File Upload
Monthly
Unauthenticated administrators in WWBN AVideo versions before 24.0 can achieve remote code execution by uploading malicious ZIP files through the plugin upload functionality, which extracts files without proper validation into web-accessible directories. This allows attackers to execute arbitrary PHP code on the server with high impact to confidentiality, integrity, and availability. No patch is currently available for affected PHP installations using vulnerable AVideo versions.
RCE in Microsoft Devices Pricing Program.
Unauthenticated RCE via file upload in industrial/enterprise application.
WP Chill Filr filr-protection is affected by unrestricted upload of file with dangerous type (CVSS 8.1).
Unrestricted file upload in Charety (charety) WordPress theme allows uploading web shells for remote code execution.
Arbitrary file upload in AI Engine WordPress plugin.
Unrestricted file upload in Nutrie (nutrie) WordPress theme allows uploading web shells for remote code execution.
Unrestricted file upload in Keenarch (keenarch) WordPress theme allows uploading web shells for remote code execution.
Tranzman versions up to 4.0 are affected by insufficient verification of data authenticity (CVSS 7.2).
Impact versions up to 19.11.2.10-20210118042150283 are affected by unrestricted upload of file with dangerous type (CVSS 8.0).
Kiteworks versions prior to 9.2.0 lack proper file validation in their configuration upload functionality, allowing authenticated administrators to upload arbitrary files to the system. An attacker with administrative privileges could exploit this to introduce malicious or unauthorized file types, potentially compromising system integrity. A patch is available in version 9.2.0 and later.
Stored cross-site scripting (XSS) in Vikunja prior to version 2.0.0 allows authenticated attackers to steal authentication tokens by uploading malicious SVG files containing JavaScript that executes when accessed directly. The vulnerability exists because the application fails to sanitize SVG content before storage and renders it inline under the application origin, enabling token theft from localStorage. Public exploit code exists for this vulnerability and no patch is currently available for affected versions.
Arbitrary file upload via subtitle loading in asbplayer v1.13.0 allows execution of malicious files through crafted subtitle files.
Unrestricted file uploads in Sz Boot Parent versions up to 1.3.2-beta allow authenticated remote attackers to upload malicious files via the /api/admin/sys-file/upload API endpoint. Public exploit code exists for this vulnerability, which has been patched in version 1.3.3-beta through the addition of file extension and MIME type whitelisting controls. Immediate upgrade to the patched version is strongly recommended.
Remote code execution in Dell Wyse Management Suite versions before 5.5 via unrestricted file upload allows high-privileged attackers with network access to execute arbitrary commands on affected systems. The vulnerability stems from insufficient validation of uploaded file types, enabling attackers to bypass security controls and gain code execution. A patch is available for affected organizations to remediate this risk.
Smart Heating Integrated Management Platform versions up to 1.0.0 are affected by improper access control (CVSS 7.3).
Traccar versions 6.11.1 and later allow authenticated users to inject malicious JavaScript into other users' browsers by uploading unsanitized SVG files as device images, exploiting improper Content-Type handling. Public exploit code exists for this reflected cross-site scripting vulnerability, which could enable session hijacking or credential theft with no patch currently available.
FastApiAdmin up to 2.2.0 contains an unrestricted file upload vulnerability in the user avatar upload endpoint that allows authenticated remote attackers to upload arbitrary files. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials could leverage this to compromise system integrity and potentially execute malicious code.
Unrestricted file upload in FastApiAdmin up to version 2.2.0 allows authenticated remote attackers to upload arbitrary files through the Scheduled Task API endpoint. Public exploit code exists for this vulnerability, enabling potential remote code execution or system compromise. Affected organizations should immediately upgrade beyond version 2.2.0 or implement access controls on the upload functionality until a patch is released.
FastApiAdmin versions up to 2.2.0 contain an unrestricted file upload vulnerability in the Scheduled Task API's upload controller that allows authenticated attackers to upload arbitrary files remotely. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials could leverage this to achieve unauthorized file write access and potentially further compromise the application.
Unrestricted file upload in Bravis Addons (bravis-addons) WordPress theme allows uploading web shells for remote code execution.
Electronic Archives System versions up to 3.2.210802 are affected by improper access control (CVSS 7.3).
