CWE-434

Unrestricted Upload of File with Dangerous Type

BaseDraftLikelihood: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

CWE-669

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,190)

page 23 of 60

CVE	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2026-28114	Cri	0.59	9.1	0.00	Mar 5, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in firassaidi WooCommerce License Manager fs-license-manager allows Upload a Web Shell to a Web Server.This issue affects WooCommerce License Manager: from n/a through <= 7.0.6.
CVE-2026-23802	Cri	0.59	9.1	0.00	Mar 5, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files.This issue affects AI Engine: from n/a through <= 3.3.2.
CVE-2025-69312	Cri	0.59	9.1	0.00	Jan 22, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server.This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1.
CVE-2025-67910	Cri	0.59	9.1	0.00	Jan 8, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in contentstudio Contentstudio contentstudio allows Upload a Web Shell to a Web Server.This issue affects Contentstudio: from n/a through <= 1.3.7.
CVE-2023-50897	Cri	0.59	9.1	0.00	Jan 5, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7.
CVE-2025-66074	Cri	0.59	9.0	0.00	Dec 18, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal.This issue affects WP Webhooks: from n/a through <= 3.3.8.
CVE-2025-58996	Cri	0.59	9.1	0.00	Nov 6, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in Helmut Wandl Advanced Settings advanced-settings allows Upload a Web Shell to a Web Server.This issue affects Advanced Settings: from n/a through <= 3.1.1.
CVE-2025-52758	Cri	0.59	9.1	0.00	Oct 22, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy zippy allows Using Malicious Files.This issue affects Zippy: from n/a through <= 1.7.0.
CVE-2025-42910	Cri	0.59	9.0	0.00	Oct 14, 2025	Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker could cause high impact on confidentiality, integrity and availability of the application.
CVE-2025-58819	Cri	0.59	9.1	0.00	Sep 5, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image bulk-featured-image allows Upload a Web Shell to a Web Server.This issue affects Bulk Featured Image: from n/a through <= 1.2.4.
CVE-2025-57148	Cri	0.59	9.1	0.00	Sep 3, 2025	phpgurukul Online Shopping Portal 2.0 is vulnerable to Arbitrary File Upload in /admin/insert-product.php, due to the lack of extension validation.
CVE-2025-54677	Cri	0.59	9.1	0.00	Aug 20, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Using Malicious Files.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.3.
CVE-2025-54693	Cri	0.59	9.0	0.00	Aug 14, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in epiphyt Form Block form-block allows Upload a Web Shell to a Web Server.This issue affects Form Block: from n/a through <= 1.5.5.
CVE-2014-125119	Hig	0.59	—	0.16	Jul 25, 2025	A filename spoofing vulnerability exists in WinRAR when opening specially crafted ZIP archives. The issue arises due to inconsistencies between the Central Directory and Local File Header entries in ZIP files. When viewed in WinRAR, the file name from the Central Directory is displayed to the user, while the file from the Local File Header is extracted and executed. An attacker can leverage this flaw to spoof filenames and trick users into executing malicious payloads under the guise of harmless files, potentially leading to remote code execution.
CVE-2025-48300	Cri	0.59	9.1	0.00	Jul 16, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in Adrian Tobey Groundhogg groundhogg allows Upload a Web Shell to a Web Server.This issue affects Groundhogg: from n/a through <= 4.2.1.
CVE-2025-28951	Cri	0.59	9.1	0.00	Jul 4, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image bulk-featured-image allows Upload a Web Shell to a Web Server.This issue affects Bulk Featured Image: from n/a through <= 1.2.4.
CVE-2025-23968	Cri	0.59	9.1	0.00	Jul 3, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in WebFactory AiBud WP aibuddy-openai-chatgpt allows Upload a Web Shell to a Web Server.This issue affects AiBud WP: from n/a through <= 1.9.
CVE-2025-53260	Cri	0.59	9.1	0.00	Jun 27, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in getredhawkstudio File Manager Plugin For Wordpress file-manager-plugin-for-wordpress allows Upload a Web Shell to a Web Server.This issue affects File Manager Plugin For Wordpress: from n/a through <= 7.5.
CVE-2025-31916	Cri	0.59	9.0	0.00	May 23, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in joy2012bd JP Students Result Management System Premium allows Upload a Web Shell to a Web Server. This issue affects JP Students Result Management System Premium: from 1.1.7 through n/a.
CVE-2025-47549	Cri	0.59	9.1	0.00	May 7, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in Themefic BEAF beaf-before-and-after-gallery allows Upload a Web Shell to a Web Server.This issue affects BEAF: from n/a through <= 4.6.10.

