Total
3401 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-48953 | 1 Umbraco | 1 Umbraco Cms | 2025-06-24 | 5.5 Medium |
| Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it's possible to upload a file that doesn't adhere with the configured allowable file extensions via a manipulated API request. The issue is patched in versions 15.4.2 and 16.0.0. No known workarounds are available. | ||||
| CVE-2025-4291 | 1 Ideacms | 1 Ideacms | 2025-06-24 | 6.3 Medium |
| A vulnerability, which was classified as critical, was found in IdeaCMS up to 1.6. Affected is the function saveUpload. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-47452 | 1 Rextheme | 1 Wp Vr | 2025-06-24 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in RexTheme WP VR allows Upload a Web Shell to a Web Server. This issue affects WP VR: from n/a through 8.5.26. | ||||
| CVE-2025-26319 | 1 Flowiseai | 1 Flowise | 2025-06-24 | 9.8 Critical |
| FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments. | ||||
| CVE-2025-23171 | 1 Versa | 1 Director | 2025-06-23 | 7.2 High |
| The Versa Director SD-WAN orchestration platform provides an option to upload various types of files. The Versa Director does not correctly limit file upload permissions. The UI appears not to allow file uploads but uploads still succeed. In addition, the Versa Director discloses the full filename of uploaded temporary files, including the UUID prefix. Insecure UCPE image upload in Versa Director allows an authenticated attacker to upload a webshell. Exploitation Status: Versa Networks is not aware of any reported instance where this vulnerability was exploited. Proof of concept for this vulnerability has been disclosed by third party security researchers. Workarounds or Mitigation: There are no workarounds to disable the GUI option. Versa recommends that Director be upgraded to one of the remediated software versions. | ||||
| CVE-2025-6266 | 2025-06-23 | 6.3 Medium | ||
| A vulnerability was found in FLIR AX8 up to 1.46. It has been declared as critical. This vulnerability affects unknown code of the file /upload.php. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-43946 | 1 Tcpwave | 1 Ddi | 2025-06-23 | 9.8 Critical |
| TCPWave DDI 11.34P1C2 allows Remote Code Execution via Unrestricted File Upload (combined with Path Traversal). | ||||
| CVE-2025-45855 | 1 Erupt | 1 Erupt | 2025-06-23 | 5.4 Medium |
| An arbitrary file upload vulnerability in the component /upload/GoodsCategory/image of erupt v1.12.19 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2023-31505 | 1 Schlix | 1 Cms | 2025-06-20 | 7.2 High |
| An arbitrary file upload vulnerability in Schlix CMS v2.2.8-1, allows remote authenticated attackers to execute arbitrary code and obtain sensitive information via a crafted .phtml file. | ||||
| CVE-2024-35079 | 1 Inxedu | 1 Inxedu | 2025-06-20 | 9.8 Critical |
| An arbitrary file upload vulnerability in the uploadAudio method of inxedu v2024.4 allows attackers to execute arbitrary code via uploading a crafted .jsp file. | ||||
| CVE-2024-35080 | 2 Inexdu, Inxedu | 2 Inexdu, Inxedu | 2025-06-20 | 9.8 Critical |
| An arbitrary file upload vulnerability in the gok4 method of inxedu v2024.4 allows attackers to execute arbitrary code via uploading a crafted .jsp file. | ||||
| CVE-2024-35570 | 1 Inxedu | 1 Inxedu | 2025-06-20 | 9.8 Critical |
| An arbitrary file upload vulnerability in the component \controller\ImageUploadController.class of inxedu v2.0.6 allows attackers to execute arbitrary code via uploading a crafted jsp file. | ||||
| CVE-2023-51925 | 1 Yonyou | 1 Yonbip | 2025-06-20 | 9.8 Critical |
| An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2021-31314 | 1 Ejinshan | 1 Terminal Security System | 2025-06-20 | 9.8 Critical |
| File upload vulnerability in ejinshan v8+ terminal security system allows attackers to upload arbitrary files to arbitrary locations on the server. | ||||
| CVE-2023-51806 | 1 Ujcms | 1 Ujcms | 2025-06-20 | 7.8 High |
| File Upload vulnerability in Ujcms v.8.0.2 allows a local attacker to execute arbitrary code via a crafted file. | ||||
| CVE-2023-4536 | 1 Koalaapps | 1 My Account Page Editor | 2025-06-20 | 8.8 High |
| The My Account Page Editor WordPress plugin before 1.3.2 does not validate the profile picture to be uploaded, allowing any authenticated users, such as subscriber to upload arbitrary files to the server, leading to RCE | ||||
| CVE-2022-1538 | 1 Themely | 1 Theme Demo Import | 2025-06-20 | 7.2 High |
| Theme Demo Import WordPress plugin before 1.1.1 does not validate the imported file, allowing high-privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed. | ||||
| CVE-2025-47687 | 1 Woocommerce | 1 Storekeeper | 2025-06-20 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows Upload a Web Shell to a Web Server. This issue affects StoreKeeper for WooCommerce: from n/a through 14.4.4. | ||||
| CVE-2024-31777 | 1 Openeclass | 1 Openeclass | 2025-06-18 | 9.8 Critical |
| File Upload vulnerability in openeclass v.3.15 and before allows an attacker to execute arbitrary code via a crafted file to the certbadge.php endpoint. | ||||
| CVE-2023-5957 | 1 Naziinfotech | 1 Ni Purchase Order\(po\) For Woocommerce | 2025-06-18 | 7.2 High |
| The Ni Purchase Order(PO) For WooCommerce WordPress plugin through 1.2.1 does not validate logo and signature image files uploaded in the settings, allowing high privileged user to upload arbitrary files to the web server, triggering an RCE vulnerability by uploading a web shell. | ||||