Total
4009 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-15009 | 2 1000mz, Liweiyi | 2 Chestnutcms, Chestnutcms | 2025-12-31 | 6.3 Medium |
| A flaw has been found in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function FilenameUtils.getExtension of the file /dev-api/common/upload of the component Filename Handler. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used. | ||||
| CVE-2025-63994 | 1 Psolom | 1 Richfilemanager | 2025-12-31 | 9.8 Critical |
| An arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager v2.7.6 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2025-15050 | 2 Code-projects, Fabian | 2 Student Management System, Student File Management System | 2025-12-30 | 6.3 Medium |
| A security vulnerability has been detected in code-projects Student File Management System 1.0. This affects an unknown part of the file /save_file.php. Such manipulation of the argument File leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2025-2748 | 1 Kentico | 1 Xperience | 2025-12-27 | 6.1 Medium |
| The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS.This issue affects Kentico Xperience through 13.0.178. | ||||
| CVE-2019-25229 | 1 Kentico | 1 Xperience | 2025-12-24 | 8.8 High |
| An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with 'Read data' permissions to upload arbitrary file types via MVC form file uploader components. Attackers can manipulate file names and upload potentially malicious files to the system, enabling unauthorized file uploads. | ||||
| CVE-2025-14885 | 2 Lerouxyxchire, Sourcecodester | 2 Client Database Management System, Client Database Management System | 2025-12-24 | 6.3 Medium |
| A flaw has been found in SourceCodester Client Database Management System 1.0. This affects an unknown part of the file /user_leads.php of the component Leads Generation Module. Executing manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. | ||||
| CVE-2024-44598 | 1 Fntsoftware | 1 Fnt Command | 2025-12-23 | 8.8 High |
| FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module. | ||||
| CVE-2024-44599 | 1 Fntsoftware | 1 Fnt Command | 2025-12-23 | 8.3 High |
| FNT Command 13.4.0 is vulnerable to Directory Traversal. | ||||
| CVE-2023-52324 | 1 Trendmicro | 1 Apex Central | 2025-12-22 | 8.8 High |
| An unrestricted file upload vulnerability in Trend Micro Apex Central could allow a remote attacker to create arbitrary files on affected installations. Please note: although authentication is required to exploit this vulnerability, this vulnerability could be exploited when the attacker has any valid set of credentials. Also, this vulnerability could be potentially used in combination with another vulnerability to execute arbitrary code. | ||||
| CVE-2018-19453 | 1 Kentico | 1 Xperience | 2025-12-19 | 8.8 High |
| Kentico CMS before 11.0.45 allows unrestricted upload of a file with a dangerous type. | ||||
| CVE-2019-19493 | 1 Kentico | 1 Xperience | 2025-12-19 | 5.4 Medium |
| Kentico before 12.0.50 allows file uploads in which the Content-Type header is inconsistent with the file extension, leading to XSS. | ||||
| CVE-2025-65474 | 1 Easyimages2.0 Project | 1 Easyimages2.0 | 2025-12-19 | 8.8 High |
| An arbitrary file rename vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via renaming a PHP file to a SVG format. | ||||
| CVE-2012-10019 | 2 Scribu, Wordpress | 2 Front-end Editor, Wordpress | 2025-12-19 | 9.8 Critical |
| The Front End Editor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the upload.php file in versions before 2.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | ||||
| CVE-2025-65471 | 1 Easyimages2.0 Project | 1 Easyimages2.0 | 2025-12-18 | 8.8 High |
| An arbitrary file upload vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via uploading a crafted PHP file. | ||||
| CVE-2025-68109 | 1 Churchcrm | 1 Churchcrm | 2025-12-18 | 9.1 Critical |
| ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue. | ||||
| CVE-2023-3417 | 3 Debian, Mozilla, Redhat | 7 Debian Linux, Thunderbird, Enterprise Linux and 4 more | 2025-12-18 | 7.5 High |
| Thunderbird allowed the Text Direction Override Unicode Character in filenames. An email attachment could be incorrectly shown as being a document file, while in fact it was an executable file. Newer versions of Thunderbird will strip the character and show the correct file extension. This vulnerability affects Thunderbird < 115.0.1 and Thunderbird < 102.13.1. | ||||
| CVE-2025-43750 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-18 | 6.5 Medium |
| Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows remote unauthenticated users (guests) to upload files via the form attachment field without proper validation, enabling extension obfuscation and bypassing MIME type checks. | ||||
| CVE-2020-36897 | 2 Howfor, Qihang Media | 2 Qihang Media Web Digital Signage, Web Digital Signage | 2025-12-17 | 9.8 Critical |
| QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated remote code execution vulnerability in the QH.aspx file that allows attackers to upload malicious ASPX scripts. Attackers can exploit the file upload functionality by using the 'remotePath' and 'fileToUpload' parameters to write and execute arbitrary system commands on the server. | ||||
| CVE-2025-14642 | 2 Carmelo, Code-projects | 2 Computer Laboratory System, Computer Laboratory System | 2025-12-16 | 4.7 Medium |
| A vulnerability has been found in code-projects Computer Laboratory System 1.0. Impacted is an unknown function of the file technical_staff_pic.php. Such manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-14641 | 2 Carmelo, Code-projects | 2 Computer Laboratory System, Computer Laboratory System | 2025-12-16 | 4.7 Medium |
| A flaw has been found in code-projects Computer Laboratory System 1.0. This issue affects some unknown processing of the file admin/admin_pic.php. This manipulation of the argument image causes unrestricted upload. The attack may be initiated remotely. The exploit has been published and may be used. | ||||