Total
3868 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-25846 | 1 Myprestamodules | 2 Product Catalog \(csv\, Excel\) Import, Simpleimportproduct | 2026-02-18 | 9.1 Critical |
| In the module "Product Catalog (CSV, Excel) Import" (simpleimportproduct) <= 6.7.0 from MyPrestaModules for PrestaShop, a guest can upload files with extensions .php. | ||||
| CVE-2024-6115 | 1 Clive 21 | 1 Simple Online Hotel Reservation System | 2026-02-18 | 7.3 High |
| A vulnerability classified as critical was found in itsourcecode Simple Online Hotel Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file add_room.php. The manipulation of the argument photo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268867. | ||||
| CVE-2024-6116 | 1 Clive 21 | 1 Simple Online Hotel Reservation System | 2026-02-18 | 7.3 High |
| A vulnerability, which was classified as critical, has been found in itsourcecode Simple Online Hotel Reservation System 1.0. Affected by this issue is some unknown functionality of the file edit_room.php. The manipulation of the argument photo leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268868. | ||||
| CVE-2025-69565 | 2 Code-projects, Fabian | 2 Mobile Shop Management System, Mobile Shop Management System | 2026-02-18 | 9.8 Critical |
| code-projects Mobile Shop Management System 1.0 is vulnerable to File Upload in /ExAddProduct.php. | ||||
| CVE-2024-7694 | 1 Teamt5 | 1 Threatsonar Anti-ransomware | 2026-02-18 | 7.2 High |
| ThreatSonar Anti-Ransomware from TeamT5 does not properly validate the content of uploaded files. Remote attackers with administrator privileges on the product platform can upload malicious files, which can be used to execute arbitrary system command on the server. | ||||
| CVE-2025-41347 | 2 Iest, Informatica Del Este | 2 Winplus, Winplus | 2026-02-18 | 9.8 Critical |
| Unlimited upload vulnerability for dangerous file types in WinPlus v24.11.27 from Informática del Este. This vulnerability allows an attacker to upload a 'webshell' by sending a POST request to '/WinplusPortal/ws/sWinplus.svc/json/uploadfile'. | ||||
| CVE-2026-1331 | 1 Hamastar | 2 Meetinghub, Meetinghub Paperless Meetings | 2026-02-17 | 9.8 Critical |
| MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | ||||
| CVE-2025-14014 | 1 Ntn Information Processing Services Computer Software Hardware Industry And Trade Ltd. Co. | 1 Smart Panel | 2026-02-13 | 9.8 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in NTN Information Processing Services Computer Software Hardware Industry and Trade Ltd. Co. Smart Panel allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Smart Panel: before 20251215. | ||||
| CVE-2023-33498 | 1 Alistgo | 1 Alist | 2026-02-13 | 8.8 High |
| alist <=3.16.3 is vulnerable to Incorrect Access Control. Low privilege accounts can upload any file. | ||||
| CVE-2022-45968 | 1 Alistgo | 1 Alist | 2026-02-13 | 8.8 High |
| Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one). | ||||
| CVE-2026-2097 | 1 Flowring | 1 Agentflow | 2026-02-13 | 8.8 High |
| Agentflow developed by Flowring has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | ||||
| CVE-2026-1458 | 1 Gitlab | 1 Gitlab | 2026-02-12 | 6.5 Medium |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service by uploading malicious files. | ||||
| CVE-2020-37113 | 2 Gunet, Openeclass | 2 Open Eclass Platform, Openeclass | 2026-02-12 | 8.8 High |
| GUnet OpenEclass 1.7.3 allows authenticated users to bypass file extension restrictions when uploading files. By renaming a PHP file to .php3 or .PhP, an attacker can upload a web shell and execute arbitrary code on the server. This vulnerability enables remote code execution by bypassing the intended file type checks in the exercise submission feature. | ||||
| CVE-2025-10465 | 1 Birtech Information Technologies Industry And Trade | 1 Sensaway | 2026-02-11 | 8.8 High |
| Unrestricted Upload of File with Dangerous Type vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Sensaway allows Upload a Web Shell to a Web Server.This issue affects Sensaway: through 09022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-1357 | 2 Wordpress, Wpvividplugins | 2 Wordpress, Migration Backup Staging Wpvivd Backup And Migration | 2026-02-11 | 9.8 Critical |
| The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter. | ||||
| CVE-2026-25923 | 1 My Little Forum | 1 My Little Forum | 2026-02-11 | N/A |
| my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file (disguised as JPEG) via the image upload feature, trigger Phar deserialization through BBCode [img] tag processing, and exploit Smarty 4.1.0 POP chain to achieve arbitrary file deletion. This vulnerability is fixed in 20260208.1. | ||||
| CVE-2025-69618 | 2 Coto, Coto.world | 2 Tarot, Astro & Healing, Coto | 2026-02-11 | 6.5 Medium |
| An arbitrary file overwrite vulnerability in the file import process of Tarot, Astro & Healing v11.4.0 allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive information. | ||||
| CVE-2025-61506 | 1 Mediacrush | 1 Mediacrush | 2026-02-11 | 9.8 Critical |
| An issue was discovered in MediaCrush thru 1.0.1 allowing remote unauthenticated attackers to upload arbitrary files of any size to the /upload endpoint. | ||||
| CVE-2025-65875 | 2 Fpdf, Setasign | 2 Fpdf, Fpdf | 2026-02-11 | 8.8 High |
| An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file. | ||||
| CVE-2025-69906 | 1 Monstra | 1 Monstra Cms | 2026-02-11 | 8.8 High |
| Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution. | ||||