Unrestricted file upload in mingSoft MCMS 6.1.1's template archive handler allows authenticated attackers with high privileges to upload arbitrary files via manipulation of the File parameter in /ms/file/uploadTemplate.do. Public exploit code exists for this vulnerability and no patch is currently available. The attack requires network access and high-level authentication but could lead to remote code execution or system compromise.
ipTIME A6004MX router has an access control vulnerability in VPN client configuration enabling unauthorized network access.
Arbitrary file upload in midi-Synth WordPress plugin via 'export' AJAX action.
Unrestricted file upload in Airleader Master versions 6.381 and prior. Multiple webpages allow unauthenticated file upload with maximum privileges.
Unrestricted file upload in NTN software enables web shell upload and RCE.
Cipace versions up to 9.17 are affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Agentflow versions up to - are affected by unrestricted upload of file with dangerous type (CVSS 8.8).
my little forum PHP forum software has an unrestricted file upload allowing authenticated users to upload dangerous file types.
Birtech Information Technologies Industry and Trade Ltd. Co. Sensaway is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Unrestricted file upload in Yshopmall up to version 1.9.1 allows authenticated attackers to upload arbitrary files via manipulation of the updateAvatar function in the FileUtil component. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vendor has not yet released a patch despite early notification.
HedgeDoc prior to version 1.10.6 allows attackers to bypass content security policies on files served from the /uploads/ endpoint, enabling them to host malicious interactive content such as fake login forms via SVG files. This network-based attack requires user interaction but can lead to credential theft or social engineering attacks. A patch is available in version 1.10.6.
WP Duplicate WordPress plugin has a missing authorization vulnerability leading to arbitrary file deletion that can destroy the WordPress installation.
Jizhicms versions up to 1.6.7 are affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Coto versions up to 11.4.0 are affected by unrestricted upload of file with dangerous type (CVSS 6.5).
Movable Type allows non-administrative users to upload arbitrary files that execute malicious scripts in an administrator's browser when accessed, enabling cross-site scripting attacks with medium impact on confidentiality, integrity, and availability. This vulnerability affects both current and end-of-life versions (7.x and 8.4 series) with no patch currently available. An attacker with basic user privileges can compromise administrator sessions through stored script execution.
Open Eclass Platform versions up to 4.2 are affected by unrestricted upload of file with dangerous type (CVSS 4.3).
MediaCrush through version 1.0.1 allows unauthenticated arbitrary file upload without file type restrictions, enabling web shell deployment and remote code execution.
Unauthenticated file upload leading to stored XSS and potential RCE in Samsung MagicInfo9 Server. HTML files uploaded without authentication.
The VPN service in EFM ipTIME A8004T firmware 14.18.2 contains an unrestricted file upload vulnerability in the commit_vpncli_file_upload function that allows authenticated remote attackers to upload arbitrary files. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. An attacker with high-level privileges could exploit this to upload malicious files and potentially compromise the device.
The file upload function of Interinfo DreamMaker versions up to 2025 is affected by unrestricted upload of file with dangerous type.
An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. [CVSS 5.4 MEDIUM]
Unrestricted file upload in PHPGurukul News Portal 1.0's profile picture handler allows remote attackers to upload arbitrary files with high-level privileges. Public exploit code exists for this vulnerability, and no patch is currently available. An authenticated attacker could potentially upload malicious files to compromise the application or underlying system.
Xpro Elementor Addons WordPress plugin has an unrestricted file upload allowing attackers to upload dangerous file types through the Elementor builder integration.
g-FFL Checkout WordPress plugin has an unrestricted file upload vulnerability allowing attackers to upload web shells for remote code execution.
Farost Energia WordPress plugin allows unrestricted file upload enabling attackers to upload web shells and achieve remote code execution on the WordPress server.
Solvera Software Services Trade Inc. Teknoera is affected by unrestricted upload of file with dangerous type (CVSS 8.1).
HAMASTAR MeetingHub has an arbitrary file upload vulnerability allowing unauthenticated remote attackers to upload web shells and achieve full server compromise.
Horilla is a free and open source Human Resource Management System (HRMS). [CVSS 4.3 MEDIUM]
Horilla versions up to 1.5.0 contain a vulnerability that allows attackers to deploy phishing attacks (CVSS 8.0).
