Total
4023 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-47904 | 1 Phreesoft | 1 Phreebookserp | 2026-04-15 | 8.8 High |
| PhreeBooks 5.2.3 contains an authenticated file upload vulnerability in the Image Manager that allows remote code execution. Attackers can upload a malicious PHP web shell by exploiting unrestricted file type uploads to gain command execution on the server. | ||||
| CVE-2024-31680 | 1 Shibangcommunications | 1 Ip Network Intercom Broadcasting System | 2026-04-15 | 8.8 High |
| File Upload vulnerability in Shibang Communications Co., Ltd. IP network intercom broadcasting system v.1.0 allows a local attacker to execute arbitrary code via the my_parser.php component. | ||||
| CVE-2025-13094 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-10412 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2026-04-15 | 9.8 Critical |
| The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.55. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-8450 | 1 Fortra | 2 Filecatalyst Direct, Filecatalyst Workflow | 2026-04-15 | 8.2 High |
| Improper Access Control issue in the Workflow component of Fortra's FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page. | ||||
| CVE-2024-9108 | 1 Xunhuweb | 1 Wechat Social Login | 2026-04-15 | 9.8 Critical |
| The Wechat Social login plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'convert_remoteimage_to_local' function in versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-46088 | 1 Zhejiang University | 1 Entersoft Customer Resource Management | 2026-04-15 | 9.8 Critical |
| An arbitrary file upload vulnerability in the ProductAction.entphone interface of Zhejiang University Entersoft Customer Resource Management System v2002 to v2024 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2025-6327 | 2 Kingaddons, Wordpress | 2 King Addons For Elementor, Wordpress | 2026-04-15 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in KingAddons.com King Addons for Elementor king-addons allows Upload a Web Shell to a Web Server.This issue affects King Addons for Elementor: from n/a through <= 51.1.36. | ||||
| CVE-2025-2819 | 2026-04-15 | 6.6 Medium | ||
| There is a risk of unauthorized file uploads in GT-SoftControl and potential file overwrites due to insufficient validation in the file selection process. This could lead to data integrity issues and unauthorized access by an authenticated privileged user. | ||||
| CVE-2025-10755 | 1 Selleo | 1 Mentingo | 2026-04-15 | 6.3 Medium |
| A vulnerability was detected in Selleo Mentingo 2025.08.27. The impacted element is an unknown function of the component Content-Type Handler. The manipulation of the argument userAvatar results in unrestricted upload. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-49398 | 1 Elvaco | 1 Cme3100 Firmware | 2026-04-15 | N/A |
| The affected product is vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute code. | ||||
| CVE-2025-53283 | 2 Borisolhor, Wordpress | 2 Drop Uploader For Cf7, Wordpress | 2026-04-15 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in borisolhor Drop Uploader for CF7 - Drag&Drop File Uploader Addon drop-uploader-for-contact-form-7-dragdrop-file-uploader-addon allows Upload a Web Shell to a Web Server.This issue affects Drop Uploader for CF7 - Drag&Drop File Uploader Addon: from n/a through <= 2.4.1. | ||||
| CVE-2013-10055 | 1 Havalite | 2 Cms, Havalite | 2026-04-15 | N/A |
| An unauthenticated arbitrary file upload vulnerability exists in Havalite CMS version 1.1.7 (and possibly earlier) in the upload.php script. The application fails to enforce proper file extension validation and authentication checks, allowing remote attackers to upload malicious PHP files via a crafted multipart/form-data POST request. Once uploaded, the attacker can access the file directly under havalite/tmp/files/, resulting in remote code execution. | ||||
| CVE-2025-62016 | 2 Hogash, Wordpress | 2 Kallyas, Wordpress | 2026-04-15 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in hogash KALLYAS kallyas.This issue affects KALLYAS: from n/a through <= 4.22.0. | ||||
| CVE-2025-60235 | 3 Plugify, Woocommerce, Wordpress | 3 Helpdesk Support Ticket System For Woocommerce, Woocommerce, Wordpress | 2026-04-15 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Plugify Support Ticket System for WooCommerce (Premium) support-ticket-system-for-woocommerce allows Using Malicious Files.This issue affects Support Ticket System for WooCommerce (Premium): from n/a through <= 2.0.7. | ||||
| CVE-2025-10669 | 1 Airsonic | 1 Airsonic | 2026-04-15 | 6.3 Medium |
| A vulnerability was detected in Airsonic-Advanced up to 10.6.0. This vulnerability affects unknown code of the component Playlist Upload Handler. Performing manipulation results in unrestricted upload. It is possible to initiate the attack remotely. The exploit is now public and may be used. | ||||
| CVE-2023-50897 | 2 Meow Apps, Wordpress | 2 Media File Renamer, Wordpress | 2026-04-15 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7. | ||||
| CVE-2025-53970 | 2026-04-15 | N/A | ||
| SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) allows a remote unauthenticated attacker to upload arbitrary files and execute OS commands with SYSTEM privileges. | ||||
| CVE-2025-54762 | 2026-04-15 | N/A | ||
| SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) allows a remote unauthenticated attacker to upload arbitrary files and execute OS commands with SYSTEM privileges. | ||||
| CVE-2024-28520 | 2026-04-15 | 6.5 Medium | ||
| File Upload vulnerability in Byzoro Networks Smart multi-service security gateway intelligent management platform version S210, allows an attacker to obtain sensitive information via the uploadfile.php component. | ||||