CVE-2026-28114CriMar 5, 2026
risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in firassaidi WooCommerce License Manager fs-license-manager allows Upload a Web Shell to a Web Server.This issue affects WooCommerce License Manager: from n/a through <= 7.0.6.
CVE-2026-23802CriMar 5, 2026
risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files.This issue affects AI Engine: from n/a through <= 3.3.2.
CVE-2025-69312CriJan 22, 2026
risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server.This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1.
CVE-2025-67910CriJan 8, 2026
risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in contentstudio Contentstudio contentstudio allows Upload a Web Shell to a Web Server.This issue affects Contentstudio: from n/a through <= 1.3.7.
CVE-2023-50897CriJan 5, 2026
risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7.
CVE-2025-66074CriDec 18, 2025
risk 0.59cvss 9.0epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal.This issue affects WP Webhooks: from n/a through <= 3.3.8.
CVE-2025-58996CriNov 6, 2025
risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Helmut Wandl Advanced Settings advanced-settings allows Upload a Web Shell to a Web Server.This issue affects Advanced Settings: from n/a through <= 3.1.1.
CVE-2025-52758CriOct 22, 2025
risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy zippy allows Using Malicious Files.This issue affects Zippy: from n/a through <= 1.7.0.
CVE-2025-42910CriOct 14, 2025
risk 0.59cvss 9.0epss 0.00
Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker could cause high impact on confidentiality, integrity and availability of the application.
CVE-2025-58819CriSep 5, 2025
risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image bulk-featured-image allows Upload a Web Shell to a Web Server.This issue affects Bulk Featured Image: from n/a through <= 1.2.4.
CVE-2025-57148CriSep 3, 2025
risk 0.59cvss 9.1epss 0.00
phpgurukul Online Shopping Portal 2.0 is vulnerable to Arbitrary File Upload in /admin/insert-product.php, due to the lack of extension validation.
CVE-2025-54677CriAug 20, 2025
risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Using Malicious Files.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.3.
CVE-2025-54693CriAug 14, 2025
risk 0.59cvss 9.0epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in epiphyt Form Block form-block allows Upload a Web Shell to a Web Server.This issue affects Form Block: from n/a through <= 1.5.5.
CVE-2014-125119HigJul 25, 2025
risk 0.59cvss —epss 0.16
A filename spoofing vulnerability exists in WinRAR when opening specially crafted ZIP archives. The issue arises due to inconsistencies between the Central Directory and Local File Header entries in ZIP files. When viewed in WinRAR, the file name from the Central Directory is displayed to the user, while the file from the Local File Header is extracted and executed. An attacker can leverage this flaw to spoof filenames and trick users into executing malicious payloads under the guise of harmless files, potentially leading to remote code execution.
CVE-2025-48300CriJul 16, 2025
risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Adrian Tobey Groundhogg groundhogg allows Upload a Web Shell to a Web Server.This issue affects Groundhogg: from n/a through <= 4.2.1.
CVE-2025-28951CriJul 4, 2025
risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image bulk-featured-image allows Upload a Web Shell to a Web Server.This issue affects Bulk Featured Image: from n/a through <= 1.2.4.
CVE-2025-23968CriJul 3, 2025
risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in WebFactory AiBud WP aibuddy-openai-chatgpt allows Upload a Web Shell to a Web Server.This issue affects AiBud WP: from n/a through <= 1.9.
CVE-2025-53260CriJun 27, 2025
risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in getredhawkstudio File Manager Plugin For Wordpress file-manager-plugin-for-wordpress allows Upload a Web Shell to a Web Server.This issue affects File Manager Plugin For Wordpress: from n/a through <= 7.5.
CVE-2025-31916CriMay 23, 2025
risk 0.59cvss 9.0epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in joy2012bd JP Students Result Management System Premium allows Upload a Web Shell to a Web Server. This issue affects JP Students Result Management System Premium: from 1.1.7 through n/a.
CVE-2025-47549CriMay 7, 2025
risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Themefic BEAF beaf-before-and-after-gallery allows Upload a Web Shell to a Web Server.This issue affects BEAF: from n/a through <= 4.6.10.