Skip to main content

CWE-434

Unrestricted Upload of File with Dangerous Type

3048 CVEs Avg CVSS 8.4 MITRE
1256
CRITICAL
1323
HIGH
411
MEDIUM
51
LOW
1451
POC
20
KEV

Monthly

CVE-2026-50124 HIGH This Week

Remote authenticated code execution in DataEase before 2.10.23 lets a low-privileged user abuse the Excel/datasource upload workflow to run arbitrary Java. By uploading a crafted payload.zip via /datasource/upload and defining an H2 datasource that references the archive through the zip: protocol, an attacker forces CalciteProvider.jdbcFetchResultField to execute a query that triggers precompiled Java aliases embedded in test.mv.db. The vendor CVSS 4.0 vector scores this 7.1 (confidentiality-only), but the underlying primitive is full arbitrary code execution; no public exploit identified at time of analysis and it is not listed in CISA KEV.

File Upload Java RCE Dataease
NVD GitHub
CVSS 4.0
7.1
CVE-2026-61457 MEDIUM PATCH This Month

Remote code execution in the Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 is achievable by authenticated API users holding the api.media.write permission via a double-extension file upload bypass. The HandlesMediaUploads::validateFileExtension() method uses PHP's pathinfo() to inspect only the final file extension, meaning a file named shell.php.jpg passes the dangerous-extension blocklist while retaining a .php segment that certain web server configurations will execute as PHP. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique is well-understood and exploitation is low-complexity once permission prerequisites are met.

File Upload PHP RCE Grav
NVD GitHub VulDB
CVSS 4.0
5.3
CVE-2026-11579 MEDIUM POC PATCH This Month

Unauthenticated file upload to the WordPress Media Library is possible in Kali Forms - Contact Form & Drag-and-Drop Builder versions before 2.4.17, because the plugin's upload handler accepts file submissions without verifying that a corresponding form with a file-upload field actually exists on the site. Any unauthenticated remote attacker can directly invoke the upload endpoint and deposit files into the Media Library. Impact is bounded by WordPress's core MIME type allowlist, which prevents upload of executable files and thereby rules out code execution; a publicly available proof-of-concept is confirmed by WPScan, and no CISA KEV listing is present at time of analysis.

File Upload RCE WordPress Kali Forms Contact Form Drag And Drop Builder
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-48356 CRITICAL Act Now

Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file upload (CWE-434) that runs in the context of the current user, letting an attacker inject malicious scripts and hijack a victim's account or session. Exploitation is network-reachable and marked unauthenticated by the CVSS vector but requires the victim to visit a crafted URL or interact with a compromised page, and the scope is changed (impact extends beyond the vulnerable component). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; Adobe rates it CVSS 9.6 critical.

File Upload RCE Adobe Adobe Commerce Adobe Commerce B2B +2
NVD
CVSS 3.1
9.6
EPSS
28.3%
CVE-2026-15677 MEDIUM POC This Month

Unrestricted file upload in code-projects Online Job Portal 1.0 exposes unauthenticated remote attackers to arbitrary file upload via the txtFile parameter in /JobSeekerInsert.php, enabling likely webshell deployment and subsequent server-side code execution. A public proof-of-concept exploit exists (no KEV listing), substantially lowering the exploitation barrier for any internet-exposed instance. The CVSS 4.0 impact metrics are conservatively rated Low across C/I/A, which understates the realistic post-exploitation potential of an unrestricted PHP file upload - successful webshell placement typically yields full OS command execution in the web server process context.

PHP File Upload Online Job Portal
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-58409 CRITICAL Act Now

Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by installing a plugin ZIP that contains a webshell. Because 'php' is explicitly whitelisted in ALLOWED_EXTENSIONS and the DENIED_EXTENSIONS denylist fails to catch standard .php files, any PHP file inside the archive is extracted directly under the web root and becomes immediately executable over HTTP without the plugin ever being enabled. The /plugins/install-url route additionally allows the archive to be sourced from any attacker-controlled HTTPS URL, validated only against an attacker-supplied SHA-256 hash. No public exploit identified at time of analysis and it is not on CISA KEV.

PHP File Upload RCE Crm
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-14906 MEDIUM This Month

PDF save functionality in Firefox for iOS allows maliciously crafted page titles to manipulate the output file path, enabling overwrites of existing PDF files or bundled application content within the Firefox iOS sandbox. All versions prior to 152.4 on Apple iOS devices are affected. An attacker operating a malicious website can lure a user into saving a page as PDF, causing the crafted title to resolve to an unintended file path within the app sandbox - potentially corrupting application state or stored documents. No public exploit has been identified at time of analysis, though SSVC classifies the vulnerability as automatable with partial technical impact.

Apple File Upload Mozilla Firefox For Ios
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-49972 HIGH PATCH This Week

Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

PHP Nginx RCE File Upload Apache +1
NVD GitHub
CVSS 4.0
7.7
EPSS
0.8%
CVE-2026-57719 CRITICAL Act Now

Arbitrary file upload in CodeRevolution's Aimogen Pro WordPress plugin (versions up to and including 2.8.3) lets attackers upload files of dangerous types, typically enabling deployment of a PHP web shell and full remote code execution on the host. The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) rates it 10.0 critical, reflecting network-reachable, low-complexity, unauthenticated exploitation with a scope change. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

File Upload Aimogen Pro
NVD
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-57710 CRITICAL Act Now

Arbitrary file upload in the WoowBot Pro Max WordPress plugin (quantumcloud) through version 14.1.7 allows an authenticated attacker to upload files of dangerous types, leading to remote code execution on the underlying WordPress host. The scope-change CVSS 9.9 reflects that a low-privileged account can pivot to full server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Patchstack has confirmed and cataloged the flaw.

