Vulnerabilities (CVE)

Filtered by CWE-434
Total 4121 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-40645 1 Fogproject 1 Fogproject 2026-06-17 N/A 8.8 HIGH
FOG is a cloning/imaging/rescue suite/inventory management system. An improperly restricted file upload feature allows authenticated users to execute arbitrary code on the fogproject server. The Rebranding feature has a check on the client banner image requiring it to be 650 pixels wide and 120 pixels high. Apart from that, there are no checks on things like file extensions. This can be abused by appending a PHP webshell to the end of the image and changing the extension to anything the PHP web server will parse. This vulnerability is fixed in 1.5.10.41.
CVE-2024-40555 1 Project Team 1 Tmall Demo 2026-06-17 N/A 5.3 MEDIUM
Tmall_demo v2024.07.03 was discovered to contain an arbitrary file upload vulnerability.
CVE-2024-40553 1 Project Team 1 Tmall Demo 2026-06-17 N/A 4.9 MEDIUM
Tmall_demo v2024.07.03 was discovered to contain an arbitrary file upload via the component uploadUserHeadImage.
CVE-2024-40551 1 Publiccms 1 Publiccms 2026-06-17 N/A 8.8 HIGH
An arbitrary file upload vulnerability in the component /admin/cmsTemplate/doUpload of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-40550 1 Publiccms 1 Publiccms 2026-06-17 N/A 8.8 HIGH
An arbitrary file upload vulnerability in the component /admin/cmsTemplate/savePlaceMetaData of Public CMS v.4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-40549 1 Publiccms 1 Publiccms 2026-06-17 N/A 8.8 HIGH
An arbitrary file upload vulnerability in the component /admin/cmsTemplate/savePlace of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-40548 1 Publiccms 1 Publiccms 2026-06-17 N/A 8.8 HIGH
An arbitrary file upload vulnerability in the component /admin/cmsTemplate/save of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-40546 1 Publiccms 1 Publiccms 2026-06-17 N/A 8.8 HIGH
An arbitrary file upload vulnerability in the component /admin/cmsWebFile/save of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-40545 1 Publiccms 1 Publiccms 2026-06-17 N/A 8.8 HIGH
An arbitrary file upload vulnerability in the component /admin/cmsWebFile/doUpload of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-40513 1 Themesbrand 1 Chatvia 2026-06-17 N/A 4.6 MEDIUM
An issue in themesebrand Chatvia v.5.3.2 allows a remote attacker to execute arbitrary code via the User profile Upload image function.
CVE-2024-40425 1 Sparkshop 1 Sparkshop 2026-06-17 N/A 9.8 CRITICAL
File Upload vulnerability in Nanjin Xingyuantu Technology Co Sparkshop (Spark Mall B2C Mall v.1.1.6 and before allows a remote attacker to execute arbitrary code via the contorller/common.php component.
CVE-2024-40400 1 Automad 1 Automad 2026-06-17 N/A 8.8 HIGH
An arbitrary file upload vulnerability in the image upload function of Automad v2.0.0 allows attackers to execute arbitrary code via a crafted file.
CVE-2024-40394 1 Oretnom23 1 Simple Library Management System 2026-06-17 N/A 9.8 CRITICAL
Simple Library Management System Project Using PHP/MySQL v1.0 was discovered to contain an arbitrary file upload vulnerability via the component ajax.php.
CVE-2024-40318 1 Webkul 1 Qloapps 2026-06-17 N/A 7.2 HIGH
An arbitrary file upload vulnerability in Webkul Qloapps v1.6.0.0 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-40125 1 Closed-loop 1 Cless Server 2026-06-17 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability in the Media Manager function of Closed-Loop Technology CLESS Server v4.5.2 allows attackers to execute arbitrary code via uploading a crafted PHP file to the upload endpoint.
CVE-2024-40071 1 Oretnom23 1 Online Id Generator System 2026-06-17 N/A 9.8 CRITICAL
Sourcecodester Online ID Generator System 1.0 was discovered to contain an arbitrary file upload vulnerability via id_generator/classes/SystemSettings.php?f=update_settings. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2024-3962 1 Themeisle 1 Product Addons \& Fields For Woocommerce 2026-06-17 N/A 9.8 CRITICAL
The Product Addons & Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ppom_upload_file function in all versions up to, and including, 32.0.18. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires the PPOM Pro plugin to be installed along with a WooCommerce product that contains a file upload field to retrieve the correct nonce.
CVE-2024-3948 1 Library System Project 1 Library System 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in SourceCodester Home Clean Service System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file \admin\student.add.php of the component Photo Handler. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-261440.
CVE-2024-3912 2026-06-17 N/A 9.8 CRITICAL
Certain models of ASUS routers have an arbitrary firmware upload vulnerability. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary system commands on the device.
CVE-2024-3863 1 Mozilla 2 Firefox, Thunderbird 2026-06-17 N/A 9.8 CRITICAL
The executable file warning was not presented when downloading .xrm-ms files. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.