Total: 3821 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-57795 | 1 Explorance | 1 Blue | 2026-02-05 | N/A | 9.9 CRITICAL |
| Explorance Blue versions prior to 8.14.13 contain an authenticated remote file download vulnerability in a web service component. In default configurations, this flaw can be leveraged to achieve remote code execution. | |||||
| CVE-2026-24769 | 1 Nocodb | 1 Nocodb | 2026-02-04 | N/A | 9.0 CRITICAL |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because the malicious payload is stored server-side and executed under the application’s origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users. Version 0.301.0 patches the issue. | |||||
| CVE-2020-35945 | 1 Elegantthemes | 3 Divi, Divi Builder, Extra | 2026-02-04 | 6.5 MEDIUM | 9.9 CRITICAL |
| An issue was discovered in the Divi Builder plugin, Divi theme, and Divi Extra theme before 4.5.3 for WordPress. Authenticated attackers, with contributor-level or above capabilities, can upload arbitrary files, including .php files. This occurs because the check for file extensions is on the client side. | |||||
| CVE-2026-24729 | | | 2026-02-04 | N/A | N/A |
| An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file. | |||||
| CVE-2020-37023 | | | 2026-02-04 | N/A | 8.8 HIGH |
| Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. Attackers can upload PHP files with system command execution capabilities by manipulating the file upload request through a web proxy and changing the file extension. | |||||
| CVE-2026-1791 | | | 2026-02-04 | N/A | 2.7 LOW |
| Unrestricted Upload of File with Dangerous Type vulnerability in Hillstone Networks Operation and Maintenance Security Gateway on Linux allows Upload a Web Shell to a Web Server. This issue affects Operation and Maintenance Security Gateway: V5.5ST00001B113. | |||||
| CVE-2026-23704 | | | 2026-02-04 | N/A | 6.5 MEDIUM |
| A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | |||||
| CVE-2026-1756 | | | 2026-02-04 | N/A | 8.8 HIGH |
| The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WP_FOFT_Loader_Mimes::file_and_ext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-48782 | 1 Scshr | 1 Hr Portal | 2026-02-04 | N/A | 9.8 CRITICAL |
| An unrestricted upload of file with dangerous type vulnerability in the upload file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a malicious file. | |||||
| CVE-2022-50912 | 1 Impresscms | 1 Impresscms | 2026-02-03 | N/A | 9.8 CRITICAL |
| ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file extensions .php2.php6.php7.phps.pht to execute arbitrary PHP code on the server. | |||||
| CVE-2021-47758 | 1 Chikitsa | 1 Patient Management System | 2026-02-03 | N/A | 8.8 HIGH |
| Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious PHP plugins through the module upload functionality. Authenticated attackers can generate and upload a ZIP plugin with a PHP backdoor that enables arbitrary command execution on the server through a weaponized PHP script. | |||||
| CVE-2026-1730 | | | 2026-02-03 | N/A | 8.8 HIGH |
| The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2026-1065 | | | 2026-02-03 | N/A | 7.2 HIGH |
| The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms. | |||||
| CVE-2025-69565 | 1 Fabian | 1 Mobile Shop Management System | 2026-02-03 | N/A | 9.8 CRITICAL |
| code-projects Mobile Shop Management System 1.0 is vulnerable to File Upload in /ExAddProduct.php. | |||||
| CVE-2025-69559 | 1 Carmelo | 1 Computer Book Store | 2026-02-03 | N/A | 9.8 CRITICAL |
| code-projects Computer Book Store 1.0 is vulnerable to File Upload in admin_add.php. | |||||
| CVE-2025-36519 | | | 2026-02-03 | N/A | 4.3 MEDIUM |
| Unrestricted upload of file with dangerous type issue exists in WRC-2533GST2, WRC-1167GST2, WRC-2533GST2, WRC-2533GS2V-B, WRC-2533GS2-B v1.69 and earlier, WRC-2533GS2-W, WRC-1167GST2, WRC-1167GS2-B, and WRC-1167GS2H-B. If a specially crafted file is uploaded by a remote authenticated attacker, arbitrary code may be executed on the product. | |||||
| CVE-2024-5911 | 1 Paloaltonetworks | 1 Pan-os | 2026-01-30 | N/A | 4.9 MEDIUM |
| An arbitrary file upload vulnerability in Palo Alto Networks Panorama software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and crash the Panorama. Repeated attacks eventually cause the Panorama to enter maintenance mode, which requires manual intervention to bring the Panorama back online. | |||||
| CVE-2025-8889 | 1 Eliehanna | 1 Compress And Upload Plugin | 2026-01-30 | N/A | 3.8 LOW |
| The Compress & Upload WordPress plugin before 1.0.5 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup). | |||||
| CVE-2026-21625 | 1 Stackideas | 1 Easydiscuss | 2026-01-30 | N/A | 8.8 HIGH |
| User provided uploads to the Easy Discuss component for Joomla aren't properly validated. Uploads are purely checked by file extensions, no mime type checks are happening. | |||||
| CVE-2025-70457 | 1 Remyandrade | 1 Modern Image Gallery App | 2026-01-30 | N/A | 9.8 CRITICAL |
| A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise. | |||||