Authenticated staff users in Saleor e-commerce platform versions 3.0.0 through 3.22.26 can upload malicious HTML and SVG files containing JavaScript that execute in users' browsers when served from the same domain as the dashboard, potentially allowing token theft. An attacker with staff privileges could craft script injections to compromise other staff members' sessions and access tokens. This vulnerability affects deployments where media files are hosted on the same domain as the dashboard and patches are available in versions 3.20.108, 3.21.43, and 3.22.27.
Remote code execution in BROWAN COMMUNICATIONS PrismX MX100 AP controller allows high-privileged remote attackers to upload arbitrary files and execute web shell backdoors without user interaction. This vulnerability affects administrators with elevated credentials and enables complete compromise of the affected access point. No patch is currently available to remediate this issue.
HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. [CVSS 3.1 LOW]
Aion versions up to 2.0 contain a vulnerability that allows malicious file uploads, potentially resulting in unauthorized code execution or system compromise (CVSS 2.7).
Mpay versions up to 1.2.4 contain an unrestricted file upload vulnerability in the QR Code Image Handler component via the codeimg parameter, allowing remote attackers with high privileges to upload arbitrary files. Public exploit code exists for this vulnerability, though no patch is currently available. The attack requires administrative credentials but carries moderate risk with potential impacts to confidentiality, integrity, and availability.
Omnispace Agora Project (before 25.10) allows RCE through crafted PDF upload that exploits the ImageMagick MSL engine via the thumbnail function.
Agora-Project versions up to 25.10 are affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. [CVSS 7.2 HIGH]
Pega Customer Service Framework versions 8.7.0 up to 25.1.0 are affected by unrestricted upload of file with dangerous type.
Hub v2.0 property management system allows unauthenticated arbitrary file upload via /utils/uploadFile. Malicious PDF files can be uploaded and may achieve code execution.
Director versions up to 25.2.0 are affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Operation And Maintenance Security Management System versions up to 3.0.8 are affected by improper access control (CVSS 7.3).
Corpkit WordPress theme (through 2.0) allows unauthenticated web shell upload via unrestricted file type upload.
Contentstudio WordPress plugin (through 1.3.7) allows unauthenticated web shell upload, enabling immediate server compromise.
A file upload vulnerability in ARIS 10.0.23.0.3587512 allows attackers to execute arbitrary code via uploading a crafted PDF file/malware. [CVSS 6.8 MEDIUM]
In Aris v10.0.23.0.3587512 and before, the file upload functionality does not enforce any rate limiting or throttling, allowing users to upload files at an unrestricted rate. [CVSS 6.5 MEDIUM]
Media File Renamer WordPress plugin (through 5.7.7) by Meow Apps allows administrators to upload files with dangerous types, achieving OS-level code execution with scope change. While admin access is required, the scope break makes this critical.
QOCA aim AI Medical Cloud Platform developed by Quanta Computer has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. [CVSS 8.8 HIGH]
A vulnerability has been found in xnx3 wangmarket up to 6.4. The impacted element is the function uploadImage of the file /sits/uploadImage.do of the component XML File Handler. [CVSS 4.7 MEDIUM]
CSRF vulnerability in WING WordPress Migrator plugin through version 1.2.0 permits unauthenticated attackers to upload web shells to affected WordPress sites by tricking site administrators into visiting a malicious webpage. The vulnerability exploits missing nonce verification in file upload functionality, enabling arbitrary code execution with web server privileges. No public exploit code or active exploitation confirmed at time of analysis.
Local file inclusion vulnerability in CodexThemes TheGem Theme Elements (for Elementor) WordPress plugin through version 5.10.5.1 allows attackers to read arbitrary files from the server via improper control of filename parameters in PHP include/require statements. The vulnerability carries a low EPSS score of 0.17% (38th percentile), indicating minimal real-world exploitation probability despite being a classic PHP file inclusion flaw affecting an Elementor page builder plugin.
Unauthenticated arbitrary file upload vulnerability in File Uploader for WooCommerce (WordPress plugin versions ≤1.0.3) enables remote code execution. Missing file type validation in the 'add-image-data' REST API endpoint allows attackers to upload malicious files to Uploadcare service and retrieve them to the web server, achieving code execution without authentication. Exploitation requires no user interaction or special privileges (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis.
