Total
3085 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-24045 | 1 Dataiku | 1 Data Science Studio | 2025-03-10 | N/A | 6.5 MEDIUM |
| In Dataiku DSS 11.2.1, an attacker can download other Dataiku files that were uploaded to the myfiles section by specifying the target username in a download request. | |||||
| CVE-2025-25361 | 2025-03-07 | N/A | 9.8 CRITICAL | ||
| An arbitrary file upload vulnerability in the component /cms/CmsWebFileAdminController.java of PublicCMS v4.0.202406 allows attackers to execute arbitrary code via uploading a crafted svg or xml file. | |||||
| CVE-2023-25402 | 1 Yf-exam Project | 1 Yf-exam | 2025-03-06 | N/A | 7.5 HIGH |
| CleverStupidDog yf-exam 1.8.0 is vulnerable to File Upload. There is no restriction on the suffix of the uploaded file, resulting in any file upload. | |||||
| CVE-2025-2035 | 2025-03-06 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in s-a-zhd Ecommerce-Website-using-PHP 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /customer_register.php. The manipulation of the argument name leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2023-32562 | 1 Ivanti | 1 Avalanche | 2025-03-06 | N/A | 9.8 CRITICAL |
| An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution. Fixed in version 6.4.1. | |||||
| CVE-2024-13869 | 1 Wpvivid | 1 Wpvivid Backup \& Migration | 2025-03-05 | N/A | 7.2 HIGH |
| The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all versions up to, and including, 0.9.112. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers. | |||||
| CVE-2021-33352 | 1 Wyomind | 1 Help Desk | 2025-03-05 | N/A | 9.8 CRITICAL |
| An issue in Wyomind Help Desk Magento 2 extension v.1.3.6 and before fixed in v.1.3.7 allows attacker to execute arbitrary code via a phar file upload in the ticket message field. | |||||
| CVE-2024-5043 | 1 Emlog | 1 Emlog | 2025-03-05 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in Emlog Pro 2.3.4 and classified as critical. Affected by this issue is some unknown functionality of the file admin/setting.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264740. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-29859 | 1 Misp | 1 Misp | 2025-03-05 | N/A | 9.8 CRITICAL |
| In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload. | |||||
| CVE-2025-27411 | 2025-03-05 | N/A | 5.4 MEDIUM | ||
| REDAXO is a PHP-based CMS. In Redaxo before 5.18.3, the mediapool/media page is vulnerable to arbitrary file upload. This vulnerability is fixed in 5.18.3. | |||||
| CVE-2023-22890 | 1 Smartbear | 1 Zephyr Enterprise | 2025-03-05 | N/A | 7.5 HIGH |
| SmartBear Zephyr Enterprise through 7.15.0 allows unauthenticated users to upload large files, which could exhaust the local drive space, causing a denial of service condition. | |||||
| CVE-2025-1890 | 1 Shishuocms Project | 1 Shishuocms | 2025-03-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in shishuocms 1.1 and classified as critical. This vulnerability affects the function handleRequest of the file src/main/java/com/shishuo/cms/action/manage/ManageUpLoadAction.java. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2023-23328 | 1 Avantfax | 1 Avantfax | 2025-03-04 | N/A | 8.8 HIGH |
| A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file. | |||||
| CVE-2024-47259 | 2025-03-04 | N/A | 3.5 LOW | ||
| Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files to the Axis device with the purpose to exhaust system resources. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | |||||
| CVE-2025-1835 | 2025-03-03 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability has been found in osuuu LightPicture 1.2.2 and classified as critical. This vulnerability affects the function upload of the file /app/controller/Api.php. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-56897 | 1 Yitechnology | 2 Yi Car Dashcam, Yi Car Dashcam Firmware | 2025-03-03 | N/A | 9.8 CRITICAL |
| Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, such as disabling recording, disabling sounds, factory reset. | |||||
| CVE-2024-2529 | 1 Magesh-k21 | 1 Online-college-event-hall-reservation-system | 2025-03-03 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/rooms.php. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-256966 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-2531 | 1 Magesh-k21 | 1 Online-college-event-hall-reservation-system | 2025-03-03 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected is an unknown function of the file /admin/update-rooms.php. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256968. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-5226 | 1 Daniyalahmedk | 1 Fuse Social Floating Sidebar | 2025-03-01 | N/A | 6.4 MEDIUM |
| The Fuse Social Floating Sidebar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the file upload functionality in all versions up to, and including, 5.4.10 due to insufficient validation of SVG files. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-1590 | 1 Janobe | 1 E-learning System | 2025-02-28 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in SourceCodester E-Learning System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/modules/lesson/index.php of the component List of Lessons Page. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. | |||||