Vulnerabilities (CVE)

Filtered by CWE-434
Total 4132 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-23630 1 Motorola 2 Mr2600, Mr2600 Firmware 2026-06-17 7.7 HIGH 9.0 CRITICAL
An arbitrary firmware upload vulnerability exists in the Motorola MR2600. An attacker can exploit this vulnerability to achieve code execution on the device. Authentication is required, however can be bypassed.
CVE-2024-23534 1 Ivanti 1 Avalanche 2026-06-17 N/A 8.8 HIGH
An Unrestricted File-upload vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
CVE-2024-23180 1 Appleple 1 A-blog Cms 2026-06-17 N/A 8.8 HIGH
Improper input validation vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute arbitrary code by uploading a specially crafted SVG file.
CVE-2024-22895 1 Dedecms 1 Dedecms 2026-06-17 N/A 8.8 HIGH
DedeCMS 5.7.112 has a File Upload vulnerability via uploads/dede/module_upload.php.
CVE-2024-22824 1 Auntvt 1 Timo 2026-06-17 N/A 9.8 CRITICAL
An issue in Timo v.2.0.3 allows a remote attacker to execute arbitrary code via the filetype restrictions in the UploadController.java component.
CVE-2024-22641 1 Tcpdf Project 1 Tcpdf 2026-06-17 N/A 7.5 HIGH
TCPDF version 6.6.5 and before is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted SVG file.
CVE-2024-22567 1 Mingsoft 1 Mcms 2026-06-17 N/A 8.8 HIGH
File Upload vulnerability in MCMS 5.3.5 allows attackers to upload arbitrary files via crafted POST request to /ms/file/upload.do.
CVE-2024-22550 1 Shopsite 1 Shopsite 2026-06-17 N/A 6.1 MEDIUM
An arbitrary file upload vulnerability in the component /alsdemo/ss/mediam.cgi of ShopSite v14.0 allows attackers to execute arbitrary code via uploading a crafted SVG file.
CVE-2024-22515 1 Ispyconnect 1 Agent Dvr 2026-06-17 N/A 8.8 HIGH
Unrestricted File Upload vulnerability in iSpyConnect.com Agent DVR 5.1.6.0 allows attackers to upload arbitrary files via the upload audio component.
CVE-2024-22426 1 Dell 1 Recoverpoint For Virtual Machines 2026-06-17 N/A 7.2 HIGH
Dell RecoverPoint for Virtual Machines 5.3.x, 6.0.SP1 contains an OS Command injection vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to execute arbitrary operating system commands, which will get executed in the context of the root user, resulting in a complete system compromise.
CVE-2024-22393 1 Apache 1 Answer 2026-06-17 N/A 9.1 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. Pixel Flood Attack by uploading large pixel files will cause server out of memory. A logged-in user can cause such an attack by uploading an image when posting content. Users are recommended to upgrade to version [1.2.5], which fixes the issue.
CVE-2024-22263 2026-06-17 N/A 8.8 HIGH
Spring Cloud Data Flow is a microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes. The Skipper server has the ability to receive upload package requests. However, due to improper sanitization for upload path, a malicious user who has access to skipper server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromises the server.
CVE-2024-22152 1 Webtoffee 1 Product Import Export For Woocommerce 2026-06-17 N/A 8.0 HIGH
Unrestricted Upload of File with Dangerous Type vulnerability in WebToffee Product Import Export for WooCommerce.This issue affects Product Import Export for WooCommerce: from n/a through 2.3.7.
CVE-2024-22135 1 Webtoffee 1 Order Export \& Order Import For Woocommerce 2026-06-17 N/A 8.0 HIGH
Unrestricted Upload of File with Dangerous Type vulnerability in WebToffee Order Export & Order Import for WooCommerce.This issue affects Order Export & Order Import for WooCommerce: from n/a through 2.4.3.
CVE-2024-22060 1 Ivanti 1 Neurons For Itsm 2026-06-17 N/A 4.9 MEDIUM
An unrestricted file upload vulnerability in web component of Ivanti Neurons for ITSM allows a remote, authenticated, high privileged user to write arbitrary files into sensitive directories of ITSM server.
CVE-2024-20296 1 Cisco 1 Identity Services Engine 2026-06-17 N/A 4.7 MEDIUM
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to upload arbitrary files to an affected device. To exploit this vulnerability, an attacker would need at least valid Policy Admin credentials on the affected device. This vulnerability is due to improper validation of files that are uploaded to the web-based management interface. An attacker could exploit this vulnerability by uploading arbitrary files to an affected device. A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root.
CVE-2024-1986 1 Booster 1 Booster For Woocommerce 2026-06-17 N/A 8.8 HIGH
The Booster Elite for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wc_add_new_product() function in all versions up to, and including, 7.1.7. This makes it possible for customer-level attackers, and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable when the user product upload functionality is enabled.
CVE-2024-1932 1 Freescout 1 Freescout 2026-06-17 N/A 4.8 MEDIUM
Unrestricted Upload of File with Dangerous Type in freescout-helpdesk/freescout
CVE-2024-1925 1 Ctcms Project 1 Ctcms 2026-06-17 4.6 MEDIUM 5.0 MEDIUM
A vulnerability was found in Ctcms 2.1.2. It has been declared as critical. This vulnerability affects unknown code of the file ctcms/apps/controllers/admin/Upsys.php. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254860.
CVE-2024-1921 1 Osuuu 1 Lightpicture 2026-06-17 5.8 MEDIUM 4.7 MEDIUM
A vulnerability, which was classified as critical, was found in osuuu LightPicture up to 1.2.2. Affected is an unknown function of the file /app/controller/Setup.php. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254856.