Total
3336 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-40051 | 1 Progress | 2 Openedge, Openedge Innovation | 2025-06-02 | 9.1 Critical |
| This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0. An attacker can formulate a request for a WEB transport that allows unintended file uploads to a server directory path on the system running PASOE. If the upload contains a payload that can further exploit the server or its network, the launch of a larger scale attack may be possible. | ||||
| CVE-2024-1027 | 1 Oretnom23 | 1 Facebook News Feed Like | 2025-05-30 | 6.3 Medium |
| A vulnerability, which was classified as critical, was found in SourceCodester Facebook News Feed Like 1.0. Affected is an unknown function of the component Post Handler. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-252300. | ||||
| CVE-2024-6366 | 1 Cozmoslabs | 1 Profile Builder | 2025-05-30 | 9.1 Critical |
| The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP. | ||||
| CVE-2023-26098 | 1 Telindus | 1 Apsal | 2025-05-30 | 8.2 High |
| An issue was discovered in the Open Document feature in Telindus Apsal 3.14.2022.235 b. An attacker may upload a crafted file to execute arbitrary code. | ||||
| CVE-2019-6513 | 1 Wso2 | 1 Api Manager | 2025-05-30 | N/A |
| An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type of file by changing the extension to an allowed one. | ||||
| CVE-2023-52324 | 1 Trendmicro | 1 Apex Central | 2025-05-30 | 8.8 High |
| An unrestricted file upload vulnerability in Trend Micro Apex Central could allow a remote attacker to create arbitrary files on affected installations. Please note: although authentication is required to exploit this vulnerability, this vulnerability could be exploited when the attacker has any valid set of credentials. Also, this vulnerability could be potentially used in combination with another vulnerability to execute arbitrary code. | ||||
| CVE-2024-0783 | 1 Online Admission System Project | 1 Online Admission System | 2025-05-30 | 6.3 Medium |
| A vulnerability was found in Project Worlds Online Admission System 1.0 and classified as critical. This issue affects some unknown processing of the file documents.php. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-251699. | ||||
| CVE-2024-1069 | 1 Crmperks | 1 Database For Contact Form 7\, Wpforms\, Elementor Forms | 2025-05-29 | 7.2 High |
| The Contact Form Entries plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'view_page' function in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-0933 | 1 Niushop | 1 B2b2c Multi-business | 2025-05-29 | 6.3 Medium |
| A vulnerability was found in Niushop B2B2C V5 and classified as critical. Affected by this issue is some unknown functionality of the file \app\model\Upload.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252140. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-0939 | 1 Byzoro | 2 Smart S210, Smart S210 Firmware | 2025-05-29 | 6.3 Medium |
| A vulnerability has been found in Byzoro Smart S210 Management Platform up to 20240117 and classified as critical. This vulnerability affects unknown code of the file /Tool/uploadfile.php. The manipulation of the argument file_upload leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252184. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-5953 | 1 Welcart | 1 Welcart E-commerce | 2025-05-29 | 8.8 High |
| The Welcart e-Commerce WordPress plugin before 2.9.5 does not validate files to be uploaded, as well as does not have authorisation and CSRF in an AJAX action handling such upload. As a result, any authenticated users, such as subscriber could upload arbitrary files, such as PHP on the server | ||||
| CVE-2024-13191 | 1 Zerowdd | 1 Myblog | 2025-05-28 | 6.3 Medium |
| A vulnerability, which was classified as critical, has been found in ZeroWdd myblog 1.0. This issue affects the function upload of the file src/main/java/com/wdd/myblog/controller/admin/uploadController.java. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-29272 | 2 Givanz, Vvveb | 2 Vvvebjs, Vvvebjs | 2025-05-28 | 6.5 Medium |
| Arbitrary File Upload vulnerability in VvvebJs before version 1.7.5, allows unauthenticated remote attackers to execute arbitrary code and obtain sensitive information via the sanitizeFileName parameter in save.php. | ||||
| CVE-2023-41505 | 1 Code-projects | 2 Student Enrollment, Student Enrollment In Php | 2025-05-28 | 9.8 Critical |
| An arbitrary file upload vulnerability in the Add Student's Profile Picture function of Student Enrollment In PHP v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file. | ||||
| CVE-2025-3616 | 1 Greenshiftwp | 1 Greenshift - Animation And Page Builder Blocks | 2025-05-28 | 8.8 High |
| The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gspb_make_proxy_api_request() function in versions 11.4 to 11.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The arbitrary file upload was sufficiently patched in 11.4.5, but a capability check was added in 11.4.6 to properly prevent unauthorized limited file uploads. | ||||
| CVE-2025-3123 | 1 Wondercms | 1 Wondercms | 2025-05-28 | 4.7 Medium |
| A vulnerability, which was classified as critical, has been found in WonderCMS 3.5.0. Affected by this issue is the function installUpdateModuleAction of the component Theme Installation/Plugin Installation. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor explains, that "[t]he philosophy has always been, admin [...] bear responsibility to not install themes/plugins from untrusted sources." | ||||
| CVE-2022-2872 | 1 Octoprint | 1 Octoprint | 2025-05-28 | 5.4 Medium |
| Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3. | ||||
| CVE-2025-4800 | 2025-05-28 | 8.8 High | ||
| The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to a missing file type validation in the stm_lms_add_assignment_attachment function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. | ||||
| CVE-2025-4735 | 1 Campcodes | 1 Sales And Inventory System | 2025-05-28 | 6.3 Medium |
| A vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /pages/product.php. The manipulation of the argument Picture leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-4122 | 1 Imsurajghosh | 1 Student Information System | 2025-05-28 | 9.9 Critical |
| Student Information System v1.0 is vulnerable to an Insecure File Upload vulnerability on the 'photo' parameter of my-profile page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application. | ||||