Total
4131 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-2531 | 1 Magesh-k21 | 1 Online-college-event-hall-reservation-system | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected is an unknown function of the file /admin/update-rooms.php. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256968. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-2529 | 1 Magesh-k21 | 1 Online-college-event-hall-reservation-system | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/rooms.php. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-256966 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-2406 | 1 Gacjie Server Project | 1 Gacjie Server | 2026-06-17 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability, which was classified as critical, was found in Gacjie Server up to 1.0. This affects the function index of the file /app/admin/controller/Upload.php. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256503. | |||||
| CVE-2024-2381 | 1 Ali2woo | 1 Aliexpress Dropshipping With Alinext | 2026-06-17 | N/A | 8.8 HIGH |
| The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-2334 | 2026-06-17 | N/A | 6.4 MEDIUM | ||
| The Template Kit – Import plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template upload functionality in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-2268 | 1 Keerti1924 | 1 Online Bookstore Website | 2026-06-17 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in keerti1924 Online-Book-Store-Website 1.0. It has been classified as critical. Affected is an unknown function of the file /product_update.php?update=1. The manipulation of the argument update_image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-256038 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-2221 | 1 Qdrant | 1 Qdrant | 2026-06-17 | N/A | 9.8 CRITICAL |
| qdrant/qdrant is vulnerable to a path traversal and arbitrary file upload vulnerability via the `/collections/{COLLECTION}/snapshots/upload` endpoint, specifically through the `snapshot` parameter. This vulnerability allows attackers to upload and overwrite any file on the filesystem, leading to potential remote code execution. This issue affects the integrity and availability of the system, enabling unauthorized access and potentially causing the server to malfunction. | |||||
| CVE-2024-2148 | 1 Oretnom23 | 1 Online Mobile Store Management System | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in SourceCodester Online Mobile Management Store 1.0. This affects an unknown part of the file /classes/Users.php. The manipulation of the argument img leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255501 was assigned to this vulnerability. | |||||
| CVE-2024-2125 | 1 Donweb | 1 Envialosimple | 2026-06-17 | N/A | 8.8 HIGH |
| The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the gallery_add function. This makes it possible for unauthenticated attackers to upload malicious files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The Cross-Site Request Forgery was patched in 2.4, however, nothing was done about the ability to upload arbitrary files. | |||||
| CVE-2024-2058 | 1 Mayurik | 1 Petrol Pump Management | 2026-06-17 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in SourceCodester Petrol Pump Management Software 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/app/product.php. The manipulation of the argument photo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255373 was assigned to this vulnerability. | |||||
| CVE-2024-29974 | 1 Zyxel | 4 Nas326, Nas326 Firmware, Nas542 and 1 more | 2026-06-17 | N/A | 9.8 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** The remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device. | |||||
| CVE-2024-29891 | 1 Zitadel | 1 Zitadel | 2026-06-17 | N/A | 8.7 HIGH |
| ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work. The exploit could only be reproduced if the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17. | |||||
| CVE-2024-29848 | 1 Ivanti | 1 Avalanche | 2026-06-17 | N/A | 7.2 HIGH |
| An unrestricted file upload vulnerability in web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM. | |||||
| CVE-2024-29661 | 1 Dedecms | 1 Dedecms | 2026-06-17 | N/A | 9.8 CRITICAL |
| A File Upload vulnerability in DedeCMS v5.7 allows a local attacker to execute arbitrary code via a crafted payload. | |||||
| CVE-2024-29515 | 1 Lepton-cms | 1 Leptoncms | 2026-06-17 | N/A | 8.8 HIGH |
| File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file to the save.php and config.php component. | |||||
| CVE-2024-29514 | 1 Lepton-cms | 1 Leptoncms | 2026-06-17 | N/A | 8.8 HIGH |
| File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file. | |||||
| CVE-2024-29387 | 1 Projeqtor | 1 Projeqtor | 2026-06-17 | N/A | 8.8 HIGH |
| projeqtor up to 11.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /view/print.php. | |||||
| CVE-2024-29368 | 1 Mozilo | 1 Mozilocms | 2026-06-17 | N/A | 6.5 MEDIUM |
| An arbitrary file upload vulnerability in the file handling module of moziloCMS v2.0 allows attackers to bypass extension restrictions via file renaming, potentially leading to unauthorized file execution or storage of malicious content. | |||||
| CVE-2024-29272 | 1 Vvveb | 1 Vvvebjs | 2026-06-17 | N/A | 6.5 MEDIUM |
| Arbitrary File Upload vulnerability in VvvebJs before version 1.7.5, allows unauthenticated remote attackers to execute arbitrary code and obtain sensitive information via the sanitizeFileName parameter in save.php. | |||||
| CVE-2024-29135 | 1 Themefic | 1 Tourfic | 2026-06-17 | N/A | 9.9 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic tourfic.This issue affects Tourfic: from n/a through <= 2.11.15. | |||||
