Total
3433 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-51056 | 1 Vedo Suite Project | 1 Vedo Suite | 2025-10-09 | N/A | 8.2 HIGH |
| An unrestricted file upload vulnerability in Vedo Suite version 2024.17 allows remote authenticated attackers to write to arbitrary filesystem paths by exploiting the insecure 'uploadPreviews()' custom function in '/api_vedo/colorways_preview', ultimately resulting in remote code execution (RCE). | |||||
| CVE-2025-11351 | 1 Fabian | 1 Online Hotel Reservation System | 2025-10-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in code-projects Online Hotel Reservation System 1.0. The impacted element is an unknown function of the file /admin/editpicexec.php. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-11352 | 1 Fabian | 1 Online Hotel Reservation System | 2025-10-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security vulnerability has been detected in code-projects Online Hotel Reservation System 1.0. This affects an unknown function of the file /admin/addexec.php. Such manipulation of the argument image leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2025-11353 | 1 Fabian | 1 Online Hotel Reservation System | 2025-10-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in code-projects Online Hotel Reservation System 1.0. This impacts an unknown function of the file /admin/addgalleryexec.php. Performing manipulation of the argument image results in unrestricted upload. The attack is possible to be carried out remotely. The exploit is now public and may be used. | |||||
| CVE-2025-11398 | 1 Nikhil-bhalerao | 1 Hotel And Lodge Management System | 2025-10-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in SourceCodester Hotel and Lodge Management System 1.0. The impacted element is an unknown function of the file /profile.php of the component Profile Page. Executing manipulation of the argument image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-11417 | 1 Campcodes | 1 Advanced Online Voting System | 2025-10-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in Campcodes Advanced Online Voting Management System 1.0. This vulnerability affects unknown code of the file /admin/voters_add.php. Executing manipulation of the argument photo can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-11426 | 1 Projectworlds | 1 Advanced Library Management System | 2025-10-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in projectworlds Advanced Library Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit_book.php. The manipulation of the argument image results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-11436 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in JhumanJ OpnForm up to 1.9.3. Affected by this issue is some unknown functionality of the file /answer. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. The patch is identified as 95c3e23856465d202e6aec10bdb6ee0688b5305a. It is advisable to implement a patch to correct this issue. | |||||
| CVE-2025-2978 | 1 Wcms | 1 Wcms | 2025-10-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in WCMS 11. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php?articleadmin/upload/?&CKEditor=container&CKEditorFuncNum=1 of the component Article Publishing Page. The manipulation of the argument Upload leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-11470 | 1 Nikhil-bhalerao | 1 Hotel And Lodge Management System | 2025-10-08 | 5.8 MEDIUM | 4.7 MEDIUM |
| A security vulnerability has been detected in SourceCodester Hotel and Lodge Management System up to 1.0. The impacted element is an unknown function of the file /manage_website.php. The manipulation of the argument website_image/back_login_image leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2025-61768 | 2025-10-08 | N/A | N/A | ||
| KUNO CMS is a fully deployable full-stack blog application. In versions prior to 1.3.15, an SSRF (Server-Side Request Forgery) vulnerability exists in the Media module of the Kuno CMS administrative panel. A logged-in administrator can upload a specially crafted SVG file containing an external image reference, causing the server to initiate an outgoing connection to an arbitrary external URL. This can lead to information disclosure or internal network probing. Version 1.3.15 contains a fix for the issue. | |||||
| CVE-2024-46479 | 1 Venki | 1 Supravizio Bpm | 2025-10-07 | N/A | 9.9 CRITICAL |
| Venki Supravizio BPM through 18.0.1 was discovered to contain an arbitrary file upload vulnerability. An authenticated attacker may upload a malicious file, leading to remote code execution. | |||||
| CVE-2024-56508 | 1 Linkace | 1 Linkace | 2025-10-06 | N/A | 7.6 HIGH |
| LinkAce is a self-hosted archive to collect links of your favorite websites. Prior to 1.15.6, a file upload vulnerability exists in the LinkAce. This issue occurs in the "Import Bookmarks" functionality, where malicious HTML files can be uploaded containing JavaScript payloads. These payloads execute when the uploaded links are accessed, leading to potential reflected or persistent XSS scenarios. This vulnerability is fixed in 1.15.6. | |||||
| CVE-2025-59835 | 2025-10-06 | N/A | N/A | ||
| LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5. | |||||
| CVE-2025-9212 | 2025-10-06 | N/A | 7.5 HIGH | ||
| The WP Dispatcher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wp_dispatcher_process_upload() function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The directory does have an .htaccess file which limits the ability to achieve remote code execution. | |||||
| CVE-2025-61681 | 2025-10-06 | N/A | 5.4 MEDIUM | ||
| KUNO CMS is a fully deployable full-stack blog application. Versions 1.3.13 and below contain validation flaws in its file upload functionality that can be exploited for stored XSS. The upload endpoint only validates file types based on Content-Type headers, lacks file content analysis and extension whitelist restrictions, allowing attackers to upload SVG files containing malicious scripts (disguised as images). When users access the uploaded resource pages, arbitrary JavaScript executes in their browsers. This issue is fixed in version 1.3.14. | |||||
| CVE-2025-9561 | 2025-10-06 | N/A | 8.8 HIGH | ||
| The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider() handler in versions 3.8.1 to 3.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-11320 | 2025-10-06 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A security vulnerability has been detected in zhuimengshaonian wisdom-education up to 1.0.4. Impacted is the function uploadFile of the file src/main/java/com/education/core/controller/UploadController.java. Such manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2025-11318 | 2025-10-06 | 7.5 HIGH | 7.3 HIGH | ||
| A security flaw has been discovered in Tipray 厦门天锐科技股份有限公司 Data Leakage Prevention System 天锐数据泄露防护系统 1.0. This vulnerability affects unknown code of the file uploadWxFile.do. The manipulation of the argument File results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-1862 | 1 Wso2 | 4 Enterprise Integrator, Identity Server, Identity Server As Key Manager and 1 more | 2025-10-06 | N/A | 6.7 MEDIUM |
| An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL uploader SOAP service endpoint. A malicious actor with administrative privileges can upload arbitrary files to a user-controlled location on the server. By leveraging this vulnerability, an attacker can upload a specially crafted payload and achieve remote code execution (RCE), potentially compromising the server and its data. | |||||