File Upload Woowbot Pro Max
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVSS 7.1
HIGH This Week

Remote authenticated code execution in DataEase before 2.10.23 lets a low-privileged user abuse the Excel/datasource upload workflow to run arbitrary Java. By uploading a crafted payload.zip via /datasource/upload and defining an H2 datasource that references the archive through the zip: protocol, an attacker forces CalciteProvider.jdbcFetchResultField to execute a query that triggers precompiled Java aliases embedded in test.mv.db. The vendor CVSS 4.0 vector scores this 7.1 (confidentiality-only), but the underlying primitive is full arbitrary code execution; no public exploit identified at time of analysis and it is not listed in CISA KEV.

File Upload Java RCE +1
NVD GitHub
CVSS 5.3
MEDIUM PATCH This Month

Remote code execution in the Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 is achievable by authenticated API users holding the api.media.write permission via a double-extension file upload bypass. The HandlesMediaUploads::validateFileExtension() method uses PHP's pathinfo() to inspect only the final file extension, meaning a file named shell.php.jpg passes the dangerous-extension blocklist while retaining a .php segment that certain web server configurations will execute as PHP. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique is well-understood and exploitation is low-complexity once permission prerequisites are met.

File Upload PHP RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Unauthenticated file upload to the WordPress Media Library is possible in Kali Forms - Contact Form & Drag-and-Drop Builder versions before 2.4.17, because the plugin's upload handler accepts file submissions without verifying that a corresponding form with a file-upload field actually exists on the site. Any unauthenticated remote attacker can directly invoke the upload endpoint and deposit files into the Media Library. Impact is bounded by WordPress's core MIME type allowlist, which prevents upload of executable files and thereby rules out code execution; a publicly available proof-of-concept is confirmed by WPScan, and no CISA KEV listing is present at time of analysis.

File Upload RCE WordPress +1
NVD WPScan VulDB
EPSS 28% CVSS 9.6
CRITICAL Act Now

Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file upload (CWE-434) that runs in the context of the current user, letting an attacker inject malicious scripts and hijack a victim's account or session. Exploitation is network-reachable and marked unauthenticated by the CVSS vector but requires the victim to visit a crafted URL or interact with a compromised page, and the scope is changed (impact extends beyond the vulnerable component). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; Adobe rates it CVSS 9.6 critical.

File Upload RCE Adobe +4
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unrestricted file upload in code-projects Online Job Portal 1.0 exposes unauthenticated remote attackers to arbitrary file upload via the txtFile parameter in /JobSeekerInsert.php, enabling likely webshell deployment and subsequent server-side code execution. A public proof-of-concept exploit exists (no KEV listing), substantially lowering the exploitation barrier for any internet-exposed instance. The CVSS 4.0 impact metrics are conservatively rated Low across C/I/A, which understates the realistic post-exploitation potential of an unrestricted PHP file upload - successful webshell placement typically yields full OS command execution in the web server process context.

PHP File Upload Online Job Portal
NVD VulDB GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by installing a plugin ZIP that contains a webshell. Because 'php' is explicitly whitelisted in ALLOWED_EXTENSIONS and the DENIED_EXTENSIONS denylist fails to catch standard .php files, any PHP file inside the archive is extracted directly under the web root and becomes immediately executable over HTTP without the plugin ever being enabled. The /plugins/install-url route additionally allows the archive to be sourced from any attacker-controlled HTTPS URL, validated only against an attacker-supplied SHA-256 hash. No public exploit identified at time of analysis and it is not on CISA KEV.

PHP File Upload RCE +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

PDF save functionality in Firefox for iOS allows maliciously crafted page titles to manipulate the output file path, enabling overwrites of existing PDF files or bundled application content within the Firefox iOS sandbox. All versions prior to 152.4 on Apple iOS devices are affected. An attacker operating a malicious website can lure a user into saving a page as PDF, causing the crafted title to resolve to an unintended file path within the app sandbox - potentially corrupting application state or stored documents. No public exploit has been identified at time of analysis, though SSVC classifies the vulnerability as automatable with partial technical impact.

Apple File Upload Mozilla +1
NVD VulDB
EPSS 1% CVSS 7.7
HIGH PATCH This Week

Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

PHP Nginx RCE +3
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL Act Now

Arbitrary file upload in CodeRevolution's Aimogen Pro WordPress plugin (versions up to and including 2.8.3) lets attackers upload files of dangerous types, typically enabling deployment of a PHP web shell and full remote code execution on the host. The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) rates it 10.0 critical, reflecting network-reachable, low-complexity, unauthenticated exploitation with a scope change. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

File Upload Aimogen Pro
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Arbitrary file upload in the WoowBot Pro Max WordPress plugin (quantumcloud) through version 14.1.7 allows an authenticated attacker to upload files of dangerous types, leading to remote code execution on the underlying WordPress host. The scope-change CVSS 9.9 reflects that a low-privileged account can pivot to full server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Patchstack has confirmed and cataloged the flaw.

File Upload Woowbot Pro Max
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy