Skip to main content

File Upload

4031 CVEs technique

Monthly

CVE-2025-46490 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in wordwebsoftware Crossword Compiler Puzzles allows Upload a Web Shell to a Web Server.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2025-31916 CRITICAL Act Now

Unrestricted file upload in JP Students Result Management System Premium WordPress plugin versions 1.1.7 and later enables remote unauthenticated attackers to upload and execute malicious web shells, achieving complete server compromise with high complexity exploitation requirements. Reported by Patchstack security researchers, this vulnerability carries a 0.31% EPSS exploitation probability (54th percentile), indicating moderate but not negligible real-world risk. No active exploitation confirmed in CISA KEV at time of analysis, though the cross-scope impact (S:C in CVSS vector) suggests potential for lateral movement beyond the WordPress application itself.

File Upload
NVD
CVSS 3.1
9.0
EPSS
0.3%
CVE-2025-30173 MEDIUM This Month

File upload vulnerabilities are present in ASPECT if session administrator credentials become compromised08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 4.0
6.0
EPSS
0.3%
CVE-2025-30169 MEDIUM This Month

File upload and execute vulnerabilities in ASPECT allow PHP script injection if session administrator credentials become compromised.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload
NVD
CVSS 4.0
6.0
EPSS
0.3%
CVE-2025-3444 MEDIUM This Month

Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Manageengine Servicedesk Plus Msp Manageengine Supportcenter Plus
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2024-9544 MEDIUM This Month

The MapSVG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 8.6.4 due to insufficient input sanitization and output. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS File Upload
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-5059 MEDIUM POC This Month

A vulnerability classified as critical has been found in Campcodes Online Shopping Portal 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload Online Shopping Portal
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2025-39402 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS allows Upload a Web Shell to a Web Server.0 (17-08-2023). Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2025-39401 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS allows Upload a Web Shell to a Web Server.0 (17-08-2023). Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.5%
CVE-2025-39380 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System allows Upload a Web Shell to a Web Server.0(20-11-2023). Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2025-47577 CRITICAL POC Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Upload a Web Shell to a Web Server.10.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress File Upload
NVD
CVSS 3.1
10.0
EPSS
0.7%
CVE-2025-26892 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Celestial Aura allows Using Malicious Files.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2025-26872 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Eximius allows Using Malicious Files.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2025-4926 MEDIUM POC This Month

A vulnerability was found in PHPGurukul Car Rental Project 1.0 and classified as critical. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload Car Rental Portal
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2025-4923 MEDIUM POC This Week

A vulnerability, which was classified as critical, has been found in SourceCodester Client Database Management System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload Client Database Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2025-4893 MEDIUM POC This Month

A vulnerability classified as critical has been found in jammy928 CoinExchange_CryptoExchange_Java up to 8adf508b996020d3efbeeb2473d7235bd01436fa. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal File Upload Java
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-4868 MEDIUM POC This Month

A vulnerability was found in merikbest ecommerce-spring-reactjs up to 464e610bb11cc2619cf6ce8212ccc2d1fd4277fd. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal File Upload Java
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-4391 CRITICAL Act Now

The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload PHP
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2025-4389 CRITICAL Act Now

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload PHP
NVD
CVSS 3.1
9.8
EPSS
2.6%
CVE-2025-4768 MEDIUM This Month

A vulnerability classified as critical has been found in feng_ha_ha/megagao ssm-erp and production_ssm 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-4735 MEDIUM POC This Month

A vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload Sales And Inventory System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2025-47929 LOW Monitor

DumbDrop, a file upload application that provides an interface for dragging and dropping files, has a DOM cross-site scripting vulnerability in the upload functionality prior to commit. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS File Upload
NVD GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2025-47787 HIGH POC PATCH This Week

Emlog is an open source website building system. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP RCE File Upload Emlog
NVD GitHub
CVSS 4.0
8.9
EPSS
1.8%
CVE-2025-3917 CRITICAL Act Now

The 百度站长SEO合集(支持百度/神马/Bing/头条推送) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download_remote_image_to_media_library function in all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2025-4648 HIGH This Month

The content of a SVG file, received as input in Centreon web, was not properly checked. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS File Upload Centreon Web
NVD GitHub
CVSS 3.1
8.4
EPSS
0.3%
CVE-2024-51446 MEDIUM This Month

