Vulnerabilities (CVE)

Filtered by CWE-434
Total 4083 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-46490 2026-06-17 N/A 9.9 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in wordwebsoftware Crossword Compiler Puzzles crossword-compiler-puzzles allows Upload a Web Shell to a Web Server. This issue affects Crossword Compiler Puzzles: from n/a through <= 5.2.
CVE-2025-46384 2026-06-17 N/A 8.8 HIGH
CWE-434 Unrestricted Upload of File with Dangerous Type
CVE-2025-46264 2026-06-17 N/A 9.9 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in blubrry PowerPress Podcasting powerpress allows Upload a Web Shell to a Web Server. This issue affects PowerPress Podcasting: from n/a through <= 11.12.5.
CVE-2025-46193 1 Lerouxyxchire 1 Client Database Management System 2026-06-17 N/A 9.8 CRITICAL
SourceCodester Client Database Management System 1.0 is vulnerable to Remote code execution via Arbitrary file upload in user_proposal_update_order.php.
CVE-2025-46157 1 Efrotech 1 Timetrax 2026-06-17 N/A 9.9 CRITICAL
An issue in EfroTech Time Trax v.1.0 allows a remote attacker to execute arbitrary code via the file attachment function in the leave request form.
CVE-2025-46099 1 Pluck-cms 1 Pluck 2026-06-17 N/A 7.2 HIGH
In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and access it via the module routing logic in albums.site.php, resulting in arbitrary command execution through a GET parameter.
CVE-2025-46080 1 Huocms 1 Huocms 2026-06-17 N/A 5.3 MEDIUM
HuoCMS V3.5.1 has a File Upload Vulnerability. An attacker can exploit this flaw to bypass whitelist restrictions and craft malicious files with specific suffixes, thereby gaining control of the server.
CVE-2025-46078 1 Huocms 1 Huocms 2026-06-17 N/A 5.3 MEDIUM
HuoCMS V3.5.1 and before is vulnerable to file upload, which allows attackers to take control of the target server.
CVE-2025-46068 1 Automai 1 Director 2026-06-17 N/A 8.8 HIGH
An issue in Automai Director v.25.2.0 allows a remote attacker to execute arbitrary code via the update mechanism.
CVE-2025-46001 1 Simogeo 1 Filemanager 2026-06-17 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability in the is_allowed_file_type() function of Filemanager v2.3.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2025-45997 1 Senior-walter 1 Web-based Pharmacy Product Management System 2026-06-17 N/A 8.6 HIGH
Sourcecodester Web-based Pharmacy Product Management System v.1.0 has a file upload vulnerability. An attacker can upload a PHP file disguised as an image by modifying the Content-Type header to image/jpg.
CVE-2025-45855 1 Erupt 1 Erupt 2026-06-17 N/A 5.4 MEDIUM
An arbitrary file upload vulnerability in the component /upload/GoodsCategory/image of erupt v1.12.19 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2025-45586 1 Audi 2 Universal Traffic Recorder, Universal Traffic Recorder Firmware 2026-06-17 N/A 7.5 HIGH
An issue in Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to arbitrarily overwrite files via supplying a crafted PUT request.
CVE-2025-44658 1 Netgear 2 Rax30, Rax30 Firmware 2026-06-17 N/A 9.8 CRITICAL
In Netgear RAX30 V1.0.10.94, a PHP-FPM misconfiguration vulnerability is caused by not following the specification to only limit FPM to .php extensions. An attacker may exploit this by uploading malicious scripts disguised with alternate extensions and tricking the web server into executing them as PHP, bypassing security mechanisms based on file extension filtering. This may lead to remote code execution (RCE), information disclosure, or full system compromise.
CVE-2025-44139 1 Emlog 1 Emlog 2026-06-17 N/A 7.2 HIGH
Emlog Pro V2.5.7 is vulnerable to Unrestricted Upload of File with Dangerous Type via /emlog/admin/plugin.php?action=upload_zip.
CVE-2025-43946 1 Tcpwave 1 Ddi 2026-06-17 N/A 9.8 CRITICAL
TCPWave DDI 11.34P1C2 allows Remote Code Execution via Unrestricted File Upload (combined with Path Traversal).
CVE-2025-43766 1 Liferay 2 Digital Experience Platform, Liferay Portal 2026-06-17 N/A 9.8 CRITICAL
The Liferay Portal 7.4.0 through 7.3.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows the upload of unrestricted files in the style books component that are processed within the environment enabling arbitrary code execution by attackers.
CVE-2025-43750 1 Liferay 2 Digital Experience Platform, Liferay Portal 2026-06-17 N/A 6.5 MEDIUM
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows remote unauthenticated users (guests) to upload files via the form attachment field without proper validation, enabling extension obfuscation and bypassing MIME type checks.
CVE-2025-42910 2026-06-17 N/A 9.0 CRITICAL
Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker could cause high impact on confidentiality, integrity and availability of the application.
CVE-2025-42883 2026-06-17 N/A 2.7 LOW
Migration Workbench (DX Workbench) in SAP NetWeaver Application Server for ABAP fails to trigger a malware scan when an attacker with administrative privileges uploads files to the application server. An attacker could leverage this and upload a malicious file into the system. This results in a low impact on the integrity of the application.