Authenticated arbitrary file upload in Infility Global WordPress plugin versions ≤2.14.42 permits remote code execution. The upload_file function accepts spoofed MIME types without verifying file extensions, while import_data lacks capability checks, allowing subscriber-level users to upload malicious files (e.g., PHP webshells) to the server. CVSS:3.1 score 8.8 (High) reflects network-accessible, low-complexity exploitation requiring only low-privilege authentication. No public exploit identified at time of analysis. EPSS 0.35% indicates low observed exploitation activity.
A critical authentication bypass and path traversal vulnerability in PipesHub AI platform allows unauthenticated remote attackers to upload files with directory traversal sequences, enabling arbitrary file writes anywhere the service account has permissions. This vulnerability affects PipesHub versions prior to 0.1.0-beta and has a publicly available proof-of-concept exploit, making it an immediate priority for organizations using this enterprise search and workflow automation platform. With a CVSS score of 9.8 and the ability to plant malicious code or overwrite critical files, this represents a severe risk to affected systems.
A vulnerability was found in Yottamaster DM2, DM3 and DM200 up to 1.2.23/1.9.12. Affected by this issue is some unknown functionality of the component File Upload. Performing manipulation results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
A security vulnerability has been detected in ORICO CD3510 1.9.12. This affects an unknown function of the component File Upload. The manipulation leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_running.php. Executing a manipulation of the argument product_image can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.
A flaw has been found in Verysync 微力同步 up to 2.21.3. This impacts an unknown function of the file /rest/f/api/resources/f96956469e7be39d/tmp/text.txt?override=false of the component Web Administration Module. Executing manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A security flaw has been discovered in code-projects Employee Profile Management System 1.0. Impacted is an unknown function of the file /profiling/add_file_query.php. The manipulation of the argument per_file results in unrestricted upload. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation when detecting WXR files, allowing double-extension files to bypass sanitization while still being accepted as valid WXR files. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Flexsense DiskBoss 7.7.14 allows unauthenticated attackers to upload arbitrary files via /Command/Search Files/Directory field, leading to a denial of service by crashing the application.
zdh_web is a data collection, processing, monitoring, scheduling, and management platform. In zdh_web thru 5.6.17, insufficient validation of file upload paths in the application allows an authenticated user to write arbitrary files to the server file system, potentially overwriting existing files and leading to privilege escalation or remote code execution.
File upload vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store arbitrary files on the filesystem.
The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the cstu_update_post() function in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Unauthenticated administrators in WWBN AVideo versions before 24.0 can achieve remote code execution by uploading malicious ZIP files through the plugin upload functionality, which extracts files without proper validation into web-accessible directories. This allows attackers to execute arbitrary PHP code on the server with high impact to confidentiality, integrity, and availability. No patch is currently available for affected PHP installations using vulnerable AVideo versions.
RCE in Microsoft Devices Pricing Program.
Unauthenticated RCE via file upload in industrial/enterprise application.
WP Chill Filr filr-protection is affected by unrestricted upload of file with dangerous type (CVSS 8.1).
Unrestricted file upload in Charety (charety) WordPress theme allows uploading web shells for remote code execution.
Arbitrary file upload in AI Engine WordPress plugin.
Unrestricted file upload in Nutrie (nutrie) WordPress theme allows uploading web shells for remote code execution.
Unrestricted file upload in Keenarch (keenarch) WordPress theme allows uploading web shells for remote code execution.
Tranzman versions up to 4.0 is affected by insufficient verification of data authenticity (CVSS 7.2).
Impact versions up to 19.11.2.10-20210118042150283 is affected by unrestricted upload of file with dangerous type (CVSS 8.0).
Kiteworks versions prior to 9.2.0 lack proper file validation in their configuration upload functionality, allowing authenticated administrators to upload arbitrary files to the system. An attacker with administrative privileges could exploit this to introduce malicious or unauthorized file types, potentially compromising system integrity. A patch is available in version 9.2.0 and later.
Stored cross-site scripting (XSS) in Vikunja prior to version 2.0.0 allows authenticated attackers to steal authentication tokens by uploading malicious SVG files containing JavaScript that executes when accessed directly. The vulnerability exists because the application fails to sanitize SVG content before storage and renders it inline under the application origin, enabling token theft from localStorage. Public exploit code exists for this vulnerability and no patch is currently available for affected versions.
Arbitrary file upload via subtitle loading in asbplayer v1.13.0 allows execution of malicious files through crafted subtitle files.
