VYPR

CWE-434

Unrestricted Upload of File with Dangerous Type

Abstraction: Base
Status: Draft
Likelihood of exploit: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,669)

page 65 of 84
  • CVE-2024-43662 | Medium | Jan 9, 2025
    risk 0.34 | cvss: not listed | epss 0.01

    The .exe or .exe CGI binary can be used to upload arbitrary files to /tmp/upload/ or /tmp/ respectively as any user, although the user interface for uploading files is only shown to the iocadmin user. This issue affects Iocharger firmware for AC models…

  • CVE-2020-36825 | Medium | Mar 24, 2024
    risk 0.34 | cvss 6.3 | epss 0.00

    ** UNSUPPORTED WHEN ASSIGNED ** ** DISPUTED ** A vulnerability has been found in cyberaz0r WebRAT up to 20191222 and classified as critical. This vulnerability affects the function download_file of the file Server/api.php. The manipulation of the argument name leads to…

  • CVE-2015-0796 | Medium | Mar 2, 2018
    risk 0.34 | cvss 6.3 | epss 0.01

    In open buildservice 2.6 before 2.6.3, 2.5 before 2.5.7 and 2.4 before 2.4.8 the source service patch application could generate non-standard files like symlinks or device nodes, which could allow buildservice users to break out of confinement or cause denial of service attacks on…

  • CVE-2026-5704 | Medium | Apr 6, 2026
    risk 0.33 | cvss 5.0 | epss 0.00

    A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce…

  • CVE-2025-61768 | Medium | Oct 6, 2025
    risk 0.33 | cvss: not listed | epss 0.00

    KUNO CMS is a fully deployable full-stack blog application. In versions prior to 1.3.15, an SSRF (Server-Side Request Forgery) vulnerability exists in the Media module of the Kuno CMS administrative panel. A logged-in administrator can upload a specially crafted SVG file…

  • CVE-2025-3169 | Medium | Apr 3, 2025
    risk 0.33 | cvss 5.0 | epss 0.00

    A vulnerability was found in Projeqtor up to 12.0.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /tool/saveAttachment.php. The manipulation of the argument attachmentFiles leads to unrestricted upload. The attack may be…

  • CVE-2018-16397 | Medium | Sep 3, 2018
    risk 0.32 | cvss 4.9 | epss 0.01

    In LimeSurvey before 3.14.7, an admin user can leverage a "file upload" question to read an arbitrary file,

  • CVE-2018-16373 | Medium | Sep 3, 2018
    risk 0.32 | cvss 4.9 | epss 0.01

    Frog CMS 0.9.5 has an Upload vulnerability that can create files via /admin/?/plugin/file_manager/save.

  • CVE-2017-11405 | Medium | Jul 18, 2017
    risk 0.32 | cvss 4.9 | epss 0.01

    In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a CMSContentManager action to admin/moduleinterface.php, followed by a FilePicker action to admin/moduleinterface.php in which type=image is changed to type=file.

  • CVE-2017-11404 | Medium | Jul 18, 2017
    risk 0.32 | cvss 4.9 | epss 0.01

    In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a FileManager action to admin/moduleinterface.php.

  • CVE-2026-11621 | Medium | Jun 9, 2026
    risk 0.31 | cvss 4.7 | epss 0.00

    A weakness has been identified in Dcat-Admin up to 2.2.3-beta. This impacts the function editorMDUpload of the file /admin/dcat-api/editor-md/upload of the component User Setting Page. This manipulation of the argument editormd-image-file causes unrestricted upload. The attack…

  • CVE-2026-7673 | Medium | May 3, 2026
    risk 0.31 | cvss 4.7 | epss 0.00

    A vulnerability was detected in crmeb_java up to 1.3.4. This vulnerability affects unknown code of the file crmeb/crmeb-service/src/main/java/com/zbkj/service/service/impl/UploadServiceImpl.java of the component Admin Upload. Performing a manipulation of the argument model…

  • CVE-2026-7578 | Medium | May 1, 2026
    risk 0.31 | cvss 4.7 | epss 0.00

    A weakness has been identified in MacCMS Pro up to 2022.1.3. This vulnerability affects the function install of the file /admi.php/admin/addon/add.html of the component Plugin Installation Handler. Executing a manipulation can lead to unrestricted upload. The attack may be…

  • CVE-2026-7393 | Medium | Apr 29, 2026
    risk 0.31 | cvss 4.7 | epss 0.00

    A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. Affected is the function save_menu of the file /admin/admin_class_novo.php of the component File Extension Handler. Performing a manipulation of the argument img results in unrestricted upload. The attack…

  • CVE-2026-7238 | Medium | Apr 28, 2026
    risk 0.31 | cvss 4.7 | epss 0.00

    A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminUpdateAlbum.php. This manipulation of the argument txtimage causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has…

  • CVE-2026-7134 | Medium | Apr 27, 2026
    risk 0.31 | cvss 4.7 | epss 0.00

    A vulnerability was identified in code-projects Online Lot Reservation System 1.0. Affected is an unknown function of the file /edithousepic.php. Such manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit is publicly…

  • CVE-2026-7133 | Medium | Apr 27, 2026
    risk 0.31 | cvss 4.7 | epss 0.00

    A vulnerability was determined in code-projects Online Lot Reservation System 1.0. This impacts an unknown function of the file /activity.php. This manipulation of the argument directory causes unrestricted upload. The attack can be initiated remotely. The exploit has been…

  • CVE-2026-6650 | Medium | Apr 20, 2026
    risk 0.31 | cvss 4.7 | epss 0.00

    A vulnerability was identified in Z-BlogPHP 1.7.5. This affects the function App::UnPack of the file /zb_users/plugin/AppCentre/app_upload.php of the component ZBA File Handler. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit is…

  • CVE-2026-6561 | Medium | Apr 19, 2026
    risk 0.31 | cvss 4.7 | epss 0.00

    A vulnerability was detected in EyouCMS up to 1.7.1. This issue affects the function edit_adminlogo of the file application/admin/controller/Index.php. Performing a manipulation of the argument filename results in unrestricted upload. The attack is possible to be carried out…

  • CVE-2026-5576 | Medium | Apr 5, 2026
    risk 0.31 | cvss 4.7 | epss 0.00

    A flaw has been found in SourceCodester/jkev Record Management System 1.0. Affected by this issue is some unknown functionality of the file save_emp.php of the component Add Employee Page. This manipulation causes unrestricted upload. Remote exploitation of the attack is…