Total
4082 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-53260 | | | 2026-06-17 | N/A | 9.1 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in getredhawkstudio File Manager Plugin For Wordpress file-manager-plugin-for-wordpress allows Upload a Web Shell to a Web Server. This issue affects File Manager Plugin For Wordpress: from n/a through <= 7.5. | |||||
| CVE-2025-53251 | | | 2026-06-17 | N/A | 9.9 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in An-Themes Pin WP pin-wp allows Upload a Web Shell to a Web Server. This issue affects Pin WP: from n/a through < 7.2. | |||||
| CVE-2025-53213 | | | 2026-06-17 | N/A | 9.9 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ReachShip WooCommerce Multi-Carrier & Conditional Shipping elex-reachship-multi-carrier-conditional-shipping allows Using Malicious Files. This issue affects ReachShip WooCommerce Multi-Carrier & Conditional Shipping: from n/a through <= 4.3.1. | |||||
| CVE-2025-53119 | | | 2026-06-17 | N/A | 7.5 HIGH |
| An unauthenticated unrestricted file upload vulnerability allows an attacker to upload malicious binaries and scripts to the server. | |||||
| CVE-2025-52758 | | | 2026-06-17 | N/A | 9.1 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy zippy allows Using Malicious Files. This issue affects Zippy: from n/a through <= 1.7.0. | |||||
| CVE-2025-52691 | 1 Smartertools | 1 Smartermail | 2026-06-17 | N/A | 10.0 CRITICAL |
| Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. | |||||
| CVE-2025-52546 | 1 Copeland | 8 E3 Supervisory Controller Firmware, Site Supervisor Bx 860-1240, Site Supervisor Bxe 860-1245 and 5 more | 2026-06-17 | N/A | 6.1 MEDIUM |
| E3 Site Supervisor Control (firmware version < 2.31F01) has a floor plan feature that allows for an unauthenticated attacker to upload floor plan files. By uploading a specially crafted floor plan file, an attacker can inject a stored XSS to the floorplan web page. | |||||
| CVE-2025-52449 | 3 Linux, Microsoft, Tableau | 3 Linux Kernel, Windows, Tableau Server | 2026-06-17 | N/A | 8.5 HIGH |
| Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (Extensible Protocol Service modules) allows Alternative Execution Due to Deceptive Filenames (RCE). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | |||||
| CVE-2025-52353 | 1 Uatech | 1 Badaso | 2026-06-17 | N/A | 9.8 CRITICAL |
| An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload, enabling an attacker to run arbitrary system commands and achieve full compromise of the underlying host. This has been demonstrated by embedding a backdoor within a PDF and renaming it with a .php extension. | |||||
| CVE-2025-52239 | 1 Zkea | 1 Zkeacms | 2026-06-17 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in ZKEACMS v4.1 allows attackers to execute arbitrary code via a crafted file. | |||||
| CVE-2025-52078 | | | 2026-06-17 | N/A | 6.5 MEDIUM |
| File upload vulnerability in Writebot AI Content Generator SaaS React Template thru 4.0.0, allowing remote attackers to gain escalated privileges via a crafted POST request to the /file-upload endpoint. | |||||
| CVE-2025-51736 | 1 Hcltech | 1 Unica | 2026-06-17 | N/A | 6.3 MEDIUM |
| File upload vulnerability in HCL Technologies Ltd. Unica 12.0.0. | |||||
| CVE-2025-51511 | 1 Cadmium-cms | 1 Cadmium Cms | 2026-06-17 | N/A | 9.8 CRITICAL |
| Cadmium CMS v.0.4.9 has a background arbitrary file upload vulnerability in /admin/content/filemanager/uploads. | |||||
| CVE-2025-51489 | 1 Moonshine | 1 Moonshine | 2026-06-17 | N/A | 5.4 MEDIUM |
| A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version < 3.12.5, allowing remote attackers to upload a malicious SVG file when creating/updating an Article and correctly execute arbitrary JavaScript when the file link is opened. | |||||
| CVE-2025-51056 | 1 Vedo Suite Project | 1 Vedo Suite | 2026-06-17 | N/A | 8.2 HIGH |
| An unrestricted file upload vulnerability in Vedo Suite version 2024.17 allows remote authenticated attackers to write to arbitrary filesystem paths by exploiting the insecure 'uploadPreviews()' custom function in '/api_vedo/colorways_preview', ultimately resulting in remote code execution (RCE). | |||||
| CVE-2025-50897 | 1 Boom-core | 1 Boomv | 2026-06-17 | N/A | 4.3 MEDIUM |
| A vulnerability exists in riscv-boom SonicBOOM 1.2 (BOOMv1.2) processor implementation, where valid virtual-to-physical address translations configured with write permissions (PTE_W) in SV39 mode may incorrectly trigger a Store/AMO access fault during store instructions (sd). This occurs despite the presence of proper page table entries and valid memory access modes. The fault is reproducible when transitioning into virtual memory and attempting store operations in mapped kernel memory, indicating a potential flaw in the MMU, PMP, or memory access enforcement logic. This may cause unexpected kernel panics or denial of service in systems using BOOMv1.2. | |||||
| CVE-2025-50286 | 1 Getgrav | 1 Grav | 2026-06-17 | N/A | 8.1 HIGH |
| A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access. | |||||
| CVE-2025-50002 | | | 2026-06-17 | N/A | 10.0 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia energia allows Upload a Web Shell to a Web Server. This issue affects Energia: from n/a through <= 1.1.2. | |||||
| CVE-2025-4954 | 1 Axlethemes | 1 Axle Demo Importer | 2026-06-17 | N/A | 8.8 HIGH |
| The Axle Demo Importer WordPress plugin through 1.0.3 does not validate files to be uploaded, which could allow authenticated users (author and above) to upload arbitrary files such as PHP on the server. | |||||
| CVE-2025-4926 | 1 Phpgurukul | 1 Car Rental Portal | 2026-06-17 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in PHPGurukul Car Rental Project 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/post-avehical.php. The manipulation of the argument img1/img2/img3/img4/img5 leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
