VYPR

CWE-434

Unrestricted Upload of File with Dangerous Type

Abstraction: Base · Status: Draft · Likelihood: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,669)

page 59 of 84
  • CVE-2026-23704 · Medium · Feb 4, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the…

  • CVE-2020-36973 · Medium · Jan 28, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. Attackers can upload a .txt webshell, rename it to .php, and move it to accessible directories using…

  • CVE-2026-0911 · High · Jan 24, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for…

  • CVE-2025-52078 · Medium · Aug 5, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    File upload vulnerability in Writebot AI Content Generator SaaS React Template thru 4.0.0, allowing remote attackers to gain escalated privileges via a crafted POST request to the /file-upload endpoint.

  • CVE-2025-54962 · Medium · Aug 4, 2025
    risk 0.42 · CVSS 6.4 · EPSS 0.00

    /edit-user in webserver in OpenPLC Runtime 3 through 9cd8f1b allows authenticated users to upload arbitrary files (such as .html or .svg), and these are then publicly accessible under the /static URI.

  • CVE-2025-1725 · Medium · Jun 3, 2025
    risk 0.42 · CVSS 6.4 · EPSS 0.00

    The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.7 due to insufficient input sanitization and output…

  • CVE-2024-9544 · Medium · May 22, 2025
    risk 0.42 · CVSS 6.4 · EPSS 0.00

    The MapSVG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 8.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level…

  • CVE-2025-32215 · Medium · Apr 10, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in Ability, Inc Accessibility Suite online-accessibility allows Stored XSS. This issue affects Accessibility Suite: from n/a through <= 4.18.

  • CVE-2025-0731 · Medium · Feb 26, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    An unauthenticated remote attacker can upload a .aspx file instead of a PV system picture through the demo account. The code can only be executed in the security context of the user.

  • CVE-2024-41454 · Medium · Jan 15, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    An arbitrary file upload vulnerability in the UI login page logo upload function of Process Maker pm4core-docker 4.1.21-RC7 allows attackers to execute arbitrary code via uploading a crafted PHP or HTML file.

  • CVE-2024-1332 · Medium · May 24, 2024
    risk 0.42 · CVSS 6.4 · EPSS 0.00

    The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated…

  • CVE-2024-28520 · Medium · Apr 4, 2024
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    File Upload vulnerability in Byzoro Networks Smart multi-service security gateway intelligent management platform version S210, allows an attacker to obtain sensitive information via the uploadfile.php component.

  • CVE-2022-45377 · Medium · Dec 21, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Unrestricted Upload of File with Dangerous Type vulnerability in Glen Don L. Mongaya Drag and Drop Multiple File Upload for WooCommerce. This issue affects Drag and Drop Multiple File Upload for WooCommerce: from n/a through 1.0.8.

  • CVE-2023-6827 · High · Dec 15, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    The Essential Real Estate plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'ajaxUploadFonts' function in versions up to, and including, 4.3.5. This makes it possible for authenticated attackers with subscriber-level…

  • CVE-2023-34660 · Medium · Jun 16, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    jjeecg-boot V3.5.0 has an unauthorized arbitrary file upload in /jeecg-boot/jmreport/upload interface.

  • CVE-2021-31542 · High · May 5, 2021
    risk 0.42 · CVSS 7.5 · EPSS 0.05

    In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

  • CVE-2021-21351 · Medium · Mar 23, 2021
    risk 0.42 · CVSS 5.4 · EPSS 0.82

    XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability that may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is…

  • CVE-2020-15839 · Medium · Sep 22, 2020
    risk 0.42 · CVSS 6.5 · EPSS 0.02

    Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files.

  • CVE-2020-1469 · High · Jul 14, 2020
    risk 0.42 · CVSS 7.5 · EPSS 0.05

    A denial of service vulnerability exists when the .NET implementation of Bond improperly parses input, aka 'Bond Denial of Service Vulnerability'.

  • CVE-2020-9280 · High · Apr 15, 2020
    risk 0.42 · CVSS 7.5 · EPSS 0.02

    In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x.…