CWE-434
Unrestricted Upload of File with Dangerous Type
Description
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1
CVEs mapped to this weakness (1,669)
page 50 of 84| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-11474 | Hig | 0.47 | 7.3 | 0.00 | Jun 8, 2026 | A security flaw has been discovered in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected is an unknown function of the file service/RegisterService.php of the component Registration Endpoint. Performing a manipulation of the argument… | ||
| CVE-2026-7537 | Hig | 0.47 | 7.2 | 0.01 | Jun 6, 2026 | The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This… | ||
| CVE-2026-11344 | Hig | 0.47 | 7.3 | 0.00 | Jun 5, 2026 | A vulnerability was found in code-projects Vehicle Management System 1.0. This impacts an unknown function of the file newdriver.php of the component New Driver Registration Form. Performing a manipulation of the argument photo results in unrestricted upload. The attack may be… | ||
| CVE-2026-39292 | Hig | 0.47 | 7.3 | 0.00 | May 29, 2026 | Falco Solutions PHPPageBuilder v0.31.0 contains an unrestricted file upload vulnerability in the pagemanager/pagebuilder module that allows remote attackers to upload arbitrary files and achieve remote code execution. The vulnerability exists due to insufficient validation of… | ||
| CVE-2026-10072 | Hig | 0.47 | 7.2 | 0.00 | May 29, 2026 | DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | ||
| CVE-2026-9421 | Hig | 0.47 | 7.3 | 0.00 | May 25, 2026 | A vulnerability was determined in KLiK SocialMediaWebsite 1.0. This vulnerability affects the function uniqid of the file upload.inc.php of the component File Handler. This manipulation causes unrestricted upload. The attack can be initiated remotely. The exploit has been… | ||
| CVE-2026-8758 | Hig | 0.47 | 7.3 | 0.00 | May 17, 2026 | A vulnerability was determined in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06. This impacts an unknown function of the file /common/jsp/upload3.jsp. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The… | ||
| CVE-2026-37430 | Hig | 0.47 | 7.3 | 0.00 | May 13, 2026 | An arbitrary file upload vulnerability in the ShopOrderImportController.java component of qihang-wms commit 75c15a allows attackers to execute arbitrary code via uploading a crafted file. | ||
| CVE-2026-38751 | Hig | 0.47 | 7.2 | 0.00 | May 4, 2026 | OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionality (modules/aggiornamenti/upload_modules.php) | ||
| CVE-2026-7733 | — | Hig | 0.47 | 7.3 | 0.00 | May 4, 2026 | A flaw has been found in funadmin up to 7.1.0-rc6. This affects the function UploadService::chunkUpload of the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. This manipulation of the argument File causes unrestricted upload. The… | |
| CVE-2026-7711 | — | Hig | 0.47 | 7.3 | 0.00 | May 4, 2026 | A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed… | |
| CVE-2026-7490 | Hig | 0.47 | 7.2 | 0.00 | May 2, 2026 | CTMS and CPAS developed by Sunnet has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | ||
| CVE-2026-37748 | Hig | 0.47 | 7.2 | 0.01 | Apr 21, 2026 | Visitor Management System 1.0 by sanjay1313 is vulnerable to Unrestricted File Upload in vms/php/admin_user_insert.php and vms/php/update_1.php. The move_uploaded_file() function is called without any MIME type, extension, or content validation, allowing an authenticated admin… | ||
| CVE-2026-6602 | Hig | 0.47 | 7.3 | 0.00 | Apr 20, 2026 | A vulnerability was found in rickxy Hospital Management System up to 88a4290d957dc5bdde8a56e5ad451ad14f7f90f4. Affected is an unknown function of the file /backend/admin/his_admin_account.php. The manipulation of the argument ad_dpic results in unrestricted upload. The attack… | ||
| CVE-2026-30804 | Hig | 0.47 | 7.2 | 0.00 | Apr 13, 2026 | Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. This issue affects Pandora FMS: from 777 through 800 | ||
| CVE-2026-4808 | Hig | 0.47 | 7.2 | 0.01 | Apr 8, 2026 | The Gerador de Certificados – DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function in all versions up to, and including, 1.3.6. This makes it possible for authenticated attackers, with… | ||
| CVE-2026-33273 | Hig | 0.47 | 7.2 | 0.00 | Apr 8, 2026 | Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server. | ||
| CVE-2026-5573 | Hig | 0.47 | 7.3 | 0.01 | Apr 5, 2026 | A weakness has been identified in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. This impacts an unknown function of the file /fs. Executing a manipulation of the argument cwd can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made… | ||
