Export limit exceeded: 16335 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (3940 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14632 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 4.4 Medium |
| The Filr – Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload malicious HTML files containing JavaScript that will execute whenever a user accesses the uploaded file, granted they have permission to create or edit posts with the 'filr' post type. | ||||
| CVE-2026-1222 | 1 Browan Communications | 1 Prismx Mx100 Ap Controller | 2026-01-26 | 7.2 High |
| PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | ||||
| CVE-2025-10856 | 1 Solvera Software | 1 Teknoera | 2026-01-26 | 8.1 High |
| Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Inc. Teknoera allows File Content Injection.This issue affects Teknoera: through 01102025. | ||||
| CVE-2025-69828 | 1 Tms | 1 Management Console | 2026-01-26 | 10 Critical |
| File Upload vulnerability in TMS Global Software TMS Management Console v.6.3.7.27386.20250818 allows a remote attacker to execute arbitrary code via the Logo upload in /Customer/AddEdit | ||||
| CVE-2021-47904 | 1 Phreesoft | 1 Phreebookserp | 2026-01-26 | 8.8 High |
| PhreeBooks 5.2.3 contains an authenticated file upload vulnerability in the Image Manager that allows remote code execution. Attackers can upload a malicious PHP web shell by exploiting unrestricted file type uploads to gain command execution on the server. | ||||
| CVE-2021-47899 | 1 Mfscripts | 1 Yetishare | 2026-01-26 | 4 Medium |
| YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the url_upload_handler endpoint to access sensitive files like /etc/passwd by using file:/// protocol. | ||||
| CVE-2026-1021 | 1 Gotac | 2 Police Statistics Database System, Statistical Database System | 2026-01-23 | 9.8 Critical |
| Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attacker to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | ||||
| CVE-2023-25444 | 2 Joomsky, Wordpress | 2 Js Help Desk, Wordpress | 2026-01-23 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Using Malicious Files.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.7. | ||||
| CVE-2022-1952 | 1 Syntacticsinc | 1 Easync | 2026-01-23 | 9.8 Critical |
| The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps. | ||||
| CVE-2026-22241 | 1 Openeclass | 1 Openeclass | 2026-01-23 | 7.2 High |
| The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files on the server's file system. The main cause of the issue is that no validation or sanitization of the file's present inside the zip archive. This leads to remote code execution on the web server. Version 4.2 patches the issue. | ||||
| CVE-2021-47753 | 1 Phpkf | 2 Cms, Phpkf | 2026-01-23 | 9.8 Critical |
| phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands through a crafted web shell parameter. | ||||
| CVE-2025-14894 | 2 Bee Interactive, Livewire-filemanager | 2 Livewire Filemanager, Filemanager | 2026-01-23 | 7.5 High |
| Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed. | ||||
| CVE-2024-9932 | 1 Jurre De Klijn | 1 Wux Blog Editor | 2026-01-23 | 9.8 Critical |
| The Wux Blog Editor plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'wuxbt_insertImageNew' function in versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2023-51409 | 2 Ai Engine Project, Meowapps | 2 Ai Engine, Ai Engine | 2026-01-22 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.This issue affects AI Engine: ChatGPT Chatbot: from n/a through 1.9.98. | ||||
| CVE-2022-50893 | 1 Viaviweb | 1 Wallpaper Admin | 2026-01-22 | 9.8 Critical |
| VIAVIWEB Wallpaper Admin 1.0 contains an unauthenticated remote code execution vulnerability in the image upload functionality. Attackers can upload a malicious PHP file through the add_gallery_image.php endpoint to execute arbitrary code on the server. | ||||
| CVE-2024-47259 | 1 Axis | 2 Axis Os, Axis Os 2024 | 2026-01-22 | 3.5 Low |
| Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files to the Axis device with the purpose to exhaust system resources. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | ||||
| CVE-2025-66837 | 1 Softwareag | 1 Aris | 2026-01-21 | 6.8 Medium |
| A file upload vulnerability in ARIS 10.0.23.0.3587512 allows attackers to execute arbitrary code via uploading a crafted PDF file/Malware | ||||
| CVE-2025-46068 | 1 Automai | 1 Director | 2026-01-21 | 8.8 High |
| An issue in Automai Director v.25.2.0 allows a remote attacker to execute arbitrary code via the update mechanism | ||||
| CVE-2026-22799 | 1 Emlog | 1 Emlog | 2026-01-21 | 8.8 High |
| Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers (with a valid API key or admin session cookie) to upload arbitrary files (including malicious PHP scripts) to the server. An attacker can obtain the API key either by gaining administrator access to enable the REST API setting, or via information disclosure vulnerabilities in the application. Once uploaded, the malicious PHP file can be executed to gain remote code execution (RCE) on the target server, leading to full server compromise. | ||||
| CVE-2026-22789 | 1 Wem-project | 1 Wem | 2026-01-21 | 5.4 Medium |
| WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code Execution (RCE). This vulnerability is identical in nature to CVE-2025-52130 but exists in different code locations that were not addressed by the original fix. This vulnerability is fixed in 1.19. | ||||