Vulnerabilities (CVE)

Filtered by CWE-434
Total 4115 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-5145 1 Warrendaloyan 1 Vehicle Management System 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in SourceCodester Vehicle Management System up to 1.0 and classified as critical. This issue affects some unknown processing of the file /newdriver.php of the component HTTP POST Request Handler. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-265289 was assigned to this vulnerability.
CVE-2024-5084 1 Hashthemes 1 Hash Form 2026-06-17 N/A 9.8 CRITICAL
The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-5080 1 Tipsandtricks-hq 1 Wp Emember 2026-06-17 N/A 8.8 HIGH
The wp-eMember WordPress plugin before 10.6.6 does not validate files to be uploaded, which could allow admins to upload arbitrary files such as PHP on the server
CVE-2024-5050 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability, which was classified as critical, was found in Wangshen SecGate 3600 up to 20240516. This affects an unknown part of the file /?g=log_import_save. The manipulation of the argument reqfile leads to unrestricted upload. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-264747.
CVE-2024-5049 1 Codezips 1 E-commerce Site 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability, which was classified as critical, has been found in Codezips E-Commerce Site 1.0. Affected by this issue is some unknown functionality of the file admin/editproduct.php. The manipulation of the argument profilepic leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-264746 is the identifier assigned to this vulnerability.
CVE-2024-5047 1 Kabir-m-alhasan 1 Student Management System 2026-06-17 7.5 HIGH 7.3 HIGH
A vulnerability classified as critical has been found in SourceCodester Student Management System 1.0. Affected is an unknown function of the file /student/controller.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264744.
CVE-2024-5043 1 Emlog 1 Emlog 2026-06-17 5.8 MEDIUM 4.7 MEDIUM
A vulnerability was found in Emlog Pro 2.3.4 and classified as critical. Affected by this issue is some unknown functionality of the file admin/setting.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264740. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-5008 1 Progress 1 Whatsup Gold 2026-06-17 N/A 8.8 HIGH
In WhatsUp Gold versions released before 2023.1.3, an authenticated user with certain permissions can upload an arbitrary file and obtain RCE using Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController.
CVE-2024-58349 2026-06-17 N/A 9.8 CRITICAL
WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's upload functionality. Attackers can upload arbitrary files to the theme directory and execute them to achieve remote code execution on the affected WordPress installation.
CVE-2024-58348 2026-06-17 N/A 9.8 CRITICAL
WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to execute arbitrary code on the server.
CVE-2024-58313 1 Xbtitfm 1 Xbtitfm 2026-06-17 N/A 7.2 HIGH
xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modifying the Content-Type header to image/gif, adding GIF89a magic bytes, and using alternate PHP tags to upload web shells that execute system commands.
CVE-2024-58298 2026-06-17 N/A N/A
Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the 'fileName' parameter to upload a web shell and execute arbitrary commands by sending POST requests to the uploaded JSP endpoint.
CVE-2024-58295 2026-06-17 N/A N/A
ElkArte Forum 1.1.9 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the theme installation process. Attackers can upload a ZIP archive with a PHP file containing system commands, which can then be executed by accessing the uploaded file in the theme directory.
CVE-2024-58283 1 Wbce 1 Wbce Cms 2026-06-17 N/A 8.8 HIGH
WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary system commands through a user-controlled parameter.
CVE-2024-58282 1 S9y 1 Serendipity 2026-06-17 N/A 7.2 HIGH
Serendipity 2.5.0 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload mechanism by creating a PHP shell with a command execution form that enables arbitrary system command execution on the web server.
CVE-2024-58281 1 Dotclear 1 Dotclear 2026-06-17 N/A 8.8 HIGH
Dotclear 2.29 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload process by crafting a PHP shell with a command execution form to gain system access through the uploaded file.
CVE-2024-58279 1 Apprain 1 Apprain 2026-06-17 N/A 8.8 HIGH
appRain CMF 4.0.5 contains an authenticated remote code execution vulnerability that allows administrative users to upload malicious PHP files through the filemanager upload endpoint. Attackers can leverage authenticated access to generate a web shell with command execution capabilities by uploading a crafted PHP file to the site's uploads directory.
CVE-2024-57968 1 Advantive 1 Veracore 2026-06-17 N/A 9.9 CRITICAL
Advantive VeraCore before 2024.4.2.1 allows remote authenticated users to upload files to unintended folders (e.g., ones that are accessible during web browsing by other users). upload.aspx can be used for this.
CVE-2024-57761 1 Huayi-tec 1 Jeewms 2026-06-17 N/A 8.1 HIGH
An arbitrary file upload vulnerability in the parserXML() method of JeeWMS before v2025.01.01 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-57668 1 Fabian 1 Shopping Portal 2026-06-17 N/A 8.8 HIGH
In Code-projects Shopping Portal v1.0, the insert-product.php page has an arbitrary file upload vulnerability.