Unrestricted file uploads in Sz Boot Parent versions up to 1.3.2-beta allow authenticated remote attackers to upload malicious files via the /api/admin/sys-file/upload API endpoint. Public exploit code exists for this vulnerability, which has been patched in version 1.3.3-beta through the addition of file extension and MIME type whitelisting controls. Immediate upgrade to the patched version is strongly recommended.
Remote code execution in Dell Wyse Management Suite versions before 5.5 via unrestricted file upload allows high-privileged attackers with network access to execute arbitrary commands on affected systems. The vulnerability stems from insufficient validation of uploaded file types, enabling attackers to bypass security controls and gain code execution. A patch is available for affected organizations to remediate this risk.
Smart Heating Integrated Management Platform versions up to 1.0.0 is affected by improper access control (CVSS 7.3).
Traccar versions 6.11.1 and later allow authenticated users to inject malicious JavaScript into other users' browsers by uploading unsanitized SVG files as device images, exploiting improper Content-Type handling. Public exploit code exists for this reflected cross-site scripting vulnerability, which could enable session hijacking or credential theft with no patch currently available.
FastApiAdmin up to 2.2.0 contains an unrestricted file upload vulnerability in the user avatar upload endpoint that allows authenticated remote attackers to upload arbitrary files. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials could leverage this to compromise system integrity and potentially execute malicious code.
Unrestricted file upload in FastApiAdmin up to version 2.2.0 allows authenticated remote attackers to upload arbitrary files through the Scheduled Task API endpoint. Public exploit code exists for this vulnerability, enabling potential remote code execution or system compromise. Affected organizations should immediately upgrade beyond version 2.2.0 or implement access controls on the upload functionality until a patch is released.
FastApiAdmin versions up to 2.2.0 contain an unrestricted file upload vulnerability in the Scheduled Task API's upload controller that allows authenticated attackers to upload arbitrary files remotely. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials could leverage this to achieve unauthorized file write access and potentially further compromise the application.
Unrestricted file upload in Bravis Addons (bravis-addons) WordPress theme allows uploading web shells for remote code execution.
Electronic Archives System versions up to 3.2.210802 is affected by improper access control (CVSS 7.3).
Unrestricted file upload in mingSoft MCMS 6.1.1's template archive handler allows authenticated attackers with high privileges to upload arbitrary files via manipulation of the File parameter in /ms/file/uploadTemplate.do. Public exploit code exists for this vulnerability and no patch is currently available. The attack requires network access and high-level authentication but could lead to remote code execution or system compromise.
ipTIME A6004MX router has an access control vulnerability in VPN client configuration enabling unauthorized network access.
Arbitrary file upload in midi-Synth WordPress plugin via 'export' AJAX action.
Unrestricted file upload in Airleader Master versions 6.381 and prior. Multiple webpages allow unauthenticated file upload with maximum privileges.
Unrestricted file upload in NTN software enables web shell upload and RCE.
Cipace versions up to 9.17. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Agentflow versions up to - is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
my little forum PHP forum software has an unrestricted file upload allowing authenticated users to upload dangerous file types.
Birtech Information Technologies Industry and Trade Ltd. Co. Sensaway is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Unrestricted file upload in Yshopmall up to version 1.9.1 allows authenticated attackers to upload arbitrary files via manipulation of the updateAvatar function in the FileUtil component. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vendor has not yet released a patch despite early notification.
HedgeDoc prior to version 1.10.6 allows attackers to bypass content security policies on files served from the /uploads/ endpoint, enabling them to host malicious interactive content such as fake login forms via SVG files. This network-based attack requires user interaction but can lead to credential theft or social engineering attacks. A patch is available in version 1.10.6.
WP Duplicate WordPress plugin has a missing authorization vulnerability leading to arbitrary file deletion that can destroy the WordPress installation.
Jizhicms versions up to 1.6.7 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Coto versions up to 11.4.0 is affected by unrestricted upload of file with dangerous type (CVSS 6.5).
Movable Type allows non-administrative users to upload arbitrary files that execute malicious scripts in an administrator's browser when accessed, enabling cross-site scripting attacks with medium impact on confidentiality, integrity, and availability. This vulnerability affects both current and end-of-life versions (7.x and 8.4 series) with no patch currently available. An attacker with basic user privileges can compromise administrator sessions through stored script execution.
Open Eclass Platform versions up to 4.2 is affected by unrestricted upload of file with dangerous type (CVSS 4.3).