A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS File Upload Polarion Alm
NVD
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-4317 HIGH This Week

The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and including, 5.10.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE File Upload PHP
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2024-55466 MEDIUM POC This Month

An arbitrary file upload vulnerability in the Image Gallery of ThingsBoard Community, ThingsBoard Cloud and ThingsBoard Professional v3.8.1 allows attackers to execute arbitrary code via uploading a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection RCE File Upload Thingsboard
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2025-26841 MEDIUM This Month

Cross Site Scripting vulnerability in WPEVEREST Everest Forms before 3.0.9 allows an attacker to execute arbitrary code via a file upload. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS File Upload Everest Forms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-4561 HIGH This Month

The KFOX from KingFor has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privilege to upload and execute web shell backdoors, thereby enabling arbitrary code execution. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload
NVD
CVSS 4.0
8.7
EPSS
1.2%
CVE-2025-4556 CRITICAL Act Now

The web management interface of Okcat Parking Management Platform from ZONG YU has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload
NVD
CVSS 4.0
9.3
EPSS
2.6%
CVE-2025-4538 MEDIUM This Month

A vulnerability was found in kkFileView 4.4.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Kkfileview
NVD VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2025-46191 CRITICAL Act Now

Arbitrary File Upload in user_payment_update.php in SourceCodester Client Database Management System 1.0 allows unauthenticated users to upload arbitrary files via the uploaded_file_cancelled field. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE PHP Code Injection File Upload Client Database Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-46193 CRITICAL This Week

SourceCodester Client Database Management System 1.0 is vulnerable to Remote code execution via Arbitrary file upload in user_proposal_update_order.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP RCE File Upload Client Database Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
3.6%
CVE-2025-4403 CRITICAL Act Now

The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.1.6 due to accepting a user‐supplied. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload PHP
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2025-4468 MEDIUM POC This Month

A vulnerability was found in SourceCodester Online Student Clearance System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload Online Student Clearance System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2025-3455 HIGH This Week

The 1 Click WordPress Migration Plugin - 100% FREE for a limited time plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'start_restore'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE File Upload
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2024-11617 CRITICAL Act Now

The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'zetra_languageUpload' and 'zetra_fontsUpload' functions in all versions up. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2023-31585 CRITICAL Act Now

Grocery-CMS-PHP-Restful-API v1.3 is vulnerable to File Upload via /admin/add-category.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP File Upload
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-20188 CRITICAL POC CERT-EU Act Now

A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Cisco Apple Authentication Bypass File Upload Path Traversal +1
NVD
CVSS 3.1
10.0
EPSS
3.9%
CVE-2025-47550 MEDIUM POC This Month

Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Instantio allows Upload a Web Shell to a Web Server.3.16. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload
NVD GitHub
CVSS 3.1
6.6
EPSS
0.4%
CVE-2025-47549 CRITICAL POC Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Themefic BEAF allows Upload a Web Shell to a Web Server.6.10. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2025-0984 HIGH This Week

Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netoloji Software E-Flow allows Accessing. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS File Upload
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-40625 CRITICAL Act Now

Unrestricted file upload in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Gim
NVD
CVSS 4.0
9.3
EPSS
2.3%
CVE-2025-4333 MEDIUM This Month

A vulnerability was found in feng_ha_ha/megagao ssm-erp and production_ssm up to 0.0.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Java
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-4310 MEDIUM POC This Month

A vulnerability classified as critical has been found in itsourcecode Content Management System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload Content Management System
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2025-4305 MEDIUM This Month

A vulnerability has been found in kefaming mayi up to 1.3.9 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-4291 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in IdeaCMS up to 1.6. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass File Upload Ideacms
NVD VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2025-4279 HIGH This Week

The External image replace plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'external_image_replace_get_posts::replace_post' function in all. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE File Upload PHP
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-51991 PHP LOW PATCH Monitor

October is a Content Management System (CMS) and web platform. Rated low severity (CVSS 1.1), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload October
NVD GitHub
CVSS 4.0
1.1
EPSS
0.3%
CVE-2025-28168 MEDIUM This Month

The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Multiple File Upload
NVD GitHub
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-4259 MEDIUM POC This Month

A vulnerability has been found in newbee-mall 1.0 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass File Upload Newbee Mall
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2025-4258 MEDIUM This Month

