Total
4102 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-10147 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_as_original_file' function in all versions up to, and including, 4.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-10116 | 2026-06-17 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was identified in SiempreCMS up to 1.3.6. This vulnerability affects unknown code of the file /docs/admin/file_upload.php. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit is publicly available and might be used. | |||||
| CVE-2025-10085 | 1 Mayurik | 1 Pet Grooming Management Software | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code of the file manage_website.php. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-10083 | 1 Mayurik | 1 Pet Grooming Management Software | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was determined in SourceCodester Pet Grooming Management Software 1.0. Affected by this issue is some unknown functionality of the file /admin/profile.php. Executing manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2025-10081 | 1 Mayurik | 1 Pet Grooming Management Software | 2026-06-17 | 5.8 MEDIUM | 4.7 MEDIUM |
| A flaw has been found in SourceCodester Pet Management System 1.0. This impacts an unknown function of the file /admin/profile.php. This manipulation of the argument website_image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used. | |||||
| CVE-2025-10051 | 2026-06-17 | N/A | 7.2 HIGH | ||
| The Demo Import Kit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.1.0 via the import functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-10049 | 2026-06-17 | N/A | 7.2 HIGH | ||
| The Responsive Filterable Portfolio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the HdnMediaSelection_image field in all versions up to, and including, 1.0.24. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-10041 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in thesave_qr_code_to_db() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-10009 | 2026-06-17 | N/A | N/A | ||
| Incorrect handling of uploaded files in the admin "Restore" function in Invoice Ninja <= 5.11.72 allows attackers with admin credentials to execute arbitrary code on the server via uploaded .php files. | |||||
| CVE-2025-10001 | 2026-06-17 | N/A | 7.2 HIGH | ||
| The Import any XML, CSV or Excel File to WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload unsafe files like .phar files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-10000 | 2026-06-17 | N/A | 6.4 MEDIUM | ||
| The Qyrr – simply and modern QR-Code creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the blob_to_file() function in all versions up to, and including, 2.0.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-0984 | 2026-06-17 | N/A | 8.2 HIGH | ||
| Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netoloji Software E-Flow allows Accessing Functionality Not Properly Constrained by ACLs, Stored XSS, File Content Injection. This issue affects E-Flow: before 3.23.00. | |||||
| CVE-2025-0928 | 1 Canonical | 1 Juju | 2026-06-17 | N/A | 8.8 HIGH |
| In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution. | |||||
| CVE-2025-0731 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| An unauthenticated remote attacker can upload a .aspx file instead of a PV system picture through the demo account. The code can only be executed in the security context of the user. | |||||
| CVE-2025-0722 | 1 Needyamin | 1 Image Gallery Management System | 2026-06-17 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability classified as critical was found in needyamin image_gallery 1.0. This vulnerability affects unknown code of the file /admin/gallery.php of the component Cover Image Handler. The manipulation of the argument image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-0702 | 1 Joeybling | 1 Bootplus | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical was found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. This vulnerability affects unknown code of the file src/main/java/io/github/controller/SysFileController.java. The manipulation of the argument portraitFile leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | |||||
| CVE-2025-0645 | 2026-06-17 | N/A | 7.2 HIGH | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Narkom Communication and Software Technologies Trade Ltd. Co. Pyxis Signage allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Pyxis Signage: through 31012025. | |||||
| CVE-2025-0582 | 1 Angeljudesuarez | 1 Tailoring Management System | 2026-06-17 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability classified as critical was found in itsourcecode Farm Management System up to 1.0. This vulnerability affects unknown code of the file /add-pig.php. The manipulation of the argument pigphoto leads to unrestricted upload. The attack can be initiated remotely. | |||||
| CVE-2025-0520 | 2026-06-17 | N/A | N/A | ||
| An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to remote code execution.This issue affects ShowDoc: before 2.8.7. | |||||
| CVE-2025-0472 | 1 Sigb | 1 Pmb | 2026-06-17 | N/A | 7.5 HIGH |
| Information exposure in the PMB platform affecting versions 4.2.13 and earlier. This vulnerability allows an attacker to upload a file to the environment and enumerate the internal files of a machine by looking at the request response. | |||||
