE-2025-55061 | | | 2026-06-17 | N/A | 8.8 HIGH |
| CWE-434 Unrestricted Upload of File with Dangerous Type | |||||
| CVE-2025-54962 | | | 2026-06-17 | N/A | 6.4 MEDIUM |
| /edit-user in webserver in OpenPLC Runtime 3 through 9cd8f1b allows authenticated users to upload arbitrary files (such as .html or .svg), and these are then publicly accessible under the /static URI. | |||||
| CVE-2025-54944 | 1 Sun.net | 1 Ehrd Ctms | 2026-06-17 | N/A | 9.8 CRITICAL |
| An unrestricted upload of file with dangerous type vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to write malicious code in a specific file, which may lead to arbitrary code execution. | |||||
| CVE-2025-54769 | 1 Xorux | 1 Lpar2rrd | 2026-06-17 | N/A | 8.8 HIGH |
| An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This can be used to overwrite existing PERL modules within the application to achieve remote code execution (RCE) by an attacker. | |||||
| CVE-2025-54762 | | | 2026-06-17 | N/A | 9.8 CRITICAL |
| SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) allows a remote unauthenticated attacker to upload arbitrary files and execute OS commands with SYSTEM privileges. | |||||
| CVE-2025-54757 | 1 Alfasado | 1 Powercms | 2026-06-17 | N/A | 6.5 MEDIUM |
| Multiple versions of PowerCMS allow unrestricted upload of dangerous files. If a product administrator accesses a malicious file uploaded by a product user, an arbitrary script may be executed on the browser. | |||||
| CVE-2025-54693 | | | 2026-06-17 | N/A | 9.0 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in epiphyt Form Block form-block allows uploading a web shell to a web server. This issue affects Form Block: from n/a through <= 1.5.5. | |||||