A vulnerability, which was classified as critical, was found in zhangyanbo2007 youkefu up to 4.2.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Youkefu
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2024-13418 HIGH This Week

Multiple plugins and/or themes for WordPress are vulnerable to Arbitrary File Uploads due to a missing capability check on the ajaxUploadFonts() function in various versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE File Upload April Auteur +2
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2025-4178 MEDIUM POC This Month

A vulnerability was found in xiaowei1118 java_server up to 11a5bac8f4ba1c17e4bc1b27cad6d24868500e3a on Windows and classified as critical.java of the component File Upload API. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Path Traversal File Upload Java Java Server +1
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-25016 MEDIUM PATCH This Month

Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Elastic File Upload Kibana
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-11390 MEDIUM PATCH This Month

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

XSS Elastic File Upload Kibana
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2022-42449 MEDIUM This Month

Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Domino Leap
NVD
CVSS 3.1
4.6
EPSS
0.3%
CVE-2022-27562 MEDIUM This Month

Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Domino Leap
NVD
CVSS 3.1
4.6
EPSS
0.3%
CVE-2025-0520 PHP CRITICAL PATCH Act Now

An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to remote code execution.8.7. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload
NVD GitHub
CVSS 4.0
9.4
EPSS
2.0%
CVE-2025-46349 PHP HIGH POC PATCH This Week

YesWiki is a wiki system written in PHP. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS File Upload Yeswiki
NVD GitHub
CVSS 3.1
7.6
EPSS
0.4%
CVE-2025-4006 MEDIUM This Month

A vulnerability classified as critical has been found in youyiio BeyongCms 1.6.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload
NVD VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2025-3969 MEDIUM POC This Month

A vulnerability was found in codeprojects News Publishing Site Dashboard 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload News Publishing Site Dashboard
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2024-53636 MEDIUM POC This Month

An arbitrary file upload vulnerability via writefile.php of Serosoft Academia Student Information System (SIS) EagleR-1.0.118 allows attackers to execute arbitrary code via ../ in the filePath. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE File Upload Student Information System
NVD GitHub
CVSS 3.1
6.4
EPSS
2.9%
CVE-2025-3914 HIGH PATCH This Week

The Aeropage Sync for Airtable plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aeropage_media_downloader' function in all versions up to, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress RCE File Upload Aeropage Sync For Airtable PHP
NVD
CVSS 3.1
8.8
EPSS
3.1%
CVE-2025-46616 CRITICAL Act Now

Quantum StorNext Web GUI API before 7.2.4 allows potential Arbitrary Remote Code Execution (RCE) via upload of a file. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload
NVD
CVSS 3.1
9.9
EPSS
1.6%
CVE-2022-44760 MEDIUM This Month

Unsafe default file type filter policy in HCL Leap allows execution of unsafe JavaScript in deployed applications. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Hcl Leap
NVD
CVSS 3.1
4.6
EPSS
0.3%
CVE-2025-31324 CRITICAL POC KEV THREAT Emergency

SAP NetWeaver Visual Composer Metadata Uploader lacks proper authorization, allowing unauthenticated agents to upload malicious executable binaries for critical system compromise (CVSS 10.0).

SAP File Upload Netweaver
NVD
CVSS 3.1
10.0
EPSS
32.2%
Threat
6.0
CVE-2025-46264 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Angelo Mandato PowerPress Podcasting allows Upload a Web Shell to a Web Server.12.5. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2025-43946 CRITICAL POC Act Now

TCPWave DDI 11.34P1C2 allows Remote Code Execution via Unrestricted File Upload (combined with Path Traversal). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal File Upload Ddi
NVD GitHub
CVSS 3.1
9.8
EPSS
5.6%
CVE-2023-43958 CRITICAL POC Act Now

An arbitrary file upload vulnerability in the component /jquery-file-upload/server/php/index.php of Hospital Management System v4.0 allows an unauthenticated attacker to upload any file to the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection File Upload Hospital Management System
NVD
CVSS 3.1
9.8
EPSS
3.8%
CVE-2025-3518 MEDIUM This Month

It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Spark
NVD
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-3616 HIGH PATCH This Week

The Greenshift - animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gspb_make_proxy_api_request() function in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress RCE File Upload Greenshift Animation And Page Builder Blocks PHP
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2025-29287 Maven CRITICAL POC PATCH Act Now

