Total
4088 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-2607 | 1 Phplaozhang | 1 Lzcms-laozhangbokexitong | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in phplaozhang LzCMS-LaoZhangBoKeXiTong up to 1.1.4. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/upload/upimage.html of the component HTTP POST Request Handler. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-2606 | 1 Mayurik | 1 Best Church Management Software | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/app/soulwinning_crud.php. The manipulation of the argument photo/photo1 leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-2525 | 2026-06-17 | N/A | 8.8 HIGH | ||
| The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-2512 | 1 File Away Project | 1 File Away | 2026-06-17 | N/A | 9.8 CRITICAL |
| The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-2494 | 1 Sytel | 1 Softdial Contact Center | 2026-06-17 | N/A | 9.8 CRITICAL |
| Unrestricted file upload to Softdial Contact Center of Sytel Ltd. This vulnerability could allow an attacker to upload files to the server via the ‘/softdial/phpconsole/upload.php’ endpoint, which is protected by basic HTTP authentication. The files are uploaded to a directory exposed by the web application, which could result in code execution, giving the attacker full control over the server. | |||||
| CVE-2025-2396 | 1 Edetw | 1 U-office Force | 2026-06-17 | N/A | 8.8 HIGH |
| The U-Office Force from e-Excellence has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | |||||
| CVE-2025-2350 | 1 Iroadau | 2 Fx2, Fx2 Firmware | 2026-06-17 | 5.8 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been rated as critical. Affected by this issue is some unknown functionality of the file /action/upload_file. The manipulation leads to unrestricted upload. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-2249 | 2026-06-17 | N/A | 8.8 HIGH | ||
| The SoJ SoundSlides plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the soj_soundslides_options_subpanel() function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-2219 | 1 Lovecards | 1 Lovecards | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in LoveCards LoveCardsV2 up to 2.3.2 and classified as critical. This issue affects some unknown processing of the file /api/upload/image. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-2216 | 1 Zzskzy | 1 Warehouse Refinement Management System | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, has been found in zzskzy Warehouse Refinement Management System 1.3. Affected by this issue is the function UploadCrash of the file /crash/log/SaveCrash.ashx. The manipulation of the argument file leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-2155 | 2026-06-17 | N/A | 8.8 HIGH | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Echo Call Center Services Trade and Industry Inc. Specto CM allows Remote Code Inclusion. This issue affects Specto CM: before 17032025. | |||||
| CVE-2025-2115 | 1 Zzskzy | 1 Warehouse Refinement Management System | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in zzskzy Warehouse Refinement Management System 3.1. Affected is the function ProcessRequest of the file /AcceptZip.ashx. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-2035 | 1 S-a-zhd | 1 Ecommerce-website-using-php | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in s-a-zhd Ecommerce-Website-using-PHP 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /customer_register.php. The manipulation of the argument name leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-2031 | 1 1000mz | 1 Chestnutcms | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in ChestnutCMS up to 1.5.2. This affects the function uploadFile of the file /dev-api/cms/file/upload. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-2008 | 2026-06-17 | N/A | 8.8 HIGH | ||
| The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1. | |||||
| CVE-2025-2006 | 2026-06-17 | N/A | 8.8 HIGH | ||
| The Inline Image Upload for BBPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension validation in the file uploading functionality in all versions up to, and including, 1.1.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This may be exploitable by unauthenticated attackers when the "Allow guest users without accounts to create topics and replies" setting is enabled. | |||||
| CVE-2025-2005 | 1 Etoilewebdesign | 1 Front End Users | 2026-06-17 | N/A | 9.8 CRITICAL |
| The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and including, 3.2.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-29411 | 1 Martmbithi | 1 Ibanking | 2026-06-17 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the Client Profile Update section of Mart Developers iBanking v2.0.0 allows attackers to execute arbitrary code via uploading a crafted PHP file. | |||||
| CVE-2025-29405 | 1 Emlog | 1 Emlog | 2026-06-17 | N/A | 6.3 MEDIUM |
| An arbitrary file upload vulnerability in the component /admin/template.php of emlog pro 2.5.0 and pro 2.5.* allows attackers to execute arbitrary code via uploading a crafted PHP file. | |||||
| CVE-2025-29394 | 2026-06-17 | N/A | 8.1 HIGH | ||
| An insecure permissions vulnerability in verydows v2.0 allows a remote attacker to execute arbitrary code by uploading a file type. | |||||
