Vulnerabilities (CVE)

Filtered by CWE-434
Total 4132 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-27480 1 Vvveb 1 Vvvebjs 2026-06-17 N/A 9.8 CRITICAL
givanz VvvebJs 1.7.2 is vulnerable to Insecure File Upload.
CVE-2024-27311 1 Zohocorp 1 Manageengine Ddi Central 2026-06-17 N/A 5.5 MEDIUM
Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to directory traversal vulnerability which allows the user to upload new files to the server folder.
CVE-2024-27283 1 Veritas 1 Ediscovery Platform 2026-06-17 N/A 7.2 HIGH
A vulnerability was discovered in Veritas eDiscovery Platform before 10.2.5. The application administrator can upload potentially malicious files to arbitrary locations on the server on which the application is installed.
CVE-2024-27115 1 Soplanning 1 Soplanning 2026-06-17 N/A 9.8 CRITICAL
A unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerability, an attacker can upload executable files that are moved to a publicly accessible folder before verifying any requirements. This leads to the possibility of execution of code on the underlying system when the file is triggered. The vulnerability has been remediated in version 1.52.02.
CVE-2024-26503 1 Openeclass 1 Openeclass 2026-06-17 N/A 9.1 CRITICAL
Unrestricted File Upload vulnerability in Greek Universities Network Open eClass v.3.15 and earlier allows attackers to run arbitrary code via upload of crafted file to certbadge.php endpoint.
CVE-2024-25994 1 Phoenixcontact 8 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 5 more 2026-06-17 N/A 5.3 MEDIUM
An unauthenticated remote attacker can upload a arbitrary script file due to improper input validation. The upload destination is fixed and is write only.
CVE-2024-25925 1 Sysbasics 1 Easy Checkout Field Editor 2026-06-17 N/A 10.0 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in SYSBASICS WooCommerce Easy Checkout Field Editor, Fees & Discounts.This issue affects WooCommerce Easy Checkout Field Editor, Fees & Discounts: from n/a through 3.5.12.
CVE-2024-25913 1 Skymoonlabs 1 Moveto 2026-06-17 N/A 10.0 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Skymoonlabs MoveTo.This issue affects MoveTo: from n/a through 6.2.
CVE-2024-25909 1 Joomunited 1 Wp Media Folder 2026-06-17 N/A 9.9 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in JoomUnited WP Media folder.This issue affects WP Media folder: from n/a through 5.7.2.
CVE-2024-25869 1 Codeastro 1 Membership Management System 2026-06-17 N/A 8.8 HIGH
An Unrestricted File Upload vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary code via upload of a crafted php file in the settings.php component.
CVE-2024-25846 1 Myprestamodules 1 Product Catalog \(csv\, Excel\) Import 2026-06-17 N/A 9.1 CRITICAL
In the module "Product Catalog (CSV, Excel) Import" (simpleimportproduct) <= 6.7.0 from MyPrestaModules for PrestaShop, a guest can upload files with extensions .php.
CVE-2024-25832 1 F-logic 1 Datacube3 2026-06-17 N/A 8.8 HIGH
F-logic DataCube3 v1.0 is vulnerable to unrestricted file upload, which could allow an authenticated malicious actor to upload a file of dangerous type by manipulating the filename extension.
CVE-2024-25802 1 Skinsoft 1 S-museum 2026-06-17 N/A 9.8 CRITICAL
SKINsoft S-Museum 7.02.3 allows Unrestricted File Upload via the Add Media function. Unlike in CVE-2024-25801, the attack payload is the file content.
CVE-2024-25801 1 Skinsoft 1 S-museum 2026-06-17 N/A 6.1 MEDIUM
SKINsoft S-Museum 7.02.3 allows XSS via the filename of an uploaded file. Unlike in CVE-2024-25802, the attack payload is in the name (not the content) of a file.
CVE-2024-25636 1 Misskey 1 Misskey 2026-06-17 N/A 7.1 HIGH
Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue.
CVE-2024-25627 1 Alf 1 Alf 2026-06-17 N/A 3.5 LOW
Alf.io is a free and open source event attendance management system. An administrator on the alf.io application is able to upload HTML files that trigger JavaScript payloads. As such, an attacker gaining administrative access to the alf.io application may be able to persist access by planting an XSS payload. This issue has been addressed in version 2.0-M4-2402. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-25623 1 Joinmastodon 1 Mastodon 2026-06-17 N/A 8.5 HIGH
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: allows the attacker to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue.
CVE-2024-25414 1 Cszcms 1 Csz Cms 2026-06-17 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability in /admin/upgrade of CSZ CMS v1.3.0 allows attackers to execute arbitrary code via uploading a crafted Zip file.
CVE-2024-25410 1 Flusity 1 Flusity 2026-06-17 N/A 6.5 MEDIUM
flusity-CMS 2.33 is vulnerable to Unrestricted Upload of File with Dangerous Type in update_setting.php.
CVE-2024-25274 1 Xxyopen 1 Novel-plus 2026-06-17 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability in the component /sysFile/upload of Novel-Plus v4.3.0-RC1 allows attackers to execute arbitrary code via uploading a crafted file.