An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Mcms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2025-3830 MEDIUM POC This Month

A vulnerability was found in kuangstudy KuangSimpleBBS 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass File Upload Java Kuangsimplebbs
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2025-3807 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in zhenfeng13 My-BBS 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass File Upload Java My Bbs
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2025-3798 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in WCMS 11.php of the component Advertisement Image Handler. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload Wcms
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.4%
CVE-2021-4455 CRITICAL POC Act Now

The Wordpress Plugin Smart Product Review plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.0.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress RCE File Upload
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
2.1%
CVE-2025-1093 CRITICAL Act Now

The AIHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the generate_image function in all versions up to, and including, 1.3.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload PHP
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2025-3783 MEDIUM POC This Month

A vulnerability classified as critical was found in SourceCodester Web-based Pharmacy Product Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2025-3765 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in SourceCodester Web-based Pharmacy Product Management System 1.0.php. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload Web Based Pharmacy Product Management System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2025-3764 MEDIUM POC This Month

A vulnerability classified as critical was found in SourceCodester Web-based Pharmacy Product Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload Web Based Pharmacy Product Management System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2025-39436 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in aidraw I Draw allows Using Malicious Files.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-32682 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG Lite allows Upload a Web Shell to a Web Server.5.34. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2025-32660 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in JoomSky JS Job Manager allows Upload a Web Shell to a Web Server.0.2. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2025-32652 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in solacewp Solace Extra allows Using Malicious Files.3.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2025-27282 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in rockgod100 Theme File Duplicator allows Using Malicious Files.3. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2025-31339 MEDIUM This Month

An unrestricted upload of file with dangerous type vulnerability in the course management function of Wisdom Master Pro versions 5.0 through 5.2 allows remote authenticated users to craft a malicious. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 4.0
5.3
EPSS
0.8%
CVE-2025-29709 CRITICAL POC Act Now

SourceCodester Company Website CMS 1.0 has a File upload vulnerability via the "Create portfolio" file /dashboard/portfolio. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Company Website Cms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-29708 CRITICAL POC Act Now

SourceCodester Company Website CMS 1.0 contains a file upload vulnerability via the "Create Services" file /dashboard/Services. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Company Website Cms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
EPSS 0% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in wordwebsoftware Crossword Compiler Puzzles allows Upload a Web Shell to a Web Server.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 0% CVSS 9.0
CRITICAL Act Now

Unrestricted file upload in JP Students Result Management System Premium WordPress plugin versions 1.1.7 and later enables remote unauthenticated attackers to upload and execute malicious web shells, achieving complete server compromise with high complexity exploitation requirements. Reported by Patchstack security researchers, this vulnerability carries a 0.31% EPSS exploitation probability (54th percentile), indicating moderate but not negligible real-world risk. No active exploitation confirmed in CISA KEV at time of analysis, though the cross-scope impact (S:C in CVSS vector) suggests potential for lateral movement beyond the WordPress application itself.

File Upload
NVD
EPSS 0% CVSS 6.0
MEDIUM This Month

File upload vulnerabilities are present in ASPECT if session administrator credentials become compromised08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 0% CVSS 6.0
MEDIUM This Month

File upload and execute vulnerabilities in ASPECT allow PHP script injection if session administrator credentials become compromised.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Manageengine Servicedesk Plus Msp Manageengine Supportcenter Plus
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The MapSVG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 8.6.4 due to insufficient input sanitization and output. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS File Upload
NVD
EPSS 0% CVSS 5.1
MEDIUM POC This Month

A vulnerability classified as critical has been found in Campcodes Online Shopping Portal 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload +1
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS allows Upload a Web Shell to a Web Server.0 (17-08-2023). Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS allows Upload a Web Shell to a Web Server.0 (17-08-2023). Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System allows Upload a Web Shell to a Web Server.0(20-11-2023). Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL POC Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Upload a Web Shell to a Web Server.10.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress File Upload
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Celestial Aura allows Using Malicious Files.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Eximius allows Using Malicious Files.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 0% CVSS 5.1
MEDIUM POC This Month

