Vulnerabilities (CVE)

Filtered by CWE-434
Total 4115 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-52302 2026-06-17 N/A N/A
common-user-management is a robust Spring Boot application featuring user management services designed to control user access dynamically. There is a critical security vulnerability in the application endpoint /api/v1/customer/profile-picture. This endpoint allows file uploads without proper validation or restrictions, enabling attackers to upload malicious files that can lead to Remote Code Execution (RCE).
CVE-2024-51991 1 Octobercms 1 October 2026-06-17 N/A 4.9 MEDIUM
October is a Content Management System (CMS) and web platform. A vulnerability in versions prior to 3.7.5 affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configuration will sanitize SVG files uploaded using the media manager. This vulnerability allows an authenticated user to bypass this protection by uploading it with a permitted extension (for example, .jpg or .png) and later modifying it to the .svg extension. This vulnerability assumes a trusted user will attack another trusted user and cannot be actively exploited without access to the administration panel and interaction from the other user. This issue has been patched in v3.7.5.
CVE-2024-51919 2026-06-17 N/A 9.0 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in radykal Fancy Product Designer fancy-product-designer.This issue affects Fancy Product Designer: from n/a through <= 6.4.3.
CVE-2024-51793 1 Webfulcreations 1 Computer Repair Shop 2026-06-17 N/A 10.0 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Ateeq Rafeeq RepairBuddy computer-repair-shop allows Upload a Web Shell to a Web Server.This issue affects RepairBuddy: from n/a through <= 3.8115.
CVE-2024-51792 2026-06-17 N/A 10.0 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Dang Ngoc Binh Audio Record audio-record allows Upload a Web Shell to a Web Server.This issue affects Audio Record: from n/a through <= 1.0.
CVE-2024-51791 2026-06-17 N/A 10.0 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms forms-by-made-it allows Upload a Web Shell to a Web Server.This issue affects Forms: from n/a through <= 2.8.0.
CVE-2024-51790 2026-06-17 N/A 10.0 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in HB WEBSOL HB AUDIO GALLERY hb-audio-gallery allows Upload a Web Shell to a Web Server.This issue affects HB AUDIO GALLERY: from n/a through <= 3.0.
CVE-2024-51789 2026-06-17 N/A 10.0 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in UjW0L Image Classify image-classify allows Upload a Web Shell to a Web Server.This issue affects Image Classify: from n/a through <= 1.0.0.
CVE-2024-51788 2026-06-17 N/A 10.0 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Joshua Wolfe The Novel Design Store Directory noveldesign-store-directory allows Upload a Web Shell to a Web Server.This issue affects The Novel Design Store Directory: from n/a through <= 4.3.0.
CVE-2024-51743 1 Markusproject 1 Markus 2026-06-17 N/A 8.8 HIGH
MarkUs is a web application for the submission and grading of student assignments. In versions prior to 2.4.8, an arbitrary file write vulnerability in the update/upload/create file methods in Controllers allows authenticated instructors to write arbitrary files to any location on the web server MarkUs is running on (depending on the permissions of the underlying filesystem). e.g. This can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application. MarkUs v2.4.8 has addressed this issue. No known workarounds are available at the application level aside from upgrading.
CVE-2024-51548 1 Abb 38 Aspect-ent-12, Aspect-ent-12 Firmware, Aspect-ent-2 and 35 more 2026-06-17 N/A 9.9 CRITICAL
Dangerous File Upload vulnerabilities allow upload of malicious scripts.  Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02
CVE-2024-51499 1 Markusproject 1 Markus 2026-06-17 N/A 8.8 HIGH
MarkUs is a web application for the submission and grading of student assignments. In versions prior to 2.4.8, an arbitrary file write vulnerability accessible via the update_files method of the SubmissionsController allows authenticated users (e.g. students) to write arbitrary files to any location on the web server MarkUs is running on (depending on the permissions of the underlying filesystem). e.g. This can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application. MarkUs v2.4.8 has addressed this issue. No known workarounds are available at the application level aside from upgrading.
CVE-2024-51208 1 Phpgurukul 1 Boat Booking System 2026-06-17 N/A 7.2 HIGH
File Upload vulnerability in change-image.php in Anuj Kumar's Boat Booking System version 1.0 allows local attackers to upload a malicious PHP script via the Image Upload Mechanism parameter.
CVE-2024-51152 1 Alexstack 1 Laravel Cms 2026-06-17 N/A 7.2 HIGH
File Upload vulnerability in Laravel CMS v.1.4.7 and before allows a remote attacker to execute arbitrary code via the shell.php a component.
CVE-2024-50652 1 Geeeeeeeek 1 Java Shop 2026-06-17 N/A 4.3 MEDIUM
A file upload vulnerability in java_shop 1.0 allows attackers to upload arbitrary files by modifying the avatar function.
CVE-2024-50625 1 Digi 7 Connectport Lts 16, Connectport Lts 16 Mei, Connectport Lts 16 Mei 2ac and 4 more 2026-06-17 N/A 8.0 HIGH
An issue was discovered in Digi ConnectPort LTS before 1.4.12. A vulnerability in the file upload handling of a web application allows manipulation of file paths via POST requests. This can lead to arbitrary file uploads within specific directories, potentially enabling privilege escalation when combined with other vulnerabilities.
CVE-2024-50623 1 Cleo 3 Harmony, Lexicom, Vltrader 2026-06-17 N/A 9.8 CRITICAL
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
CVE-2024-50620 1 Cipplanner 1 Cipace 2026-06-17 N/A 8.8 HIGH
Unrestricted Upload of File with Dangerous Type vulnerabilities exist in the rich text editor and document manage components in CIPPlanner CIPAce before 9.17. An authorized user can upload executable files when inserting images in the rich text editor, and upload executable files when uploading files on the document management page. Those executables can be executed if they are not stored in a shared directory or if the storage directory has executed permissions.
CVE-2024-50531 1 Carrcommunications 1 Rsvpmaker 2026-06-17 N/A 10.0 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in davidfcarr RSVPMaker for Toastmasters rsvpmaker-for-toastmasters allows Upload a Web Shell to a Web Server.This issue affects RSVPMaker for Toastmasters: from n/a through <= 6.2.4.
CVE-2024-50530 1 Myriadsolutionz 1 Stars Smtp Mailer 2026-06-17 N/A 9.9 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Myriad Solutionz Stars SMTP Mailer stars-smtp-mailer allows Upload a Web Shell to a Web Server.This issue affects Stars SMTP Mailer: from n/a through <= 2.2.1.