Total: 4083 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-46490 | | | 2026-06-17 | N/A | 9.9 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in wordwebsoftware Crossword Compiler Puzzles crossword-compiler-puzzles allows Upload a Web Shell to a Web Server. This issue affects Crossword Compiler Puzzles: from n/a through <= 5.2. | |||||
| CVE-2025-46384 | | | 2026-06-17 | N/A | 8.8 HIGH |
| CWE-434 Unrestricted Upload of File with Dangerous Type | |||||
| CVE-2025-46264 | | | 2026-06-17 | N/A | 9.9 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in blubrry PowerPress Podcasting powerpress allows Upload a Web Shell to a Web Server. This issue affects PowerPress Podcasting: from n/a through <= 11.12.5. | |||||
| CVE-2025-46193 | 1 Lerouxyxchire | 1 Client Database Management System | 2026-06-17 | N/A | 9.8 CRITICAL |
| SourceCodester Client Database Management System 1.0 is vulnerable to Remote code execution via Arbitrary file upload in user_proposal_update_order.php. | |||||
| CVE-2025-46157 | 1 Efrotech | 1 Timetrax | 2026-06-17 | N/A | 9.9 CRITICAL |
| An issue in EfroTech Time Trax v.1.0 allows a remote attacker to execute arbitrary code via the file attachment function in the leave request form | |||||
| CVE-2025-46099 | 1 Pluck-cms | 1 Pluck | 2026-06-17 | N/A | 7.2 HIGH |
| In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and access it via the module routing logic in albums.site.php, resulting in arbitrary command execution through a GET parameter. | |||||
| CVE-2025-46080 | 1 Huocms | 1 Huocms | 2026-06-17 | N/A | 5.3 MEDIUM |
| HuoCMS V3.5.1 has a File Upload Vulnerability. An attacker can exploit this flaw to bypass whitelist restrictions and craft malicious files with specific suffixes, thereby gaining control of the server. | |||||
| CVE-2025-46078 | 1 Huocms | 1 Huocms | 2026-06-17 | N/A | 5.3 MEDIUM |
| HuoCMS V3.5.1 and before is vulnerable to file upload, which allows attackers to take control of the target server | |||||
| CVE-2025-46068 | 1 Automai | 1 Director | 2026-06-17 | N/A | 8.8 HIGH |
| An issue in Automai Director v.25.2.0 allows a remote attacker to execute arbitrary code via the update mechanism | |||||
| CVE-2025-46001 | 1 Simogeo | 1 Filemanager | 2026-06-17 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the is_allowed_file_type() function of Filemanager v2.3.0 allows attackers to execute arbitrary code via uploading a crafted PHP file. | |||||
| CVE-2025-45997 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2026-06-17 | N/A | 8.6 HIGH |
| Sourcecodester Web-based Pharmacy Product Management System v.1.0 has a file upload vulnerability. An attacker can upload a PHP file disguised as an image by modifying the Content-Type header to image/jpg. | |||||
| CVE-2025-45855 | 1 Erupt | 1 Erupt | 2026-06-17 | N/A | 5.4 MEDIUM |
| An arbitrary file upload vulnerability in the component /upload/GoodsCategory/image of erupt v1.12.19 allows attackers to execute arbitrary code via uploading a crafted file. | |||||
| CVE-2025-45586 | 1 Audi | 2 Universal Traffic Recorder, Universal Traffic Recorder Firmware | 2026-06-17 | N/A | 7.5 HIGH |
| An issue in Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to arbitrarily overwrite files via supplying a crafted PUT request. | |||||
| CVE-2025-44658 | 1 Netgear | 2 Rax30, Rax30 Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| In Netgear RAX30 V1.0.10.94, a PHP-FPM misconfiguration vulnerability is caused by not following the specification to only limit FPM to .php extensions. An attacker may exploit this by uploading malicious scripts disguised with alternate extensions and tricking the web server into executing them as PHP, bypassing security mechanisms based on file extension filtering. This may lead to remote code execution (RCE), information disclosure, or full system compromise. | |||||
| CVE-2025-44139 | 1 Emlog | 1 Emlog | 2026-06-17 | N/A | 7.2 HIGH |
| Emlog Pro V2.5.7 is vulnerable to Unrestricted Upload of File with Dangerous Type via /emlog/admin/plugin.php?action=upload_zip | |||||
| CVE-2025-43946 | 1 Tcpwave | 1 Ddi | 2026-06-17 | N/A | 9.8 CRITICAL |
| TCPWave DDI 11.34P1C2 allows Remote Code Execution via Unrestricted File Upload (combined with Path Traversal). | |||||
| CVE-2025-43766 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-06-17 | N/A | 9.8 CRITICAL |
| The Liferay Portal 7.4.0 through 7.3.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows the upload of unrestricted files in the style books component that are processed within the environment enabling arbitrary code execution by attackers. | |||||
| CVE-2025-43750 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-06-17 | N/A | 6.5 MEDIUM |
| Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows remote unauthenticated users (guests) to upload files via the form attachment field without proper validation, enabling extension obfuscation and bypassing MIME type checks. | |||||
| CVE-2025-42910 | | | 2026-06-17 | N/A | 9.0 CRITICAL |
| Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker could cause high impact on confidentiality, integrity and availability of the application. | |||||
| CVE-2025-42883 | | | 2026-06-17 | N/A | 2.7 LOW |
| Migration Workbench (DX Workbench) in SAP NetWeaver Application Server for ABAP fails to trigger a malware scan when an attacker with administrative privileges uploads files to the application server. An attacker could leverage this and upload a malicious file into the system. This results in a low impact on the integrity of the application. | |||||