| CVE-2026-5261 | Hig | 0.47 | 7.3 | 0.00 | Apr 1, 2026 | A vulnerability was identified in Shandong Hoteam InforCenter PLM up to 8.3.8. The impacted element is the function uploadFileToIIS of the file /Base/BaseHandler.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack… | ||
| CVE-2026-5001 | Hig | 0.47 | 7.3 | 0.00 | Mar 28, 2026 | A flaw has been found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. The affected element is the function do_POST of the file backend/server.py. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The… |
- risk 0.47cvss 7.3epss 0.00
A security flaw has been discovered in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected is an unknown function of the file service/RegisterService.php of the component Registration Endpoint. Performing a manipulation of the argument…
- risk 0.47cvss 7.2epss 0.01
The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This…
- risk 0.47cvss 7.3epss 0.00
A vulnerability was found in code-projects Vehicle Management System 1.0. This impacts an unknown function of the file newdriver.php of the component New Driver Registration Form. Performing a manipulation of the argument photo results in unrestricted upload. The attack may be…
- risk 0.47cvss 7.3epss 0.00
Falco Solutions PHPPageBuilder v0.31.0 contains an unrestricted file upload vulnerability in the pagemanager/pagebuilder module that allows remote attackers to upload arbitrary files and achieve remote code execution. The vulnerability exists due to insufficient validation of…
- risk 0.47cvss 7.2epss 0.00
DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
- risk 0.47cvss 7.3epss 0.00
A vulnerability was determined in KLiK SocialMediaWebsite 1.0. This vulnerability affects the function uniqid of the file upload.inc.php of the component File Handler. This manipulation causes unrestricted upload. The attack can be initiated remotely. The exploit has been…
- risk 0.47cvss 7.3epss 0.00
A vulnerability was determined in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06. This impacts an unknown function of the file /common/jsp/upload3.jsp. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The…
- risk 0.47cvss 7.3epss 0.00
An arbitrary file upload vulnerability in the ShopOrderImportController.java component of qihang-wms commit 75c15a allows attackers to execute arbitrary code via uploading a crafted file.
- risk 0.47cvss 7.2epss 0.00
OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionality (modules/aggiornamenti/upload_modules.php)
- risk 0.47cvss 7.3epss 0.00
A flaw has been found in funadmin up to 7.1.0-rc6. This affects the function UploadService::chunkUpload of the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. This manipulation of the argument File causes unrestricted upload. The…
- risk 0.47cvss 7.3epss 0.00
A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed…
- risk 0.47cvss 7.2epss 0.00
CTMS and CPAS developed by Sunnet has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
- risk 0.47cvss 7.2epss 0.01
Visitor Management System 1.0 by sanjay1313 is vulnerable to Unrestricted File Upload in vms/php/admin_user_insert.php and vms/php/update_1.php. The move_uploaded_file() function is called without any MIME type, extension, or content validation, allowing an authenticated admin…
- risk 0.47cvss 7.3epss 0.00
A vulnerability was found in rickxy Hospital Management System up to 88a4290d957dc5bdde8a56e5ad451ad14f7f90f4. Affected is an unknown function of the file /backend/admin/his_admin_account.php. The manipulation of the argument ad_dpic results in unrestricted upload. The attack…
- risk 0.47cvss 7.2epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. This issue affects Pandora FMS: from 777 through 800
- risk 0.47cvss 7.2epss 0.01
The Gerador de Certificados – DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function in all versions up to, and including, 1.3.6. This makes it possible for authenticated attackers, with…
- risk 0.47cvss 7.2epss 0.00
Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server.
- risk 0.47cvss 7.3epss 0.01
A weakness has been identified in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. This impacts an unknown function of the file /fs. Executing a manipulation of the argument cwd can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made…
- risk 0.47cvss 7.3epss 0.00
A vulnerability was identified in Shandong Hoteam InforCenter PLM up to 8.3.8. The impacted element is the function uploadFileToIIS of the file /Base/BaseHandler.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack…
- risk 0.47cvss 7.3epss 0.00
A flaw has been found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. The affected element is the function do_POST of the file backend/server.py. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The…