A vulnerability was found in PHPGurukul Car Rental Project 1.0 and classified as critical. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability, which was classified as critical, has been found in SourceCodester Client Database Management System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability classified as critical has been found in jammy928 CoinExchange_CryptoExchange_Java up to 8adf508b996020d3efbeeb2473d7235bd01436fa. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal File Upload Java
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in merikbest ecommerce-spring-reactjs up to 464e610bb11cc2619cf6ce8212ccc2d1fd4277fd. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal File Upload Java
NVD GitHub VulDB
EPSS 2% CVSS 9.8
CRITICAL Act Now

The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload +1
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability classified as critical has been found in feng_ha_ha/megagao ssm-erp and production_ssm 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload +1
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

DumbDrop, a file upload application that provides an interface for dragging and dropping files, has a DOM cross-site scripting vulnerability in the upload functionality prior to commit. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS File Upload
NVD GitHub
EPSS 2% CVSS 8.9
HIGH POC PATCH This Week

Emlog is an open source website building system. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP RCE File Upload +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

The 百度站长SEO合集(支持百度/神马/Bing/头条推送) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download_remote_image_to_media_library function in all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload
NVD
EPSS 0% CVSS 8.4
HIGH This Month

The content of a SVG file, received as input in Centreon web, was not properly checked. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS File Upload Centreon Web
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS File Upload Polarion Alm
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and including, 5.10.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE File Upload +1
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

An arbitrary file upload vulnerability in the Image Gallery of ThingsBoard Community, ThingsBoard Cloud and ThingsBoard Professional v3.8.1 allows attackers to execute arbitrary code via uploading a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection RCE File Upload +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross Site Scripting vulnerability in WPEVEREST Everest Forms before 3.0.9 allows an attacker to execute arbitrary code via a file upload. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS File Upload +1
NVD GitHub
EPSS 1% CVSS 8.7
HIGH This Month

The KFOX from KingFor has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privilege to upload and execute web shell backdoors, thereby enabling arbitrary code execution. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload
NVD
EPSS 3% CVSS 9.3
CRITICAL Act Now

The web management interface of Okcat Parking Management Platform from ZONG YU has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability was found in kkFileView 4.4.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Kkfileview
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Arbitrary File Upload in user_payment_update.php in SourceCodester Client Database Management System 1.0 allows unauthenticated users to upload arbitrary files via the uploaded_file_cancelled field. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE PHP Code Injection +2
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL This Week

SourceCodester Client Database Management System 1.0 is vulnerable to Remote code execution via Arbitrary file upload in user_proposal_update_order.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP RCE File Upload +1
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL Act Now

The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.1.6 due to accepting a user‐supplied. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload +1
NVD
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in SourceCodester Online Student Clearance System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload +1
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH This Week

The 1 Click WordPress Migration Plugin - 100% FREE for a limited time plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'start_restore'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE File Upload
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'zetra_languageUpload' and 'zetra_fontsUpload' functions in all versions up. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Grocery-CMS-PHP-Restful-API v1.3 is vulnerable to File Upload via /admin/add-category.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP File Upload
NVD GitHub
EPSS 4% CVSS 10.0
CRITICAL POC Act Now

A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Cisco Apple Authentication Bypass +3
NVD
EPSS 0% CVSS 6.6
MEDIUM POC This Month

Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Instantio allows Upload a Web Shell to a Web Server.3.16. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Themefic BEAF allows Upload a Web Shell to a Web Server.6.10. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netoloji Software E-Flow allows Accessing. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS File Upload
NVD VulDB
EPSS 2% CVSS 9.3
CRITICAL Act Now

Unrestricted file upload in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Gim
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability was found in feng_ha_ha/megagao ssm-erp and production_ssm up to 0.0.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Java
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

A vulnerability classified as critical has been found in itsourcecode Content Management System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability has been found in kefaming mayi up to 1.3.9 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in IdeaCMS up to 1.6. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass File Upload Ideacms
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

The External image replace plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'external_image_replace_get_posts::replace_post' function in all. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE File Upload +1
NVD
EPSS 0% CVSS 1.1
LOW PATCH Monitor

October is a Content Management System (CMS) and web platform. Rated low severity (CVSS 1.1), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload October
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Multiple File Upload
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability has been found in newbee-mall 1.0 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass File Upload Newbee Mall
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability, which was classified as critical, was found in zhangyanbo2007 youkefu up to 4.2.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Youkefu
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Multiple plugins and/or themes for WordPress are vulnerable to Arbitrary File Uploads due to a missing capability check on the ajaxUploadFonts() function in various versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE File Upload +4
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in xiaowei1118 java_server up to 11a5bac8f4ba1c17e4bc1b27cad6d24868500e3a on Windows and classified as critical.java of the component File Upload API. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Path Traversal File Upload +3
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Elastic File Upload Kibana
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

