CWE-434

Unrestricted Upload of File with Dangerous Type

BaseDraftLikelihood: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

CWE-669

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,190)

page 12 of 60

CVE	Sev	Risk	CVSS	Published	Description
CVE-2017-20224	Cri	0.64	9.8	Mar 16, 2026	Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious content by exploiting enabled WebDAV HTTP methods. Attackers can use PUT, DELETE, MKCOL, MOVE, COPY, and PROPPATCH methods to upload executable code, delete files, or manipulate server content for remote code execution or denial of service.
CVE-2026-3891	Cri	0.64	9.8	Mar 13, 2026	The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2026-24960	Cri	0.64	9.9	Mar 5, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Charety charety allows Using Malicious Files.This issue affects Charety: from n/a through < 2.0.2.
CVE-2025-68555	Cri	0.64	9.9	Mar 5, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Nutrie nutrie allows Upload a Web Shell to a Web Server.This issue affects Nutrie: from n/a through < 2.0.1.
CVE-2025-68554	Cri	0.64	9.9	Mar 5, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Keenarch keenarch allows Using Malicious Files.This issue affects Keenarch: from n/a through < 2.0.1.
CVE-2025-68553	Cri	0.64	9.9	Mar 5, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Lendiz lendiz allows Upload a Web Shell to a Web Server.This issue affects Lendiz: from n/a through < 2.0.1.
CVE-2025-69403	Cri	0.64	9.9	Feb 20, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files.This issue affects Bravis Addons: from n/a through <= 1.3.0.
CVE-2025-68549	Cri	0.64	9.9	Feb 20, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Wiguard wiguard allows Upload a Web Shell to a Web Server.This issue affects Wiguard: from n/a through < 2.0.1.
CVE-2026-2550	Cri	0.64	9.8	Feb 16, 2026	A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-1358	Cri	0.64	9.8	Feb 12, 2026	Airleader Master versions 6.381 and prior allow for file uploads without restriction to multiple webpages running maximum privileges. This could allow an unauthenticated user to potentially obtain remote code execution on the server.
CVE-2025-14014	Cri	0.64	9.8	Feb 12, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in NTN Information Processing Services Computer Software Hardware Industry and Trade Ltd. Co. Smart Panel allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Smart Panel: before 20251215.
CVE-2025-13374	Cri	0.64	9.8	Jan 24, 2026	The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-68986	Cri	0.64	9.9	Jan 22, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Miion miion allows Upload a Web Shell to a Web Server.This issue affects Miion: from n/a through <= 1.2.7.
CVE-2025-68910	Cri	0.64	9.9	Jan 22, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogzee blogzee allows Using Malicious Files.This issue affects Blogzee: from n/a through <= 1.0.5.
CVE-2025-68909	Cri	0.64	9.9	Jan 22, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogistic blogistic allows Using Malicious Files.This issue affects Blogistic: from n/a through <= 1.0.5.
CVE-2025-67968	Cri	0.64	9.9	Jan 22, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in InspiryThemes Real Homes CRM realhomes-crm allows Using Malicious Files.This issue affects Real Homes CRM: from n/a through <= 1.0.0.
CVE-2025-62056	Cri	0.64	9.9	Jan 22, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes News Event news-event.This issue affects News Event: from n/a through <= 1.0.1.
CVE-2025-62050	Cri	0.64	9.9	Jan 22, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogmatic blogmatic.This issue affects Blogmatic: from n/a through <= 1.0.3.
CVE-2021-47819	Cri	0.64	9.8	Jan 15, 2026	ProjeQtOr Project Management 9.1.4 contains a file upload vulnerability that allows guest users to upload malicious PHP files with arbitrary code execution capabilities. Attackers can upload a PHP script through the profile attachment section and execute system commands by accessing the uploaded file with a specially crafted request parameter.
CVE-2025-67924	Cri	0.64	9.9	Jan 8, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Corpkit corpkit allows Upload a Web Shell to a Web Server.This issue affects Corpkit: from n/a through <= 2.0.

CVE-2017-20224CriMar 16, 2026
risk 0.64cvss 9.8epss 0.00
Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious content by exploiting enabled WebDAV HTTP methods. Attackers can use PUT, DELETE, MKCOL, MOVE, COPY, and PROPPATCH methods to upload executable code, delete files, or manipulate server content for remote code execution or denial of service.
CVE-2026-3891CriMar 13, 2026
risk 0.64cvss 9.8epss 0.00
The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2026-24960CriMar 5, 2026
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Charety charety allows Using Malicious Files.This issue affects Charety: from n/a through < 2.0.2.
CVE-2025-68555CriMar 5, 2026
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Nutrie nutrie allows Upload a Web Shell to a Web Server.This issue affects Nutrie: from n/a through < 2.0.1.
CVE-2025-68554CriMar 5, 2026
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Keenarch keenarch allows Using Malicious Files.This issue affects Keenarch: from n/a through < 2.0.1.
CVE-2025-68553CriMar 5, 2026
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Lendiz lendiz allows Upload a Web Shell to a Web Server.This issue affects Lendiz: from n/a through < 2.0.1.
CVE-2025-69403CriFeb 20, 2026
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files.This issue affects Bravis Addons: from n/a through <= 1.3.0.
CVE-2025-68549CriFeb 20, 2026
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Wiguard wiguard allows Upload a Web Shell to a Web Server.This issue affects Wiguard: from n/a through < 2.0.1.
CVE-2026-2550CriFeb 16, 2026
risk 0.64cvss 9.8epss 0.00
A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-1358CriFeb 12, 2026
risk 0.64cvss 9.8epss 0.00
Airleader Master versions 6.381 and prior allow for file uploads without restriction to multiple webpages running maximum privileges. This could allow an unauthenticated user to potentially obtain remote code execution on the server.
CVE-2025-14014CriFeb 12, 2026
risk 0.64cvss 9.8epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in NTN Information Processing Services Computer Software Hardware Industry and Trade Ltd. Co. Smart Panel allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Smart Panel: before 20251215.
CVE-2025-13374CriJan 24, 2026
risk 0.64cvss 9.8epss 0.00
The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-68986CriJan 22, 2026
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Miion miion allows Upload a Web Shell to a Web Server.This issue affects Miion: from n/a through <= 1.2.7.
CVE-2025-68910CriJan 22, 2026
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogzee blogzee allows Using Malicious Files.This issue affects Blogzee: from n/a through <= 1.0.5.
CVE-2025-68909CriJan 22, 2026
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogistic blogistic allows Using Malicious Files.This issue affects Blogistic: from n/a through <= 1.0.5.
CVE-2025-67968CriJan 22, 2026
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in InspiryThemes Real Homes CRM realhomes-crm allows Using Malicious Files.This issue affects Real Homes CRM: from n/a through <= 1.0.0.
CVE-2025-62056CriJan 22, 2026
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes News Event news-event.This issue affects News Event: from n/a through <= 1.0.1.
CVE-2025-62050CriJan 22, 2026
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogmatic blogmatic.This issue affects Blogmatic: from n/a through <= 1.0.3.
CVE-2021-47819CriJan 15, 2026
risk 0.64cvss 9.8epss 0.00
ProjeQtOr Project Management 9.1.4 contains a file upload vulnerability that allows guest users to upload malicious PHP files with arbitrary code execution capabilities. Attackers can upload a PHP script through the profile attachment section and execute system commands by accessing the uploaded file with a specially crafted request parameter.
CVE-2025-67924CriJan 8, 2026
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Corpkit corpkit allows Upload a Web Shell to a Web Server.This issue affects Corpkit: from n/a through <= 2.0.