Total
3268 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-1093 | 2025-04-21 | N/A | 9.8 CRITICAL | ||
| The AIHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the generate_image function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-3807 | 2025-04-21 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability, which was classified as critical, was found in zhenfeng13 My-BBS 1.0. This affects the function Upload of the file src/main/java/com/my/bbs/controller/common/UploadController.java of the component Endpoint. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2016-0354 | 1 Ibm | 1 Sametime | 2025-04-20 | 6.0 MEDIUM | 5.5 MEDIUM |
| IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user to upload a malicious file to a Sametime meeting room, that could be downloaded by unsuspecting users which could be executed with user privileges. IBM X-Force ID: 111893. | |||||
| CVE-2017-7357 | 1 Atlassian | 1 Hipchat Server | 2025-04-20 | 6.5 MEDIUM | 9.1 CRITICAL |
| Hipchat Server before 2.2.3 allows remote authenticated users with Server Administrator level privileges to execute arbitrary code by importing a file. | |||||
| CVE-2017-11154 | 1 Synology | 1 Photo Station | 2025-04-20 | 6.5 MEDIUM | 7.2 HIGH |
| Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type parameter. | |||||
| CVE-2017-14841 | 1 Dasinfomedia | 1 Annual Maintenance Contract Management System | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Mojoomla Annual Maintenance Contract (AMC) Management System allows Arbitrary File Upload in profilesetting image handling. | |||||
| CVE-2017-1002000 | 1 Mobile-friendly-app-builder-by-easytouch Project | 1 Mobile-friendly-app-builder-by-easytouch | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Vulnerability in wordpress plugin mobile-friendly-app-builder-by-easytouch v3.0, The code in file ./mobile-friendly-app-builder-by-easytouch/server/images.php doesn't require authentication or check that the user is allowed to upload content. | |||||
| CVE-2014-9312 | 1 10web | 1 Photo Gallery | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| Unrestricted File Upload vulnerability in Photo Gallery 1.2.5. | |||||
| CVE-2017-14346 | 1 Blog Project | 1 Blog | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| upload.php in tianchoy/blog through 2017-09-12 allows unrestricted file upload and PHP code execution by using the image/jpeg, image/pjpeg, image/png, or image/gif content type for a .php file. | |||||
| CVE-2014-2664 | 1 X2engine | 1 X2crm | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. | |||||
| CVE-2017-6041 | 1 Marel | 44 A320, A320 Firmware, A325 and 41 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| An Unrestricted Upload issue was discovered in Marel Food Processing Systems M3000 terminal associated with the following systems: A320, A325, A371, A520 Master, A520 Slave, A530, A542, A571, Check Bin Grader, FlowlineQC T376, IPM3 Dual Cam v132, IPM3 Dual Cam v139, IPM3 Single Cam v132, P520, P574, SensorX13 QC flow line, SensorX23 QC Master, SensorX23 QC Slave, Speed Batcher, T374, T377, V36, V36B, and V36C; M3210 terminal associated with the same systems as the M3000 terminal identified above; M3000 desktop software associated with the same systems as the M3000 terminal identified above; MAC4 controller associated with the same systems as the M3000 terminal identified above; SensorX23 X-ray machine; SensorX25 X-ray machine; and MWS2 weighing system. This vulnerability allows an attacker to modify the operation and upload firmware changes without detection. | |||||
| CVE-2017-1000081 | 1 Onosproject | 1 Onos | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Linux foundation ONOS 1.9.0 is vulnerable to unauthenticated upload of applications (.oar) resulting in remote code execution. | |||||
| CVE-2017-9080 | 1 Playsms | 1 Playsms | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a combination of Unrestricted File Upload and Code Injection. | |||||
| CVE-2015-2780 | 1 Berta | 1 Berta Cms | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Unrestricted file upload vulnerability in Berta CMS allows remote attackers to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. | |||||
| CVE-2017-17593 | 1 Simple Chatting System Project | 1 Simple Chatting System | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Simple Chatting System 1.0 allows Arbitrary File Upload via view/my_profile.php, which places files under uploads/. | |||||
| CVE-2017-12617 | 6 Apache, Canonical, Debian and 3 more | 58 Tomcat, Ubuntu Linux, Debian Linux and 55 more | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
| When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. | |||||
| CVE-2017-1002008 | 1 Membership Simplified Project | 1 Membership Simplified | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Vulnerability in wordpress plugin membership-simplified-for-oap-members-only v1.58, The file download code located membership-simplified-for-oap-members-only/download.php does not check whether a user is logged in and has download privileges. | |||||
| CVE-2017-14839 | 1 Teamworktec | 1 Photo Fusion | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| TeamWork Photo Fusion allows Arbitrary File Upload in changeAvatar and changeCover. | |||||
| CVE-2014-9619 | 1 Netsweeper | 1 Netsweeper | 2025-04-20 | 6.5 MEDIUM | 7.2 HIGH |
| Unrestricted file upload vulnerability in webadmin/ajaxfilemanager/ajaxfilemanager.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote authenticated users with admin privileges on the Cloud Manager web console to execute arbitrary PHP code by uploading a file with a double extension, then accessing it via a direct request to the file in webadmin/deny/images/, as demonstrated by secuid0.php.gif. | |||||
| CVE-2017-14399 | 1 Blackcat-cms | 1 Blackcat Cms | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| In BlackCat CMS 1.2.2, unrestricted file upload is possible in backend\media\ajax_rename.php via the extension parameter, as demonstrated by changing the extension from .jpg to .php. | |||||