Vulnerabilities (CVE)

Filtered by CWE-434
Total 4124 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-3123 2026-06-17 N/A 7.2 HIGH
CHANGING Mobile One Time Password's uploading function in a hidden page does not filter file type properly. Remote attackers with administrator privilege can exploit this vulnerability to upload and run malicious file to execute system commands.
CVE-2024-3117 1 Youdiancms 1 Youdiancms 2026-06-17 5.8 MEDIUM 4.7 MEDIUM
A vulnerability classified as critical was found in YouDianCMS up to 9.5.12. This vulnerability affects unknown code of the file App\Lib\Action\Admin\ChannelAction.class.php. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-258778 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-3112 1 Bestwebsoft 1 Quotes And Tips 2026-06-17 N/A 4.8 MEDIUM
The Quotes and Tips by BestWebSoft WordPress plugin before 1.45 does not properly validate image files uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)
CVE-2024-3022 1 Reputeinfosystems 1 Bookingpress 2026-06-17 N/A 7.2 HIGH
The BookingPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient filename validation in the 'bookingpress_process_upload' function in all versions up to, and including 1.0.87. This allows an authenticated attacker with administrator-level capabilities or higher to upload arbitrary files on the affected site's server, enabling remote code execution.
CVE-2024-39865 1 Siemens 1 Sinema Remote Connect Server 2026-06-17 N/A 8.8 HIGH
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows users to upload encrypted backup files. As part of this backup, files can be restored without correctly checking the path of the restored file. This could allow an attacker with access to the backup encryption key to upload malicious files, that could potentially lead to remote code execution.
CVE-2024-39752 1 Ibm 1 Analytics Content Hub 2026-06-17 N/A 6.8 MEDIUM
IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 could be vulnerable to malicious file upload by not validating the type of file uploaded to Explore Content. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks.
CVE-2024-39717 1 Versa-networks 1 Versa Director 2026-06-17 N/A 7.2 HIGH
The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. (Tenant level users do not have this privilege). The “Change Favicon” (Favorite Icon) option can be mis-used to upload a malicious file ending with .png extension to masquerade as image file. This is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin has successfully authenticated and logged in.
CVE-2024-39397 1 Adobe 2 Commerce, Magento 2026-06-17 N/A 9.0 CRITICAL
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution by an attacker. An attacker could exploit this vulnerability by uploading a malicious file which can then be executed on the server. Exploitation of this issue does not require user interaction, but attack complexity is high and scope is changed.
CVE-2024-38736 2026-06-17 N/A 9.1 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Realtyna Realtyna Organic IDX plugin allows Code Injection.This issue affects Realtyna Organic IDX plugin: from n/a through 4.14.13.
CVE-2024-38734 2026-06-17 N/A 9.1 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in SpreadsheetConverter Import Spreadsheets from Microsoft Excel allows Code Injection.This issue affects Import Spreadsheets from Microsoft Excel: from n/a through 10.1.4.
CVE-2024-38530 1 Openeclass 1 Openeclass 2026-06-17 N/A 9.8 CRITICAL
The Open eClass platform (formerly known as GUnet eClass) is a complete Course Management System. An arbitrary file upload vulnerability in the "save" functionality of the H5P module enables unauthenticated users to upload arbitrary files on the server's filesystem. This may lead in unrestricted RCE on the backend server, since the upload location is accessible from the internet. This vulnerability is fixed in 3.16.
CVE-2024-38529 1 Admidio 1 Admidio 2026-06-17 N/A 9.0 CRITICAL
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.10, there is a Remote Code Execution Vulnerability in the Message module of the Admidio Application, where it is possible to upload a PHP file in the attachment. The uploaded file can be accessed publicly through the URL `{admidio_base_url}/adm_my_files/messages_attachments/{file_name}`. The vulnerability is caused due to the lack of file extension verification, allowing malicious files to be uploaded to the server and public availability of the uploaded file. This vulnerability is fixed in 4.3.10.
CVE-2024-37869 1 Emiloimagtolis 1 Online Discussion Forum 2026-06-17 N/A 8.8 HIGH
File Upload vulnerability in Itsourcecode Online Discussion Forum Project v.1.0 allows a remote attacker to execute arbitrary code via the "poster.php" file, and the uploaded file was received using the "$- FILES" variable
CVE-2024-37868 1 Emiloimagtolis 1 Online Discussion Forum 2026-06-17 N/A 8.8 HIGH
File Upload vulnerability in Itsourcecode Online Discussion Forum Project v.1.0 allows a remote attacker to execute arbitrary code via the "sendreply.php" file, and the uploaded file was received using the "$- FILES" variable.
CVE-2024-37847 1 Radixiot 2 Mango, Mangoapi 2026-06-17 N/A 8.8 HIGH
An arbitrary file upload vulnerability in MangoOS before 5.1.4 and Mango API before 4.5.5 allows attackers to execute arbitrary code via a crafted file.
CVE-2024-37762 1 Machform 1 Machform 2026-06-17 N/A 9.9 CRITICAL
MachForm up to version 21 is affected by an authenticated unrestricted file upload which leads to a remote code execution.
CVE-2024-37555 1 Zealousweb 1 Generate Pdf Using Contact Form 7 2026-06-17 N/A 9.1 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in ZealousWeb Generate PDF using Contact Form 7 generate-pdf-using-contact-form-7.This issue affects Generate PDF using Contact Form 7: from n/a through <= 4.1.2.
CVE-2024-37424 2026-06-17 N/A 9.9 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Automattic Newspack Blocks allows Upload a Web Shell to a Web Server.This issue affects Newspack Blocks: from n/a through 3.0.8.
CVE-2024-37420 2026-06-17 N/A 9.9 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in WPZita Zita Elementor Site Library allows Upload a Web Shell to a Web Server.This issue affects Zita Elementor Site Library: from n/a through 1.6.1.
CVE-2024-37418 1 Church Admin Project 1 Church Admin 2026-06-17 N/A 9.9 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in andy_moyle Church Admin church-admin.This issue affects Church Admin: from n/a through <= 4.4.6.