Total
4132 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-27480 | 1 Vvveb | 1 Vvvebjs | 2026-06-17 | N/A | 9.8 CRITICAL |
| givanz VvvebJs 1.7.2 is vulnerable to Insecure File Upload. | |||||
| CVE-2024-27311 | 1 Zohocorp | 1 Manageengine Ddi Central | 2026-06-17 | N/A | 5.5 MEDIUM |
| Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to directory traversal vulnerability which allows the user to upload new files to the server folder. | |||||
| CVE-2024-27283 | 1 Veritas | 1 Ediscovery Platform | 2026-06-17 | N/A | 7.2 HIGH |
| A vulnerability was discovered in Veritas eDiscovery Platform before 10.2.5. The application administrator can upload potentially malicious files to arbitrary locations on the server on which the application is installed. | |||||
| CVE-2024-27115 | 1 Soplanning | 1 Soplanning | 2026-06-17 | N/A | 9.8 CRITICAL |
| A unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerability, an attacker can upload executable files that are moved to a publicly accessible folder before verifying any requirements. This leads to the possibility of execution of code on the underlying system when the file is triggered. The vulnerability has been remediated in version 1.52.02. | |||||
| CVE-2024-26503 | 1 Openeclass | 1 Openeclass | 2026-06-17 | N/A | 9.1 CRITICAL |
| Unrestricted File Upload vulnerability in Greek Universities Network Open eClass v.3.15 and earlier allows attackers to run arbitrary code via upload of crafted file to certbadge.php endpoint. | |||||
| CVE-2024-25994 | 1 Phoenixcontact | 8 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 5 more | 2026-06-17 | N/A | 5.3 MEDIUM |
| An unauthenticated remote attacker can upload a arbitrary script file due to improper input validation. The upload destination is fixed and is write only. | |||||
| CVE-2024-25925 | 1 Sysbasics | 1 Easy Checkout Field Editor | 2026-06-17 | N/A | 10.0 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in SYSBASICS WooCommerce Easy Checkout Field Editor, Fees & Discounts.This issue affects WooCommerce Easy Checkout Field Editor, Fees & Discounts: from n/a through 3.5.12. | |||||
| CVE-2024-25913 | 1 Skymoonlabs | 1 Moveto | 2026-06-17 | N/A | 10.0 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in Skymoonlabs MoveTo.This issue affects MoveTo: from n/a through 6.2. | |||||
| CVE-2024-25909 | 1 Joomunited | 1 Wp Media Folder | 2026-06-17 | N/A | 9.9 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in JoomUnited WP Media folder.This issue affects WP Media folder: from n/a through 5.7.2. | |||||
| CVE-2024-25869 | 1 Codeastro | 1 Membership Management System | 2026-06-17 | N/A | 8.8 HIGH |
| An Unrestricted File Upload vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary code via upload of a crafted php file in the settings.php component. | |||||
| CVE-2024-25846 | 1 Myprestamodules | 1 Product Catalog \(csv\, Excel\) Import | 2026-06-17 | N/A | 9.1 CRITICAL |
| In the module "Product Catalog (CSV, Excel) Import" (simpleimportproduct) <= 6.7.0 from MyPrestaModules for PrestaShop, a guest can upload files with extensions .php. | |||||
| CVE-2024-25832 | 1 F-logic | 1 Datacube3 | 2026-06-17 | N/A | 8.8 HIGH |
| F-logic DataCube3 v1.0 is vulnerable to unrestricted file upload, which could allow an authenticated malicious actor to upload a file of dangerous type by manipulating the filename extension. | |||||
| CVE-2024-25802 | 1 Skinsoft | 1 S-museum | 2026-06-17 | N/A | 9.8 CRITICAL |
| SKINsoft S-Museum 7.02.3 allows Unrestricted File Upload via the Add Media function. Unlike in CVE-2024-25801, the attack payload is the file content. | |||||
| CVE-2024-25801 | 1 Skinsoft | 1 S-museum | 2026-06-17 | N/A | 6.1 MEDIUM |
| SKINsoft S-Museum 7.02.3 allows XSS via the filename of an uploaded file. Unlike in CVE-2024-25802, the attack payload is in the name (not the content) of a file. | |||||
| CVE-2024-25636 | 1 Misskey | 1 Misskey | 2026-06-17 | N/A | 7.1 HIGH |
| Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue. | |||||
| CVE-2024-25627 | 1 Alf | 1 Alf | 2026-06-17 | N/A | 3.5 LOW |
| Alf.io is a free and open source event attendance management system. An administrator on the alf.io application is able to upload HTML files that trigger JavaScript payloads. As such, an attacker gaining administrative access to the alf.io application may be able to persist access by planting an XSS payload. This issue has been addressed in version 2.0-M4-2402. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-25623 | 1 Joinmastodon | 1 Mastodon | 2026-06-17 | N/A | 8.5 HIGH |
| Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: allows the attacker to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue. | |||||
| CVE-2024-25414 | 1 Cszcms | 1 Csz Cms | 2026-06-17 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in /admin/upgrade of CSZ CMS v1.3.0 allows attackers to execute arbitrary code via uploading a crafted Zip file. | |||||
| CVE-2024-25410 | 1 Flusity | 1 Flusity | 2026-06-17 | N/A | 6.5 MEDIUM |
| flusity-CMS 2.33 is vulnerable to Unrestricted Upload of File with Dangerous Type in update_setting.php. | |||||
| CVE-2024-25274 | 1 Xxyopen | 1 Novel-plus | 2026-06-17 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the component /sysFile/upload of Novel-Plus v4.3.0-RC1 allows attackers to execute arbitrary code via uploading a crafted file. | |||||
