Total
4005 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-4732 | 1 Microweber | 1 Microweber | 2025-04-10 | 7.2 High |
| Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2. | ||||
| CVE-2022-48194 | 1 Tp-link | 2 Tl-wr902ac, Tl-wr902ac Firmware | 2025-04-10 | 8.8 High |
| TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) by uploading a crafted firmware update because the signature check is inadequate. | ||||
| CVE-2025-25784 | 1 Jizhicms | 1 Jizhicms | 2025-04-10 | 9.8 Critical |
| An arbitrary file upload vulnerability in the component \c\TemplateController.php of Jizhicms v2.5.4 allows attackers to execute arbitrary code via uploading a crafted Zip file. | ||||
| CVE-2025-26325 | 1 Shopxo | 1 Shopxo | 2025-04-10 | 9.8 Critical |
| ShopXO 6.4.0 is vulnerable to File Upload in ThemeDataService.php. | ||||
| CVE-2022-43436 | 1 Easy Test Project | 1 Easy Test | 2025-04-10 | 8.8 High |
| The File Upload function of EasyTest has insufficient filtering for special characters and file type. A remote attacker authenticated as a general user can upload and execute arbitrary files, to manipulate system or disrupt service. | ||||
| CVE-2025-2973 | 1 Code-projects | 1 College Management System | 2025-04-10 | 6.3 Medium |
| A vulnerability, which was classified as critical, was found in code-projects College Management System 1.0. This affects an unknown part of the file /Admin/student.php. The manipulation of the argument profile_image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-4665 | 1 Ampache | 1 Ampache | 2025-04-09 | 8.8 High |
| Unrestricted Upload of File with Dangerous Type in GitHub repository ampache/ampache prior to 5.5.6. | ||||
| CVE-2025-22133 | 1 Wegia | 1 Wegia | 2025-04-09 | 10 Critical |
| WeGIA is a web manager for charitable institutions. Prior to 3.2.8, a critical vulnerability was identified in the /WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. The endpoint accepts file uploads without proper validation, allowing the upload of malicious files, such as .phar, which can then be executed by the server. This vulnerability is fixed in 3.2.8. | ||||
| CVE-2024-13744 | 1 Booster | 1 Booster For Woocommerce | 2025-04-09 | 8.1 High |
| The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the validate_product_input_fields_on_add_to_cart function in versions 4.0.1 to 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-13708 | 1 Booster | 1 Booster For Woocommerce | 2025-04-09 | 7.2 High |
| The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in versions 4.0.1 to 7.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2022-46610 | 1 72crm | 1 Wukong Crm | 2025-04-09 | 8.8 High |
| 72crm v9 was discovered to contain an arbitrary file upload vulnerability via the avatar upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. | ||||
| CVE-2025-25790 | 1 Foxcms | 1 Foxcms | 2025-04-09 | 9.8 Critical |
| An arbitrary file upload vulnerability in the component \controller\LocalTemplate.php of FoxCMS v1.2.5 allows attackers to execute arbitrary code via uploading a crafted Zip file. | ||||
| CVE-2025-32370 | 1 Kentico | 1 Xperience | 2025-04-08 | 7.2 High |
| Kentico Xperience before 13.0.178 has a specific set of allowed ContentUploader file extensions for unauthenticated uploads; however, because .zip is processed through TryZipProviderSafe, there is additional functionality to create files with other extensions. NOTE: this is a separate issue not necessarily related to SVG or XSS. | ||||
| CVE-2025-3325 | 1 Iteaj | 1 Iboot | 2025-04-08 | 4.3 Medium |
| A vulnerability, which was classified as problematic, was found in iteaj iboot 物联网网关 1.1.3. This affects an unknown part of the file /core/admin/pwd of the component Admin Password Handler. The manipulation of the argument ID leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-3778 | 1 Ai3 | 1 Qbibot | 2025-04-08 | 7.2 High |
| The file upload functionality of Ai3 QbiBot does not properly restrict types of uploaded files, allowing remote attackers with administrator privilege to upload files with dangerous type containing malicious code. | ||||
| CVE-2025-25783 | 1 Emlog | 1 Emlog | 2025-04-07 | 9.8 Critical |
| An arbitrary file upload vulnerability in the component admin\plugin.php of Emlog Pro v2.5.3 allows attackers to execute arbitrary code via uploading a crafted Zip file. | ||||
| CVE-2025-3324 | 1 Godcheese | 1 Nimrod | 2025-04-07 | 6.3 Medium |
| A vulnerability, which was classified as critical, has been found in godcheese/code-projects Nimrod 0.8. Affected by this issue is some unknown functionality of the file FileRestController.java. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-42287 | 1 Nvidia | 2 Bmc, Dgx A100 | 2025-04-07 | 6 Medium |
| NVIDIA BMC contains a vulnerability in IPMI handler, where an authorized attacker can upload and download arbitrary files under certain circumstances, which may lead to denial of service, escalation of privileges, information disclosure and data tampering. | ||||
| CVE-2024-20296 | 1 Cisco | 1 Identity Services Engine | 2025-04-07 | 4.7 Medium |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to upload arbitrary files to an affected device. To exploit this vulnerability, an attacker would need at least valid Policy Admin credentials on the affected device. This vulnerability is due to improper validation of files that are uploaded to the web-based management interface. An attacker could exploit this vulnerability by uploading arbitrary files to an affected device. A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root. | ||||
| CVE-2024-31012 | 1 Sem-cms | 1 Semcms | 2025-04-04 | 9.8 Critical |
| An issue was discovered in SEMCMS v.4.8, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the upload.php file. | ||||