VYPR

CWE-434

Unrestricted Upload of File with Dangerous Type

BaseDraftLikelihood: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,669)

page 51 of 84
  • CVE-2026-4536HigMar 22, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was found in Acrel Environmental Monitoring Cloud Platform 1.1.0. This issue affects some unknown processing. Performing a manipulation results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. The…

  • CVE-2026-27043HigMar 19, 2026
    risk 0.47cvss 7.2epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography allows Path Traversal.This issue affects Photography: from n/a before 7.7.6.

  • CVE-2026-4221HigMar 16, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was found in Tiandy Easy7 Integrated Management Platform 7.17.0. This affects an unknown part of the file /rest/file/uploadLedImage of the component Endpoint. The manipulation of the argument File results in unrestricted upload. The attack may be launched…

  • CVE-2026-4220HigMar 16, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability has been found in Technologies Integrated Management Platform 7.17.0. Affected by this issue is some unknown functionality of the file /SetWebpagePic.jsp. The manipulation of the argument targetPath/Suffix leads to unrestricted upload. The attack may be initiated…

  • CVE-2026-4201HigMar 16, 2026
    risk 0.47cvss 7.3epss 0.00

    A weakness has been identified in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This vulnerability affects the function Upload of the file business/business-system/src/main/java/com/glowxq/system/admin/controller/SysFileController.java. Executing a…

  • CVE-2026-4191HigMar 16, 2026
    risk 0.47cvss 7.3epss 0.00

    A flaw has been found in JawherKl node-api-postgres up to 2.5. Affected is the function path.extname of the file index.js of the component Profile Picture Handler. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has…

  • CVE-2026-3025HigFeb 23, 2026
    risk 0.47cvss 7.3epss 0.00

    A flaw has been found in ShuoRen Smart Heating Integrated Management Platform 1.0.0. Affected by this vulnerability is an unknown functionality of the file /MP/Service/Webservice/ExampleNodeService.asmx. Executing a manipulation of the argument File can lead to unrestricted…

  • CVE-2026-2684HigFeb 19, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was determined in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). The impacted element is an unknown function of the file /Archive/ErecordManage/uploadFile.html. Executing a manipulation of the argument File can lead to unrestricted upload.…

  • CVE-2026-2164HigFeb 8, 2026
    risk 0.47cvss 7.3epss 0.00

    A security flaw has been discovered in detronetdip E-commerce 1.0.0. This issue affects some unknown processing of the file /seller/assets/backend/profile/addadhar.php. Performing a manipulation of the argument File results in unrestricted upload. Remote exploitation of the…

  • CVE-2026-2133HigFeb 8, 2026
    risk 0.47cvss 7.3epss 0.00

    A weakness has been identified in code-projects Online Music Site 1.0. Impacted is an unknown function of the file /Administrator/PHP/AdminUpdateCategory.php. This manipulation of the argument txtimage causes unrestricted upload. The attack is possible to be carried out…

  • CVE-2026-2113HigFeb 7, 2026
    risk 0.47cvss 7.3epss 0.01

    A security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. This affects an unknown part in the library /public/static/admin/lib/webuploader/0.1.5/server/preview.php of the component WebUploader. The manipulation leads to deserialization. The attack is possible…

  • CVE-2026-1065HigFeb 3, 2026
    risk 0.47cvss 7.2epss 0.00

    The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This…

  • CVE-2026-1222HigJan 20, 2026
    risk 0.47cvss 7.2epss 0.01

    PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

  • CVE-2026-0643HigJan 7, 2026
    risk 0.47cvss 7.3epss 0.00

    A flaw has been found in projectworlds House Rental and Property Listing 1.0. Impacted is an unknown function of the file /app/register.php?action=reg of the component Signup. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack…

  • CVE-2025-15426HigJan 2, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was identified in jackying H-ui.admin up to 3.1. This affects an unknown function in the library /lib/webuploader/0.1.5/server/preview.php. The manipulation leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit is publicly…

  • CVE-2025-15109HigDec 27, 2025
    risk 0.47cvss 7.3epss 0.00

    A flaw has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. This impacts an unknown function of the file Public/javascripts/admin/plupload-2.1.2/examples/upload.php. This manipulation causes unrestricted upload. It is possible to initiate the attack…

  • CVE-2025-14583HigDec 12, 2025
    risk 0.47cvss 7.3epss 0.00

    A flaw has been found in campcodes Online Student Enrollment System 1.0. This impacts an unknown function of the file /admin/register.php. Executing a manipulation of the argument photo can lead to unrestricted upload. The attack can be launched remotely. The exploit has been…

  • CVE-2025-13376HigNov 25, 2025
    risk 0.47cvss 7.2epss 0.01

    The ProjectList plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.3.0. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the…

  • CVE-2025-12973HigNov 21, 2025
    risk 0.47cvss 7.2epss 0.01

    The S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeFile() function in all versions up to, and including, 1.7.8. This makes it possible for…

  • CVE-2025-0645HigNov 20, 2025
    risk 0.47cvss 7.2epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in Narkom Communication and Software Technologies Trade Ltd. Co. Pyxis Signage allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Pyxis Signage: through 31012025.