Vulnerabilities (CVE)

Filtered by CWE-434
Total 4088 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-2607 1 Phplaozhang 1 Lzcms-laozhangbokexitong 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in phplaozhang LzCMS-LaoZhangBoKeXiTong up to 1.1.4. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/upload/upimage.html of the component HTTP POST Request Handler. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-2606 1 Mayurik 1 Best Church Management Software 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/app/soulwinning_crud.php. The manipulation of the argument photo/photo1 leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-2525 2026-06-17 N/A 8.8 HIGH
The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-2512 1 File Away Project 1 File Away 2026-06-17 N/A 9.8 CRITICAL
The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-2494 1 Sytel 1 Softdial Contact Center 2026-06-17 N/A 9.8 CRITICAL
Unrestricted file upload to Softdial Contact Center of Sytel Ltd. This vulnerability could allow an attacker to upload files to the server via the ‘/softdial/phpconsole/upload.php’ endpoint, which is protected by basic HTTP authentication. The files are uploaded to a directory exposed by the web application, which could result in code execution, giving the attacker full control over the server.
CVE-2025-2396 1 Edetw 1 U-office Force 2026-06-17 N/A 8.8 HIGH
The U-Office Force from e-Excellence has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
CVE-2025-2350 1 Iroadau 2 Fx2, Fx2 Firmware 2026-06-17 5.8 MEDIUM 6.3 MEDIUM
A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been rated as critical. Affected by this issue is some unknown functionality of the file /action/upload_file. The manipulation leads to unrestricted upload. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used.
CVE-2025-2249 2026-06-17 N/A 8.8 HIGH
The SoJ SoundSlides plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the soj_soundslides_options_subpanel() function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-2219 1 Lovecards 1 Lovecards 2026-06-17 7.5 HIGH 7.3 HIGH
A vulnerability was found in LoveCards LoveCardsV2 up to 2.3.2 and classified as critical. This issue affects some unknown processing of the file /api/upload/image. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-2216 1 Zzskzy 1 Warehouse Refinement Management System 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability, which was classified as critical, has been found in zzskzy Warehouse Refinement Management System 1.3. Affected by this issue is the function UploadCrash of the file /crash/log/SaveCrash.ashx. The manipulation of the argument file leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-2155 2026-06-17 N/A 8.8 HIGH
Unrestricted Upload of File with Dangerous Type vulnerability in Echo Call Center Services Trade and Industry Inc. Specto CM allows Remote Code Inclusion. This issue affects Specto CM: before 17032025.
CVE-2025-2115 1 Zzskzy 1 Warehouse Refinement Management System 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability, which was classified as critical, was found in zzskzy Warehouse Refinement Management System 3.1. Affected is the function ProcessRequest of the file /AcceptZip.ashx. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-2035 1 S-a-zhd 1 Ecommerce-website-using-php 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in s-a-zhd Ecommerce-Website-using-PHP 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /customer_register.php. The manipulation of the argument name leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-2031 1 1000mz 1 Chestnutcms 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability classified as critical has been found in ChestnutCMS up to 1.5.2. This affects the function uploadFile of the file /dev-api/cms/file/upload. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-2008 2026-06-17 N/A 8.8 HIGH
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1.
CVE-2025-2006 2026-06-17 N/A 8.8 HIGH
The Inline Image Upload for BBPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension validation in the file uploading functionality in all versions up to, and including, 1.1.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This may be exploitable by unauthenticated attackers when the "Allow guest users without accounts to create topics and replies" setting is enabled.
CVE-2025-2005 1 Etoilewebdesign 1 Front End Users 2026-06-17 N/A 9.8 CRITICAL
The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and including, 3.2.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-29411 1 Martmbithi 1 Ibanking 2026-06-17 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability in the Client Profile Update section of Mart Developers iBanking v2.0.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2025-29405 1 Emlog 1 Emlog 2026-06-17 N/A 6.3 MEDIUM
An arbitrary file upload vulnerability in the component /admin/template.php of emlog pro 2.5.0 and pro 2.5.* allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2025-29394 2026-06-17 N/A 8.1 HIGH
An insecure permissions vulnerability in verydows v2.0 allows a remote attacker to execute arbitrary code by uploading a file type.