MediaCrush through version 1.0.1 allows unauthenticated arbitrary file upload without file type restrictions, enabling web shell deployment and remote code execution.
Unauthenticated file upload leading to stored XSS and potential RCE in Samsung MagicInfo9 Server. HTML files uploaded without authentication.
The VPN service in EFM ipTIME A8004T firmware 14.18.2 contains an unrestricted file upload vulnerability in the commit_vpncli_file_upload function that allows authenticated remote attackers to upload arbitrary files. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. An attacker with high-level privileges could exploit this to upload malicious files and potentially compromise the device.
The file upload function of Interinfo DreamMaker versions up to 2025 is affected by unrestricted upload of file with dangerous type.
An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. [CVSS 5.4 MEDIUM]
Unrestricted file upload in PHPGurukul News Portal 1.0's profile picture handler allows remote attackers to upload arbitrary files with high-level privileges. Public exploit code exists for this vulnerability, and no patch is currently available. An authenticated attacker could potentially upload malicious files to compromise the application or underlying system.
Xpro Elementor Addons WordPress plugin has an unrestricted file upload allowing attackers to upload dangerous file types through the Elementor builder integration.
g-FFL Checkout WordPress plugin has an unrestricted file upload vulnerability allowing attackers to upload web shells for remote code execution.
Farost Energia WordPress plugin allows unrestricted file upload enabling attackers to upload web shells and achieve remote code execution on the WordPress server.
Solvera Software Services Trade Inc. Teknoera is affected by unrestricted upload of file with dangerous type (CVSS 8.1).
HAMASTAR MeetingHub has an arbitrary file upload vulnerability allowing unauthenticated remote attackers to upload web shells and achieve full server compromise.
Horilla is a free and open source Human Resource Management System (HRMS). [CVSS 4.3 MEDIUM]
Horilla versions up to 1.5.0 contain a vulnerability that allows attackers to deploy phishing attacks (CVSS 8.0).
Authenticated staff users in Saleor e-commerce platform versions 3.0.0 through 3.22.26 can upload malicious HTML and SVG files containing JavaScript that execute in users' browsers when served from the same domain as the dashboard, potentially allowing token theft. An attacker with staff privileges could craft script injections to compromise other staff members' sessions and access tokens. This vulnerability affects deployments where media files are hosted on the same domain as the dashboard and patches are available in versions 3.20.108, 3.21.43, and 3.22.27.
Remote code execution in BROWAN COMMUNICATIONS PrismX MX100 AP controller allows high-privileged remote attackers to upload arbitrary files and execute web shell backdoors without user interaction. This vulnerability affects administrators with elevated credentials and enables complete compromise of the affected access point. No patch is currently available to remediate this issue.
HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. [CVSS 3.1 LOW]
Aion versions up to 2.0 contain a vulnerability that allows malicious file uploads, potentially resulting in unauthorized code execution or system compromise (CVSS 2.7).
Mpay versions up to 1.2.4 contain an unrestricted file upload vulnerability in the QR Code Image Handler component via the codeimg parameter, allowing remote attackers with high privileges to upload arbitrary files. Public exploit code exists for this vulnerability, though no patch is currently available. The attack requires administrative credentials but carries moderate risk with potential impacts to confidentiality, integrity, and availability.
Omnispace Agora Project (before 25.10) allows RCE through crafted PDF upload that exploits the ImageMagick MSL engine via the thumbnail function.
Agora-Project versions up to 25.10 are affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. [CVSS 7.2 HIGH]
Pega Customer Service Framework versions 8.7.0 up to 25.1.0 are affected by unrestricted upload of file with dangerous type.
Hub v2.0 property management system allows unauthenticated arbitrary file upload via /utils/uploadFile. Malicious PDF files can be uploaded and may achieve code execution.
Director versions up to 25.2.0 are affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Operation And Maintenance Security Management System versions up to 3.0.8 are affected by improper access control (CVSS 7.3).
Corpkit WordPress theme (through 2.0) allows unauthenticated web shell upload via unrestricted file type upload.
Contentstudio WordPress plugin (through 1.3.7) allows unauthenticated web shell upload, enabling immediate server compromise.
