CWE-434
Unrestricted Upload of File with Dangerous Type
Description
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1
CVEs mapped to this weakness (1,669)
page 26 of 84

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-14521 | | High | 0.61 | 8.8 | 0.07 | | Jan 26, 2018 | In WonderCMS 2.3.1, the upload functionality accepts random application extensions and leads to malicious File Upload. |
| CVE-2017-17874 | | High | 0.61 | 8.8 | 0.06 | | Dec 27, 2017 | Vanguard Marketplace Digital Products PHP 1.4 allows arbitrary file upload via an "Add a new product" or "Add a product preview" action, which can make a .php file accessible under a uploads/ URI. |
| CVE-2017-15957 | | High | 0.61 | 8.8 | 0.04 | | Oct 29, 2017 | my_profile.php in Ingenious School Management System 2.3.0 allows a student or teacher to upload an arbitrary file. |
| CVE-2011-4334 | | High | 0.61 | 8.8 | 0.06 | | Oct 23, 2017 | edit.php in LabWiki 1.1 and earlier does not properly verify uploaded user files, which allows remote authenticated users to upload arbitrary PHP files via a PHP file with a .gif extension in the userfile parameter. |
| CVE-2017-14704 | | High | 0.61 | 8.8 | 0.08 | | Sep 26, 2017 | Multiple unrestricted file upload vulnerabilities in the (1) imageSubmit and (2) proof_submit functions in Claydip Laravel Airbnb Clone 1.0 allow remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct… |
| CVE-2017-12929 | | High | 0.61 | 8.8 | 0.10 | | Sep 21, 2017 | Arbitrary File Upload in resource.php of TecnoVISION DLX Spot Player4 version >1.5.10 allows remote authenticated users to upload arbitrary files leading to Remote Command Execution. |
| CVE-2017-9380 | | High | 0.61 | 8.8 | 0.15 | | Jun 2, 2017 | OpenEMR 5.0.0 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution within the context of the vulnerable application. |
| CVE-2015-3884 | | High | 0.61 | 8.8 | 0.14 | | Mar 17, 2017 | Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing… |
| CVE-2026-5482 | | Critical | 0.60 | — | 0.00 | | Jun 15, 2026 | Responsive FileManager's allows an unauthenticated attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution. This project is unmaintained at the time of CVE assignment. The vulnerability was found in… |
| CVE-2011-10041 | | Critical | 0.60 | — | 0.01 | | Jan 15, 2026 | Uploadify WordPress plugin versions up to and including 1.0 contain an arbitrary file upload vulnerability in process_upload.php due to missing file type validation. An unauthenticated remote attacker can upload arbitrary files to the affected WordPress site, which may allow… |
| CVE-2024-58298 | | Critical | 0.60 | — | 0.01 | | Dec 11, 2025 | Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the 'fileName' parameter to upload a web… |
| CVE-2025-31342 | | Critical | 0.60 | — | 0.00 | | Oct 20, 2025 | An unrestricted upload of file with dangerous type vulnerability in the upload file function of Galaxy Software Services Corporation Vitals ESP Forum Module through 1.3 version allows remote authenticated users to execute arbitrary system commands via a malicious file. |
| CVE-2023-7305 | | Critical | 0.60 | — | 0.00 | | Oct 15, 2025 | SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability via the RMIServlet request handling logic. Under certain configurations or usage patterns, attackers can send specially crafted requests that cause the application to perform sensitive operations or… |
| CVE-2025-61678 | | High | 0.60 | — | 0.50 | | Oct 14, 2025 | FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains an authenticated arbitrary file upload vulnerability affecting… |
| CVE-2025-54473 | | Critical | 0.60 | — | 0.00 | | Aug 15, 2025 | An authenticated RCE vulnerability in Phoca Commander component 1.0.0-4.0.0 and 5.0.0-5.0.1 for Joomla was discovered. The issue allows code execution via the unzip feature. |
| CVE-2024-10392 | | Critical | 0.60 | 9.8 | 0.13 | | Oct 31, 2024 | The AI Power: Complete AI Pack plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handle_image_upload' function in all versions up to, and including, 1.8.89. This makes it possible for unauthenticated attackers to upload… |
| CVE-2023-47873 | | Critical | 0.60 | 9.1 | 0.02 | | Mar 26, 2024 | Unrestricted Upload of File with Dangerous Type vulnerability in WEN Solutions WP Child Theme Generator. This issue affects WP Child Theme Generator: from n/a through 1.0.9. |
| CVE-2023-38388 | | Critical | 0.60 | 9.0 | 0.01 | | Mar 26, 2024 | Unrestricted Upload of File with Dangerous Type vulnerability in Artbees JupiterX Core. This issue affects JupiterX Core: from n/a through 3.3.5. |
| CVE-2021-43421 | | Critical | 0.60 | 9.8 | 0.43 | | Apr 7, 2022 | A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code. |
| CVE-2020-24407 | | Critical | 0.60 | 9.1 | 0.06 | | Nov 9, 2020 | Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import… |