Skip to main content

CWE-351

Insufficient Type Distinction

10 CVEs Avg CVSS 5.7 MITRE
1
CRITICAL
1
HIGH
6
MEDIUM
2
LOW
0
POC
0
KEV

Monthly

CVE-2026-15305 MEDIUM PATCH This Month

MIME type restriction bypass in TYPO3 CMS 14.2.0-14.3.5 allows unauthenticated attackers to upload files of arbitrary MIME types through forms configured with FileUpload or ImageUpload elements, circumventing the allowedMimeTypes restriction entirely. The flaw originates from a lifecycle ordering defect in the server-side form framework: MimeTypeValidator is registered before concrete form definition properties are applied, so it is absent from the validation pipeline at runtime. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the network-accessible, zero-prerequisite-auth nature of the bypass elevates practical risk wherever affected forms are publicly exposed.

Information Disclosure
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-41341 npm LOW PATCH Monitor

OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or trigger incorrect session handling.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2025-65960 PHP MEDIUM PATCH This Month

Contao is an Open Source CMS. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

PHP Information Disclosure Contao
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-47939 PHP MEDIUM PATCH This Month

TYPO3 is an open source, PHP based web content management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure PHP Typo3
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-30510 CRITICAL Act Now

An attacker can upload an arbitrary file instead of a plant image. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cloud Portal
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-32035 LOW PATCH Monitor

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.

Microsoft Information Disclosure Dotnetnuke
NVD GitHub
CVSS 3.1
2.6
EPSS
0.1%
CVE-2024-45676 MEDIUM This Month

IBM Cognos Controller 11.0.0 and 11.0.1 could allow an authenticated user to upload insecure files, due to insufficient file type distinction. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Information Disclosure Cognos Controller
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-4769 MEDIUM This Month

When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
5.9
EPSS
0.4%
CVE-2023-2866 HIGH This Week

If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Webaccess
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2020-10134 MEDIUM This Month

Pairing in Bluetooth® Core v5.2 and earlier may permit an unauthenticated attacker to acquire credentials with two pairing devices via adjacent access when the unauthenticated user initiates. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Bluetooth Core
NVD
CVSS 3.1
6.3
EPSS
0.7%
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

MIME type restriction bypass in TYPO3 CMS 14.2.0-14.3.5 allows unauthenticated attackers to upload files of arbitrary MIME types through forms configured with FileUpload or ImageUpload elements, circumventing the allowedMimeTypes restriction entirely. The flaw originates from a lifecycle ordering defect in the server-side form framework: MimeTypeValidator is registered before concrete form definition properties are applied, so it is absent from the validation pipeline at runtime. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the network-accessible, zero-prerequisite-auth nature of the bypass elevates practical risk wherever affected forms are publicly exposed.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or trigger incorrect session handling.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Contao is an Open Source CMS. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

PHP Information Disclosure Contao
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

TYPO3 is an open source, PHP based web content management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure PHP Typo3
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

An attacker can upload an arbitrary file instead of a plant image. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cloud Portal
NVD
EPSS 0% CVSS 2.6
LOW PATCH Monitor

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.

Microsoft Information Disclosure Dotnetnuke
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

IBM Cognos Controller 11.0.0 and 11.0.1 could allow an authenticated user to upload insecure files, due to insufficient file type distinction. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Information Disclosure Cognos Controller
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Webaccess
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

Pairing in Bluetooth® Core v5.2 and earlier may permit an unauthenticated attacker to acquire credentials with two pairing devices via adjacent access when the unauthenticated user initiates. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Bluetooth Core
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy