Vulnerabilities (CVE)

Filtered by CWE-434
Total 4132 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-25182 1 Vvveb 1 Vvvebjs 2026-06-17 N/A 9.8 CRITICAL
givanz VvvebJs 1.7.2 suffers from a File Upload vulnerability via save.php.
CVE-2024-25034 1 Ibm 1 Planning Analytics 2026-06-17 N/A 8.0 HIGH
IBM Planning Analytics 2.0 and 2.1 could be vulnerable to malicious file upload by not validating the type of file in the File Manager T1 process. Attackers can make use of this weakness and upload malicious executable files into the system that can be sent to victims for performing further attacks.
CVE-2024-25020 1 Ibm 1 Cognos Controller 2026-06-17 N/A 5.5 MEDIUM
IBM Cognos Controller 11.0.0 and 11.0.1 is vulnerable to malicious file upload by allowing unrestricted filetype attachments in the Journal entry page. Attackers can make use of this weakness and upload malicious executable files into the system and can be sent to victims for performing further attacks.
CVE-2024-25019 1 Ibm 1 Cognos Controller 2026-06-17 N/A 5.5 MEDIUM
IBM Cognos Controller 11.0.0 and 11.0.1 could be vulnerable to malicious file upload by not validating the type of file uploaded to Journal entry attachments. Attackers can make use of this weakness and upload malicious executable files into the system that can be sent to victims for performing further attacks.
CVE-2024-24714 1 Bplugins 1 Icons Font Loader 2026-06-17 N/A 7.2 HIGH
Unrestricted Upload of File with Dangerous Type vulnerability in bPlugins LLC Icons Font Loader.This issue affects Icons Font Loader: from n/a through 1.1.4.
CVE-2024-24551 1 Bludit 1 Bludit 2026-06-17 N/A 8.8 HIGH
A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.
CVE-2024-24550 1 Bludit 1 Bludit 2026-06-17 N/A 8.1 HIGH
A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.
CVE-2024-24399 1 Lepton-cms 1 Leptoncms 2026-06-17 N/A 7.2 HIGH
An arbitrary file upload vulnerability in LEPTON v7.0.0 allows authenticated attackers to execute arbitrary PHP code by uploading this code to the backend/languages/index.php languages area.
CVE-2024-24393 1 Oaooa 1 Pichome 2026-06-17 N/A 9.8 CRITICAL
File Upload vulnerability index.php in Pichome v.1.1.01 allows a remote attacker to execute arbitrary code via crafted POST request.
CVE-2024-24350 1 Softwarepublico 1 E-sic Livre 2026-06-17 N/A 8.8 HIGH
File Upload vulnerability in Software Publico e-Sic Livre v.2.0 and before allows a remote attacker to execute arbitrary code via the extension filtering component.
CVE-2024-24202 1 Easycorp 3 Zentao, Zentao Biz, Zentao Max 2026-06-17 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability in /upgrade/control.php of ZenTao Community Edition v18.10, ZenTao Biz v8.10, and ZenTao Max v4.10 allows attackers to execute arbitrary code via uploading a crafted .txt file.
CVE-2024-24146 1 Libming 1 Libming 2026-06-17 N/A 6.5 MEDIUM
A memory leak issue discovered in parseSWF_DEFINEBUTTON in libming v0.4.8 allows attackers to cause s denial of service via a crafted SWF file.
CVE-2024-24026 1 Xxyopen 1 Novel-plus 2026-06-17 N/A 9.8 CRITICAL
An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download.
CVE-2024-24025 1 Xxyopen 1 Novel-plus 2026-06-17 N/A 9.8 CRITICAL
An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download.
CVE-2024-24024 1 Xxyopen 1 Novel-plus 2026-06-17 N/A 9.8 CRITICAL
An arbitrary File download vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: fileDownload(). An attacker can pass in specially crafted filePath and fieName parameters to perform arbitrary File download.
CVE-2024-24000 1 Huaxiaerp 1 Jsherp 2026-06-17 N/A 9.8 CRITICAL
jshERP v3.3 is vulnerable to Arbitrary File Upload. The jshERP-boot/systemConfig/upload interface does not check the uploaded file type, and the biz parameter can be spliced into the upload path, resulting in arbitrary file uploads with controllable paths.
CVE-2024-23946 1 Apache 1 Ofbiz 2026-06-17 N/A 5.3 MEDIUM
Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue.
CVE-2024-23811 1 Siemens 1 Sinec Nms 2026-06-17 N/A 8.8 HIGH
A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application allows users to upload arbitrary files via TFTP. This could allow an attacker to upload malicious firmware images or other files, that could potentially lead to remote code execution.
CVE-2024-23762 1 Gambio 1 Gambio 2026-06-17 N/A 7.8 HIGH
Unrestricted File Upload vulnerability in Content Manager feature in Gambio 4.9.2.0 allows attackers to execute arbitrary code via upload of crafted PHP file.
CVE-2024-23759 1 Gambio 1 Gambio 2026-06-17 N/A 9.8 CRITICAL
Deserialization of Untrusted Data in Gambio through 4.9.2.0 allows attackers to run arbitrary code via "search" parameter of the Parcelshopfinder/AddAddressBookEntry" function.