Total
4115 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-6117 | 1 Hamastar | 1 Meetinghub Paperless Meetings | 2026-06-17 | N/A | 8.8 HIGH |
| A Unrestricted upload of file with dangerous type vulnerability in meeting management function in Hamastar MeetingHub Paperless Meetings 2021 allows remote authenticated users to perform arbitrary system commands via a crafted ASP file. | |||||
| CVE-2024-6116 | 1 Clive 21 | 1 Simple Online Hotel Reservation System | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability, which was classified as critical, has been found in itsourcecode Simple Online Hotel Reservation System 1.0. Affected by this issue is some unknown functionality of the file edit_room.php. The manipulation of the argument photo leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268868. | |||||
| CVE-2024-6115 | 1 Clive 21 | 1 Simple Online Hotel Reservation System | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability classified as critical was found in itsourcecode Simple Online Hotel Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file add_room.php. The manipulation of the argument photo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268867. | |||||
| CVE-2024-6114 | 1 Janobe | 1 Monbela Tourist Inn Online Reservation System | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability classified as critical has been found in itsourcecode Monbela Tourist Inn Online Reservation System up to 1.0. Affected is an unknown function of the file controller.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-268866 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-6110 | 1 Janobe | 1 Magbanua Beach Resort Online Reservation System | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in itsourcecode Magbanua Beach Resort Online Reservation System up to 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file controller.php. The manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268856. | |||||
| CVE-2024-6084 | 1 Janobe | 1 Pool Of Bethesda Online Reservation System | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in itsourcecode Pool of Bethesda Online Reservation System up to 1.0 and classified as critical. Affected by this vulnerability is the function uploadImage of the file /admin/mod_room/controller.php?action=add. The manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-268825 was assigned to this vulnerability. | |||||
| CVE-2024-6083 | 1 Phpvibe | 1 Phpvibe | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in PHPVibe 11.0.46. Affected is an unknown function of the file /app/uploading/upload-mp3.php of the component Media Upload Page. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268824. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-6054 | 1 Auto-featured-image Project | 1 Auto-featured-image | 2026-06-17 | N/A | 8.8 HIGH |
| The Auto Featured Image plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'create_post_attachment_from_url' function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-5911 | 1 Paloaltonetworks | 1 Pan-os | 2026-06-17 | N/A | 4.9 MEDIUM |
| An arbitrary file upload vulnerability in Palo Alto Networks Panorama software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and crash the Panorama. Repeated attacks eventually cause the Panorama to enter maintenance mode, which requires manual intervention to bring the Panorama back online. | |||||
| CVE-2024-5853 | 1 Sirv | 1 Sirv | 2026-06-17 | N/A | 9.9 CRITICAL |
| The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the sirv_upload_file_by_chanks AJAX action in all versions up to, and including, 7.2.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-5745 | 1 Bakery Online Ordering System Project | 1 Bakery Online Ordering System | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in itsourcecode Bakery Online Ordering System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/modules/product/controller.php?action=add. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-267414 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-5734 | 1 Online Discussion Forum Project | 1 Online Discussion Forum | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in itsourcecode Online Discussion Forum 1.0. Affected is an unknown function of the file /members/poster.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-267408. | |||||
| CVE-2024-5630 | 1 Elearningfreak | 1 Insert Or Embed Articulate Content | 2026-06-17 | N/A | 8.8 HIGH |
| The Insert or Embed Articulate Content into WordPress plugin before 4.3000000024 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites. | |||||
| CVE-2024-5518 | 1 Emiloimagtolis | 1 Online Discussion Forum | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in itsourcecode Online Discussion Forum 1.0. This affects an unknown part of the file change_profile_picture.php. The manipulation of the argument image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-266589 was assigned to this vulnerability. | |||||
| CVE-2024-5450 | 1 Bug Library Project | 1 Bug Library | 2026-06-17 | N/A | 9.1 CRITICAL |
| The Bug Library WordPress plugin before 2.1.1 does not check the file type on user-submitted bug reports, allowing an unauthenticated user to upload PHP files | |||||
| CVE-2024-5441 | 1 Webnus | 2 Modern Events Calendar, Modern Events Calendar Lite | 2026-06-17 | N/A | 8.8 HIGH |
| The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image function in all versions up to, and including, 7.11.0. This makes it possible for authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The plugin allows administrators (via its settings) to extend the ability to submit events to unauthenticated users, which would allow unauthenticated attackers to exploit this vulnerability. | |||||
| CVE-2024-5377 | 1 Warrendaloyan | 1 Vehicle Management System | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in SourceCodester Vehicle Management System 1.0. It has been classified as critical. This affects an unknown part of the file /newvehicle.php. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-266289 was assigned to this vulnerability. | |||||
| CVE-2024-5278 | 1 Gaizhenbiao | 1 Chuanhuchatgpt | 2026-06-17 | N/A | 6.1 MEDIUM |
| gaizhenbiao/chuanhuchatgpt is vulnerable to an unrestricted file upload vulnerability due to insufficient validation of uploaded file types in its `/upload` endpoint. Specifically, the `handle_file_upload` function does not sanitize or validate the file extension or content type of uploaded files, allowing attackers to upload files with arbitrary extensions, including HTML files containing XSS payloads and Python files. This vulnerability, present in the latest version as of 20240310, could lead to stored XSS attacks and potentially result in remote code execution (RCE) on the server hosting the application. | |||||
| CVE-2024-5247 | 1 Netgear | 1 Prosafe Network Management System | 2026-06-17 | N/A | 8.8 HIGH |
| NETGEAR ProSAFE Network Management System UpLoadServlet Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Authentication is required to exploit this vulnerability. The specific flaw exists within the UpLoadServlet class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22923. | |||||
| CVE-2024-5226 | 1 Daniyalahmedk | 1 Fuse Social Floating Sidebar | 2026-06-17 | N/A | 6.4 MEDIUM |
| The Fuse Social Floating Sidebar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the file upload functionality in all versions up to, and including, 5.4.10 due to insufficient validation of SVG files. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
