VYPR

CWE-434

Unrestricted Upload of File with Dangerous Type

Base | Draft | Likelihood: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,669)

page 70 of 84
  • CVE-2025-13462 | Low | Mar 12, 2026
    risk 0.14 | cvss 3.3 | epss 0.00

    The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to…

  • CVE-2025-58769 | Low | Oct 1, 2025
    risk 0.14 | cvss 3.3 | epss 0.00

    auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept…

  • CVE-2017-9279 | Low | Mar 2, 2018
    risk 0.13 | cvss 2.0 | epss 0.01

    NetIQ Identity Manager before 4.5.6.1 allowed uploading files with double extensions or non-image content in the Themes handling of the User Application Administration, allowing malicious user administrators to potentially execute code or mislead users.

  • CVE-2020-13671 | KEV | Nov 20, 2020
    risk 0.12 | cvss n/a | epss 0.04

    Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0…

  • CVE-2018-9206 | Oct 11, 2018
    risk 0.11 | cvss n/a | epss 0.97

    Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0

  • CVE-2014-8739 | Feb 8, 2020
    risk 0.10 | cvss n/a | epss 0.92

    Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote…

  • CVE-2018-17553 | High | Oct 3, 2018
    risk 0.09 | cvss 8.8 | epss 0.79

    An "Unrestricted Upload of File with Dangerous Type" issue with directory traversal in navigate_upload.php in Naviwebs Navigate CMS 2.8 allows authenticated attackers to achieve remote code execution via a POST request with engine=picnik and id=../../../navigate_info.php.

  • CVE-2026-53724 | Low | Jun 12, 2026
    risk 0.07 | cvss n/a | epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would…

  • CVE-2025-26319 | Mar 4, 2025
    risk 0.07 | cvss n/a | epss 0.51

    FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.

  • CVE-2021-36711 | Jul 16, 2022
    risk 0.07 | cvss n/a | epss 0.12

    WebInterface in OctoBot before 0.4.4 allows remote code execution because Tentacles upload is mishandled.

  • CVE-2021-43617 | Nov 14, 2021
    risk 0.07 | cvss n/a | epss 0.20

    Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE…

  • CVE-2021-21351 | Mar 22, 2021
    risk 0.07 | cvss n/a | epss 0.82

    XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability that may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is…

  • CVE-2019-12409 | Nov 18, 2019
    risk 0.07 | cvss n/a | epss 0.22

    The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring…

  • CVE-2020-10963 | Mar 25, 2020
    risk 0.05 | cvss n/a | epss 0.15

    FrozenNode Laravel-Administrator through 5.0.12 allows unrestricted file upload (and consequently Remote Code Execution) via admin/tips_image/image/file_upload image upload with PHP content within a GIF image that has the .php extension. NOTE: this product is discontinued.

  • CVE-2012-6081 | Jan 3, 2013
    risk 0.05 | cvss n/a | epss 0.31

    Multiple unrestricted file upload vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to execute arbitrary code by uploading a file with an…

  • CVE-2023-24249 | Feb 27, 2023
    risk 0.04 | cvss n/a | epss 0.02

    An arbitrary file upload vulnerability in laravel-admin v1.8.19 allows attackers to execute arbitrary code via a crafted PHP file.

  • CVE-2022-26149 | Feb 26, 2022
    risk 0.04 | cvss n/a | epss 0.09

    MODX Revolution through 2.8.3-pl allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Uploadable File Types setting can be changed by an administrator.

  • CVE-2020-14209 | Sep 2, 2020
    risk 0.04 | cvss n/a | epss 0.27

    Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be…

  • CVE-2004-2262 | Dec 31, 2004
    risk 0.04 | cvss n/a | epss 0.15

    ImageManager in e107 before 0.617 does not properly check the types of uploaded files, which allows remote attackers to execute arbitrary code by uploading a PHP file via the upload parameter to images.php.

  • CVE-2023-50386 | Feb 9, 2024
    risk 0.03 | cvss n/a | epss 0.84

    Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In…