VYPR

CWE-434

Unrestricted Upload of File with Dangerous Type

Abstraction: Base | Status: Draft | Likelihood: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,669)

page 69 of 84
  • CVE-2025-53891 | Medium | Jul 15, 2025
    risk 0.28 | CVSS 4.3 | EPSS 0.00

    The timelineofficial/Time-Line- repository contains the source code for the TIME LINE website. A vulnerability was found in the TIME LINE website where uploaded files (instruction/message media) are not strictly validated for type and size. A user may upload renamed or oversized…

  • CVE-2025-27127 | Medium | Jul 8, 2025
    risk 0.28 | CVSS 4.3 | EPSS 0.00

    A vulnerability has been identified in TIA Project-Server (All versions < V2.1.1), TIA Project-Server V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V18 (All versions), Totally…

  • CVE-2025-36519 | Medium | Jun 24, 2025
    risk 0.28 | CVSS 4.3 | EPSS 0.00

    Unrestricted upload of file with dangerous type issue exists in WRC-2533GST2, WRC-1167GST2, WRC-2533GST2, WRC-2533GS2V-B, WRC-2533GS2-B v1.69 and earlier, WRC-2533GS2-W, WRC-1167GST2, WRC-1167GS2-B, and WRC-1167GS2H-B. If a specially crafted file is uploaded by a remote…

  • CVE-2023-39933 | Medium | Mar 18, 2024
    risk 0.28 | CVSS 4.3 | EPSS 0.00

    Insufficient verification vulnerability exists in Broadcast Mail CGI (pmc.exe) included in A.K.I Software's PMailServer/PMailServer2 products. If this vulnerability is exploited, a user who can upload files through the product may execute an arbitrary executable file with the…

  • CVE-2018-0571 | Medium | Jun 26, 2018
    risk 0.28 | CVSS 4.3 | EPSS 0.01

    baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and earlier versions) allows remote attackers with a site operator privilege to upload arbitrary files.

  • CVE-2018-0587 | Medium | May 14, 2018
    risk 0.28 | CVSS 4.3 | EPSS 0.01

    Unrestricted file upload vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated users to upload arbitrary image files via unspecified vectors.

  • CVE-2018-2404 | Medium | Apr 10, 2018
    risk 0.28 | CVSS 4.3 | EPSS 0.02

    SAP Disclosure Management 10.1 allows an attacker to upload any file without proper file format validation.

  • CVE-2016-8973 | Medium | Mar 20, 2017
    risk 0.28 | CVSS 4.3 | EPSS 0.01

    IBM Rhapsody DM 4.0, 5.0 and 6.0 contains an undisclosed vulnerability that may allow an authenticated user to upload infected malicious files to the server. IBM Reference #: 1999960.

  • CVE-2026-33809 | Medium | Mar 25, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    A maliciously crafted TIFF file can cause image decoding to attempt to allocate up to 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.

  • CVE-2026-33221 | Medium | Mar 20, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an…

  • CVE-2025-9467 | Medium | Sep 4, 2025
    risk 0.27 | CVSS n/a | EPSS 0.00

    When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product…

  • CVE-2025-33023 | Medium | Aug 12, 2025
    risk 0.27 | CVSS 4.1 | EPSS 0.00

    A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions), RUGGEDCOM ROX MX5000RE (All versions), RUGGEDCOM ROX RX1400 (All versions), RUGGEDCOM ROX RX1500 (All versions), RUGGEDCOM ROX RX1501 (All versions), RUGGEDCOM ROX RX1510 (All versions), RUGGEDCOM ROX…

  • CVE-2021-47899 | Medium | Jan 23, 2026
    risk 0.26 | CVSS 4.0 | EPSS 0.00

    YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the url_upload_handler endpoint to access sensitive files…

  • CVE-2005-0254 | Low | May 2, 2005
    risk 0.24 | CVSS 3.7 | EPSS 0.02

    BibORB 1.3.2, and possibly earlier versions, does not properly enforce a restriction for uploading only PDF and PS files, which allows remote attackers to upload arbitrary files that are presented to other users with PDF or PS icons, which may trick some users into downloading…

  • CVE-2026-3219 | Medium | Apr 20, 2026
    risk 0.23 | CVSS n/a | EPSS 0.00

    pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior…

  • CVE-2026-41408 | Medium | Apr 28, 2026
    risk 0.21 | CVSS 4.3 | EPSS 0.00

    OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk space by downloading media files without triggering intended safety restrictions,…

  • CVE-2025-55251 | Low | Jan 19, 2026
    risk 0.20 | CVSS 3.1 | EPSS 0.00

    HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise.

  • CVE-2026-1791 | Low | Feb 4, 2026
    risk 0.18 | CVSS 2.7 | EPSS 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in Hillstone Networks Operation and Maintenance Security Gateway on Linux allows Upload a Web Shell to a Web Server. This issue affects Operation and Maintenance Security Gateway: V5.5ST00001B113.

  • CVE-2025-42883 | Low | Nov 11, 2025
    risk 0.18 | CVSS 2.7 | EPSS 0.00

    Migration Workbench (DX Workbench) in SAP NetWeaver Application Server for ABAP fails to trigger a malware scan when an attacker with administrative privileges uploads files to the application server. An attacker could leverage this and upload a malicious file into the system.…

  • CVE-2018-10521 | Low | Apr 27, 2018
    risk 0.18 | CVSS 2.7 | EPSS 0.01

    In CMS Made Simple (CMSMS) through 2.2.7, the "file move" operation in the admin dashboard contains an arbitrary file movement vulnerability that can cause DoS, exploitable by an admin user, because config.php can be moved into an incorrect directory.