A file upload vulnerability in ARIS 10.0.23.0.3587512 allows attackers to execute arbitrary code by uploading a crafted PDF file or malware. [CVSS 6.8 MEDIUM]
In Aris v10.0.23.0.3587512 and before, the file upload functionality does not enforce any rate limiting or throttling, allowing users to upload files at an unrestricted rate. [CVSS 6.5 MEDIUM]
Media File Renamer WordPress plugin (through 5.7.7) by Meow Apps allows administrators to upload files with dangerous types, achieving OS-level code execution with scope change. While admin access is required, the scope break makes this critical.
QOCA aim AI Medical Cloud Platform developed by Quanta Computer has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. [CVSS 8.8 HIGH]
A vulnerability has been found in xnx3 wangmarket up to 6.4. The impacted element is the function uploadImage of the file /sits/uploadImage.do of the component XML File Handler. [CVSS 4.7 MEDIUM]
CSRF vulnerability in WING WordPress Migrator plugin through version 1.2.0 permits unauthenticated attackers to upload web shells to affected WordPress sites by tricking site administrators into visiting a malicious webpage. The vulnerability exploits missing nonce verification in file upload functionality, enabling arbitrary code execution with web server privileges. No public exploit code or active exploitation confirmed at time of analysis.
Local file inclusion vulnerability in CodexThemes TheGem Theme Elements (for Elementor) WordPress plugin through version 5.10.5.1 allows attackers to read arbitrary files from the server via improper control of filename parameters in PHP include/require statements. The vulnerability carries a low EPSS score of 0.17% (38th percentile), indicating minimal real-world exploitation probability despite being a classic PHP file inclusion flaw affecting an Elementor page builder plugin.
Unauthenticated arbitrary file upload vulnerability in File Uploader for WooCommerce (WordPress plugin versions ≤1.0.3) enables remote code execution. Missing file type validation in the 'add-image-data' REST API endpoint allows attackers to upload malicious files to Uploadcare service and retrieve them to the web server, achieving code execution without authentication. Exploitation requires no user interaction or special privileges (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis.
Authenticated arbitrary file upload in Infility Global WordPress plugin versions ≤2.14.42 permits remote code execution. The upload_file function accepts spoofed MIME types without verifying file extensions, while import_data lacks capability checks, allowing subscriber-level users to upload malicious files (e.g., PHP webshells) to the server. CVSS:3.1 score 8.8 (High) reflects network-accessible, low-complexity exploitation requiring only low-privilege authentication. No public exploit identified at time of analysis. EPSS 0.35% indicates low observed exploitation activity.
A critical authentication bypass and path traversal vulnerability in PipesHub AI platform allows unauthenticated remote attackers to upload files with directory traversal sequences, enabling arbitrary file writes anywhere the service account has permissions. This vulnerability affects PipesHub versions prior to 0.1.0-beta and has a publicly available proof-of-concept exploit, making it an immediate priority for organizations using this enterprise search and workflow automation platform. With a CVSS score of 9.8 and the ability to plant malicious code or overwrite critical files, this represents a severe risk to affected systems.
A vulnerability was found in Yottamaster DM2, DM3 and DM200 up to 1.2.23/1.9.12. Affected by this issue is some unknown functionality of the component File Upload. Performing manipulation results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
A security vulnerability has been detected in ORICO CD3510 1.9.12. This affects an unknown function of the component File Upload. The manipulation leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_running.php. Executing a manipulation of the argument product_image can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.
A flaw has been found in Verysync 微力同步 up to 2.21.3. This impacts an unknown function of the file /rest/f/api/resources/f96956469e7be39d/tmp/text.txt?override=false of the component Web Administration Module. Executing manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A security flaw has been discovered in code-projects Employee Profile Management System 1.0. Impacted is an unknown function of the file /profiling/add_file_query.php. The manipulation of the argument per_file results in unrestricted upload. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation when detecting WXR files, allowing double-extension files to bypass sanitization while being accepted as valid WXR files. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Flexsense DiskBoss 7.7.14 allows unauthenticated attackers to upload arbitrary files via /Command/Search Files/Directory field, leading to a denial of service by crashing the application.
zdh_web is a data collection, processing, monitoring, scheduling, and management platform. In zdh_web through 5.6.17, insufficient validation of file upload paths in the application allows an authenticated user to write arbitrary files to the server file system, potentially overwriting existing files and leading to privilege escalation or remote code execution.
File upload vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store arbitrary files on the filesystem.
The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the cstu_update_post() function in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to a missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.