Vulnerabilities (CVE)

Filtered by CWE-434
Total 4088 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-26411 2026-06-17 N/A 8.8 HIGH
An authenticated attacker is able to use the Plugin Manager of the web interface of the Wattsense Bridge devices to upload malicious Python files to the device. This enables an attacker to gain remote root access to the device. An attacker needs a valid user account on the Wattsense web interface to be able to conduct this attack. This issue is fixed in recent firmware versions BSP >= 6.1.0.
CVE-2025-26350 1 Q-free 1 Maxtime 2026-06-17 N/A 4.9 MEDIUM
A CWE-434 "Unrestricted Upload of File with Dangerous Type" in the template file uploads in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to upload malicious files via crafted HTTP requests.
CVE-2025-26325 1 Shopxo 1 Shopxo 2026-06-17 N/A 9.8 CRITICAL
ShopXO 6.4.0 is vulnerable to File Upload in ThemeDataService.php.
CVE-2025-26319 1 Flowiseai 1 Flowise 2026-06-17 N/A 9.8 CRITICAL
FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.
CVE-2025-25790 1 Foxcms 1 Foxcms 2026-06-17 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability in the component \controller\LocalTemplate.php of FoxCMS v1.2.5 allows attackers to execute arbitrary code via uploading a crafted Zip file.
CVE-2025-25784 1 Jizhicms 1 Jizhicms 2026-06-17 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability in the component \c\TemplateController.php of Jizhicms v2.5.4 allows attackers to execute arbitrary code via uploading a crafted Zip file.
CVE-2025-25783 1 Emlog 1 Emlog 2026-06-17 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability in the component admin\plugin.php of Emlog Pro v2.5.3 allows attackers to execute arbitrary code via uploading a crafted Zip file.
CVE-2025-25361 1 Publiccms 1 Publiccms 2026-06-17 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability in the component /cms/CmsWebFileAdminController.java of PublicCMS v4.0.202406 allows attackers to execute arbitrary code via uploading a crafted svg or xml file.
CVE-2025-25016 1 Elastic 1 Kibana 2026-06-17 N/A 4.3 MEDIUM
Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation.
CVE-2025-24862 1 Intel 1 Computing Improvement Program 2026-06-17 N/A 2.0 LOW
Unrestricted upload of file with dangerous type for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with a privileged user combined with a high complexity attack may enable data manipulation. This result may potentially occur via network access when attack requirements are present with special internal knowledge and requires passive user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
CVE-2025-24801 1 Glpi-project 1 Glpi 2026-06-17 N/A 8.5 HIGH
GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18.
CVE-2025-24775 2026-06-17 N/A 9.9 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms forms-by-made-it allows Upload a Web Shell to a Web Server. This issue affects Forms: from n/a through <= 2.9.0.
CVE-2025-24650 1 Themefic 1 Tourfic 2026-06-17 N/A 9.1 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic tourfic allows Upload a Web Shell to a Web Server. This issue affects Tourfic: from n/a through <= 2.15.3.
CVE-2025-24505 2026-06-17 N/A N/A
This vulnerability allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by uploading a specially crafted upgrade file.
CVE-2025-24489 2026-06-17 N/A 6.3 MEDIUM
An attacker could exploit this vulnerability by uploading arbitrary files via a specific service, which could lead to system compromise.
CVE-2025-23968 2026-06-17 N/A 9.1 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in WebFactory AiBud WP aibuddy-openai-chatgpt allows Upload a Web Shell to a Web Server. This issue affects AiBud WP: from n/a through <= 1.9.
CVE-2025-23953 2026-06-17 N/A 10.0 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Scriptonite user files user-files allows Upload a Web Shell to a Web Server. This issue affects user files: from n/a through <= 2.4.2.
CVE-2025-23942 2026-06-17 N/A 9.1 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in ngocuct0912 WP Load Gallery wp-load-gallery allows Upload a Web Shell to a Web Server. This issue affects WP Load Gallery: from n/a through <= 2.1.6.
CVE-2025-23921 2026-06-17 N/A 9.0 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in sh1zen Multi Uploader for Gravity Forms gf-multi-uploader allows Upload a Web Shell to a Web Server. This issue affects Multi Uploader for Gravity Forms: from n/a through <= 1.1.3.
CVE-2025-23918 2026-06-17 N/A 9.9 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Enrico Sandoli Smallerik File Browser smallerik-file-browser allows Upload a Web Shell to a Web Server. This issue affects Smallerik File Browser: from n/a through <= 1.1.