Total
3821 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-12500 | 2026-02-19 | N/A | 5.3 MEDIUM | ||
| The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "ajax_checkout_attachment_upload" function. This makes it possible for unauthenticated attackers to upload files to the server, though file types are limited to WordPress's default allowed MIME types (images, documents, etc.). | |||||
| CVE-2026-1405 | 2026-02-19 | N/A | 9.8 CRITICAL | ||
| The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'slider_future_handle_image_upload' function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-25846 | 1 Myprestamodules | 1 Product Catalog \(csv\, Excel\) Import | 2026-02-18 | N/A | 9.1 CRITICAL |
| In the module "Product Catalog (CSV, Excel) Import" (simpleimportproduct) <= 6.7.0 from MyPrestaModules for PrestaShop, a guest can upload files with extensions .php. | |||||
| CVE-2026-1306 | 2026-02-18 | N/A | 9.8 CRITICAL | ||
| The midi-Synth plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type and file extension validation in the 'export' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible granted the attacker can obtain a valid nonce. The nonce is exposed in frontend JavaScript making it trivially accessible to unauthenticated attackers. | |||||
| CVE-2026-2550 | 2026-02-18 | 10.0 HIGH | 9.8 CRITICAL | ||
| A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-6116 | 1 Clive 21 | 1 Simple Online Hotel Reservation System | 2026-02-18 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability, which was classified as critical, has been found in itsourcecode Simple Online Hotel Reservation System 1.0. Affected by this issue is some unknown functionality of the file edit_room.php. The manipulation of the argument photo leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268868. | |||||
| CVE-2024-6115 | 1 Clive 21 | 1 Simple Online Hotel Reservation System | 2026-02-18 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability classified as critical was found in itsourcecode Simple Online Hotel Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file add_room.php. The manipulation of the argument photo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268867. | |||||
| CVE-2024-7694 | 1 Teamt5 | 1 Threatsonar Anti-ransomware | 2026-02-18 | N/A | 7.2 HIGH |
| ThreatSonar Anti-Ransomware from TeamT5 does not properly validate the content of uploaded files. Remote attackers with administrator privileges on the product platform can upload malicious files, which can be used to execute arbitrary system command on the server. | |||||
| CVE-2026-1331 | 1 Hamastar | 1 Meetinghub Paperless Meetings | 2026-02-17 | N/A | 9.8 CRITICAL |
| MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | |||||
| CVE-2026-2146 | 1 Guchengwuyue | 1 Yshopmall | 2026-02-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2023-33498 | 1 Alistgo | 1 Alist | 2026-02-13 | N/A | 8.8 HIGH |
| alist <=3.16.3 is vulnerable to Incorrect Access Control. Low privilege accounts can upload any file. | |||||
| CVE-2022-45968 | 1 Alistgo | 1 Alist | 2026-02-13 | N/A | 8.8 HIGH |
| Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one). | |||||
| CVE-2026-2097 | 1 Flowring | 1 Agentflow | 2026-02-13 | N/A | 8.8 HIGH |
| Agentflow developed by Flowring has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | |||||
| CVE-2025-14014 | 2026-02-13 | N/A | 9.8 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in NTN Information Processing Services Computer Software Hardware Industry and Trade Ltd. Co. Smart Panel allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Smart Panel: before 20251215. | |||||
| CVE-2026-1458 | 1 Gitlab | 1 Gitlab | 2026-02-12 | N/A | 6.5 MEDIUM |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service by uploading malicious files. | |||||
| CVE-2020-37113 | 1 Gunet | 1 Open Eclass Platform | 2026-02-12 | N/A | 8.8 HIGH |
| GUnet OpenEclass 1.7.3 allows authenticated users to bypass file extension restrictions when uploading files. By renaming a PHP file to .php3 or .PhP, an attacker can upload a web shell and execute arbitrary code on the server. This vulnerability enables remote code execution by bypassing the intended file type checks in the exercise submission feature. | |||||
| CVE-2025-61506 | 1 Mediacrush | 1 Mediacrush | 2026-02-11 | N/A | 9.8 CRITICAL |
| An issue was discovered in MediaCrush thru 1.0.1 allowing remote unauthenticated attackers to upload arbitrary files of any size to the /upload endpoint. | |||||
| CVE-2025-65875 | 1 Fpdf | 1 Fpdf | 2026-02-11 | N/A | 8.8 HIGH |
| An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file. | |||||
| CVE-2025-69906 | 1 Monstra | 1 Monstra Cms | 2026-02-11 | N/A | 8.8 HIGH |
| Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution. | |||||
| CVE-2025-69981 | 1 Frangoteam | 1 Fuxa | 2026-02-11 | N/A | 9.8 CRITICAL |
| FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code. | |||||