XSS Elastic File Upload +1
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Domino Leap
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Domino Leap
NVD
EPSS 2% CVSS 9.4
CRITICAL PATCH Act Now

An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to remote code execution.8.7. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload
NVD GitHub
EPSS 0% CVSS 7.6
HIGH POC PATCH This Week

YesWiki is a wiki system written in PHP. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS File Upload Yeswiki
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

A vulnerability classified as critical has been found in youyiio BeyongCms 1.6.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in codeprojects News Publishing Site Dashboard 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload +1
NVD GitHub VulDB
EPSS 3% CVSS 6.4
MEDIUM POC This Month

An arbitrary file upload vulnerability via writefile.php of Serosoft Academia Student Information System (SIS) EagleR-1.0.118 allows attackers to execute arbitrary code via ../ in the filePath. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE File Upload +1
NVD GitHub
EPSS 3% CVSS 8.8
HIGH PATCH This Week

The Aeropage Sync for Airtable plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aeropage_media_downloader' function in all versions up to, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress RCE File Upload +2
NVD
EPSS 2% CVSS 9.9
CRITICAL Act Now

Quantum StorNext Web GUI API before 7.2.4 allows potential Arbitrary Remote Code Execution (RCE) via upload of a file. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

Unsafe default file type filter policy in HCL Leap allows execution of unsafe JavaScript in deployed applications. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Hcl Leap
NVD
EPSS 32% 6.0 CVSS 10.0
CRITICAL POC KEV THREAT Emergency

SAP NetWeaver Visual Composer Metadata Uploader lacks proper authorization, allowing unauthenticated agents to upload malicious executable binaries for critical system compromise (CVSS 10.0).

SAP File Upload Netweaver
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Angelo Mandato PowerPress Podcasting allows Upload a Web Shell to a Web Server.12.5. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 6% CVSS 9.8
CRITICAL POC Act Now

TCPWave DDI 11.34P1C2 allows Remote Code Execution via Unrestricted File Upload (combined with Path Traversal). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal File Upload +1
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL POC Act Now

An arbitrary file upload vulnerability in the component /jquery-file-upload/server/php/index.php of Hospital Management System v4.0 allows an unauthenticated attacker to upload any file to the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection +2
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Spark
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The Greenshift - animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gspb_make_proxy_api_request() function in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress RCE File Upload +2
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Mcms
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in kuangstudy KuangSimpleBBS 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass File Upload Java +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in zhenfeng13 My-BBS 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass File Upload Java +1
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in WCMS 11.php of the component Advertisement Image Handler. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload +1
NVD GitHub VulDB
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

The Wordpress Plugin Smart Product Review plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.0.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress RCE File Upload
NVD Exploit-DB
EPSS 2% CVSS 9.8
CRITICAL Act Now

The AIHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the generate_image function in all versions up to, and including, 1.3.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload +1
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability classified as critical was found in SourceCodester Web-based Pharmacy Product Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in SourceCodester Web-based Pharmacy Product Management System 1.0.php. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability classified as critical was found in SourceCodester Web-based Pharmacy Product Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload +1
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in aidraw I Draw allows Using Malicious Files.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG Lite allows Upload a Web Shell to a Web Server.5.34. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in JoomSky JS Job Manager allows Upload a Web Shell to a Web Server.0.2. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in solacewp Solace Extra allows Using Malicious Files.3.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in rockgod100 Theme File Duplicator allows Using Malicious Files.3. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

An unrestricted upload of file with dangerous type vulnerability in the course management function of Wisdom Master Pro versions 5.0 through 5.2 allows remote authenticated users to craft a malicious. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

SourceCodester Company Website CMS 1.0 has a File upload vulnerability via the "Create portfolio" file /dashboard/portfolio. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Company Website Cms
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

SourceCodester Company Website CMS 1.0 contains a file upload vulnerability via the "Create Services" file /dashboard/Services. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Company Website Cms
NVD GitHub
Prev Page 12 of 45 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy