Vulnerabilities (CVE)

Filtered by CWE-434
Total 4119 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-48034 2026-06-17 N/A 9.9 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in fliperrr Creates 3D Flipbook, PDF Flipbook create-flipbook-from-pdf allows Upload a Web Shell to a Web Server.This issue affects Creates 3D Flipbook, PDF Flipbook: from n/a through <= 1.2.
CVE-2024-48027 2026-06-17 N/A 9.9 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in xaraartech External featured image from bing external-featured-image-from-bing allows Upload a Web Shell to a Web Server.This issue affects External featured image from bing: from n/a through <= 1.0.2.
CVE-2024-47946 2026-06-17 N/A 7.2 HIGH
If the attacker has access to a valid Poweruser session, remote code execution is possible because specially crafted valid PNG files with injected PHP content can be uploaded as desktop backgrounds or lock screens. After the upload, the PHP script is available in the web root. The PHP code executes once the uploaded file is accessed. This allows the execution of arbitrary PHP code and OS commands on the device as "www-data".
CVE-2024-47823 1 Laravel 1 Livewire 2026-06-17 N/A 9.8 CRITICAL
Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute “.php” files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-47655 1 Shilpisoft 1 Client Dashboard 2026-06-17 N/A 8.8 HIGH
This vulnerability exists in the Shilpi Client Dashboard due to improper validation of files being uploaded other than the specified extension. An authenticated remote attacker could exploit this vulnerability by uploading malicious file, which could lead to remote code execution on targeted application.
CVE-2024-47649 2026-06-17 N/A 9.1 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in THATplugin Iconize iconize.This issue affects Iconize: from n/a through <= 1.2.4.
CVE-2024-47528 1 Librenms 1 Librenms 2026-06-17 N/A 4.8 MEDIUM
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Stored Cross-Site Scripting (XSS) can be achieved by uploading a new Background for a Custom Map. Users with "admin" role can set background for a custom map, this allow the upload of SVG file that can contain XSS payload which will trigger on load. This led to Stored Cross-Site Scripting (XSS). The vulnerability is fixed in 24.9.0.
CVE-2024-47423 2 Adobe, Microsoft 2 Framemaker, Windows 2026-06-17 N/A 7.8 HIGH
Adobe Framemaker versions 2020.6, 2022.4 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by uploading a malicious file which can be automatically processed or executed by the system. Exploitation of this issue requires user interaction.
CVE-2024-47319 2026-06-17 N/A 8.0 HIGH
Unrestricted Upload of File with Dangerous Type vulnerability in Bit Apps Bit Form bit-form.This issue affects Bit Form: from n/a through <= 2.13.10.
CVE-2024-47259 1 Axis 2 Axis Os, Axis Os 2024 2026-06-17 N/A 3.5 LOW
Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files to the Axis device with the purpose to exhaust system resources. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-47169 1 Agnai 1 Agnai 2026-06-17 N/A 8.8 HIGH
Agnai is an artificial-intelligence-agnostic multi-user, mult-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to upload arbitrary files to attacker-chosen locations on the server, including JavaScript, enabling the execution of commands within those files. This issue could result in unauthorized access, full server compromise, data leakage, and other critical security threats. This does not affect `agnai.chat`, installations using S3-compatible storage, or self-hosting that is not publicly exposed. This does affect publicly hosted installs without S3-compatible storage. Version 1.0.330 fixes this vulnerability.
CVE-2024-47151 1 Honor 1 Magicos 2026-06-17 N/A 6.3 MEDIUM
Some Honor products are affected by file writing vulnerability, successful exploitation could cause code execution
CVE-2024-46625 2026-06-17 N/A 8.8 HIGH
An authenticated arbitrary file upload vulnerability in the /documentCache/upload endpoint of InfoDom Performa 365 v4.0.1 allows attackers to execute arbitrary code via uploading a crafted SVG file.
CVE-2024-46482 2026-06-17 N/A 8.2 HIGH
An arbitrary file upload vulnerability in the Ticket Generation function of Ladybird Web Solution Faveo-Helpdesk v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .html or .svg file.
CVE-2024-46479 1 Venki 1 Supravizio Bpm 2026-06-17 N/A 9.9 CRITICAL
Venki Supravizio BPM through 18.0.1 was discovered to contain an arbitrary file upload vulnerability. An authenticated attacker may upload a malicious file, leading to remote code execution.
CVE-2024-46441 2026-06-17 N/A 8.8 HIGH
An arbitrary file upload vulnerability in YPay 1.2.0 allows attackers to execute arbitrary code via a ZIP archive to themePutFile in app/common/util/Upload.php (called from app/admin/controller/ypay/Home.php). The file extension of an uncompressed file is not checked.
CVE-2024-46377 1 Mayurik 1 Best House Rental Management System 2026-06-17 N/A 9.8 CRITICAL
Best House Rental Management System 1.0 contains an arbitrary file upload vulnerability in the save_settings() function of the file rental/admin_class.php.
CVE-2024-46373 1 Dedecms 1 Dedecms 2026-06-17 N/A 8.8 HIGH
Dedecms V5.7.115 contains an arbitrary code execution via file upload vulnerability in the backend.
CVE-2024-46210 1 Redaxo 1 Redaxo 2026-06-17 N/A 7.2 HIGH
An arbitrary file upload vulnerability in the MediaPool module of Redaxo CMS v5.17.1 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-46101 1 Gdidees 1 Gdidees Cms 2026-06-17 N/A 9.8 CRITICAL
GDidees CMS <= v3.9.1 has a file upload vulnerability.