Total
3873 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2012-10064 | 1 Wordpress | 1 Wordpress | 2026-01-26 | N/A |
| Omni Secure Files plugin versions prior to 0.1.14 contain an arbitrary file upload vulnerability in the bundled plupload example endpoint. The /wp-content/plugins/omni-secure-files/plupload/examples/upload.php handler allows unauthenticated uploads without enforcing safe file type restrictions, enabling an attacker to place attacker-controlled files under the plugin's uploads directory. This can lead to remote code execution if a server-executable file type is uploaded and subsequently accessed. | ||||
| CVE-2025-14632 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 4.4 Medium |
| The Filr – Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload malicious HTML files containing JavaScript that will execute whenever a user accesses the uploaded file, granted they have permission to create or edit posts with the 'filr' post type. | ||||
| CVE-2026-1222 | 1 Browan Communications | 1 Prismx Mx100 Ap Controller | 2026-01-26 | 7.2 High |
| PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | ||||
| CVE-2025-10856 | 1 Solvera Software | 1 Teknoera | 2026-01-26 | 8.1 High |
| Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Inc. Teknoera allows File Content Injection.This issue affects Teknoera: through 01102025. | ||||
| CVE-2025-69828 | 1 Tms | 1 Management Console | 2026-01-26 | 10 Critical |
| File Upload vulnerability in TMS Global Software TMS Management Console v.6.3.7.27386.20250818 allows a remote attacker to execute arbitrary code via the Logo upload in /Customer/AddEdit | ||||
| CVE-2021-47904 | 1 Phreesoft | 1 Phreebookserp | 2026-01-26 | 8.8 High |
| PhreeBooks 5.2.3 contains an authenticated file upload vulnerability in the Image Manager that allows remote code execution. Attackers can upload a malicious PHP web shell by exploiting unrestricted file type uploads to gain command execution on the server. | ||||
| CVE-2021-47899 | 1 Mfscripts | 1 Yetishare | 2026-01-26 | 4 Medium |
| YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the url_upload_handler endpoint to access sensitive files like /etc/passwd by using file:/// protocol. | ||||
| CVE-2025-32660 | 2 Joomsky, Wordpress | 2 Js Job Manager, Wordpress | 2026-01-23 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in JoomSky JS Job Manager allows Upload a Web Shell to a Web Server. This issue affects JS Job Manager: from n/a through 2.0.2. | ||||
| CVE-2026-1021 | 1 Gotac | 2 Police Statistics Database System, Statistical Database System | 2026-01-23 | 9.8 Critical |
| Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attacker to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | ||||
| CVE-2023-25444 | 2 Joomsky, Wordpress | 2 Js Help Desk, Wordpress | 2026-01-23 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Using Malicious Files.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.7. | ||||
| CVE-2022-1952 | 1 Syntacticsinc | 1 Easync | 2026-01-23 | 9.8 Critical |
| The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps. | ||||
| CVE-2026-22241 | 1 Openeclass | 1 Openeclass | 2026-01-23 | 7.2 High |
| The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files on the server's file system. The main cause of the issue is that no validation or sanitization of the file's present inside the zip archive. This leads to remote code execution on the web server. Version 4.2 patches the issue. | ||||
| CVE-2021-47753 | 1 Phpkf | 2 Cms, Phpkf | 2026-01-23 | 9.8 Critical |
| phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands through a crafted web shell parameter. | ||||
| CVE-2025-14894 | 2 Bee Interactive, Livewire-filemanager | 2 Livewire Filemanager, Filemanager | 2026-01-23 | 7.5 High |
| Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed. | ||||
| CVE-2024-9932 | 1 Jurre De Klijn | 1 Wux Blog Editor | 2026-01-23 | 9.8 Critical |
| The Wux Blog Editor plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'wuxbt_insertImageNew' function in versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-50526 | 2 Lindeni, Mahlamusa | 2 Multi Purpose Mail Form, Multi Purpose Mail Form | 2026-01-23 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in mahlamusa Multi Purpose Mail Form allows Upload a Web Shell to a Web Server.This issue affects Multi Purpose Mail Form: from n/a through 1.0.2. | ||||
| CVE-2024-51791 | 1 Madeit | 1 Forms | 2026-01-23 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms allows Upload a Web Shell to a Web Server.This issue affects Forms: from n/a through 2.8.0. | ||||
| CVE-2024-51793 | 1 Webfulcreations | 1 Computer Repair Shop | 2026-01-22 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Webful Creations Computer Repair Shop allows Upload a Web Shell to a Web Server.This issue affects Computer Repair Shop: from n/a through 3.8115. | ||||
| CVE-2023-51409 | 2 Ai Engine Project, Meowapps | 2 Ai Engine, Ai Engine | 2026-01-22 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.This issue affects AI Engine: ChatGPT Chatbot: from n/a through 1.9.98. | ||||
| CVE-2022-50893 | 1 Viaviweb | 1 Wallpaper Admin | 2026-01-22 | 9.8 Critical |
| VIAVIWEB Wallpaper Admin 1.0 contains an unauthenticated remote code execution vulnerability in the image upload functionality. Attackers can upload a malicious PHP file through the add_gallery_image.php endpoint to execute arbitrary code on the server. | ||||