Skip to main content

File Upload

4034 CVEs technique

Monthly

CVE-2018-7665 CRITICAL POC THREAT Emergency

An issue was discovered in ClipBucket before 4.0.0 Release 4902. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Clipbucket
NVD
CVSS 3.0
9.8
EPSS
16.2%
CVE-2018-7567 HIGH POC This Week

In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenticated admins are able to exploit a Blind Remote Code Execution vulnerability by. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE Otrs
NVD
CVSS 3.0
7.2
EPSS
5.3%
CVE-2018-7486 HIGH POC This Week

Blue River Mura CMS before v7.0.7029 supports inline function calls with an [m] tag and [/m] end tag, without proper restrictions on file types or pathnames, which allows remote attackers to execute. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE Path Traversal Muracms
NVD
CVSS 3.0
7.2
EPSS
2.5%
CVE-2018-7316 CRITICAL POC Act Now

Arbitrary File Upload exists in the Proclaim 9.1.1 component for Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Proclaim
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
8.2%
CVE-2018-7217 HIGH This Week

In Bravo Tejari Procurement Portal, uploaded files are not properly validated by the application either on the client or the server side. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Bravo Solution
NVD
CVSS 3.0
8.8
EPSS
1.9%
CVE-2018-6860 HIGH POC This Week

Arbitrary File Upload and Remote Code Execution exist in PHP Scripts Mall Schools Alert Management Script 2.0.2 via a profile picture. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE PHP Schools Alert Management Script
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
2.5%
CVE-2018-1000062 MEDIUM PATCH This Month

WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File Upload through SVG vulnerability in uploadFileAction(), 'svg' => 'image/svg+xml' that can result in An attacker can execute. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

File Upload XSS Wondercms
NVD GitHub
CVSS 3.0
4.4
EPSS
0.6%
CVE-2018-5307 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 2.x before 2.14.6 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload XSS Nexus Repository Manager
NVD
CVSS 3.0
6.1
EPSS
1.2%
CVE-2018-5306 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 3.x before 3.8 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload XSS Nexus Repository Manager
NVD
CVSS 3.0
6.1
EPSS
1.1%
CVE-2018-6580 CRITICAL POC THREAT Act Now

Arbitrary file upload exists in the Jimtawl 2.1.6 and 2.2.5 component for Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Jimtawl
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
36.9%
CVE-2018-1342 CRITICAL Act Now

A Vulnerability exists on Admin Console where an attacker can upload files to the Admin Console server, and potentially execute them. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Access Manager
NVD
CVSS 3.0
9.8
EPSS
1.2%
CVE-2018-5997 CRITICAL POC THREAT Act Now

An issue was discovered in the HTTP Server in RAVPower Filehub 2.000.056. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE Path Traversal Filehub Firmware
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
23.5%
CVE-2018-5749 CRITICAL POC Act Now

install.php in Minecraft Servers List Lite before commit c1cd164 and Premium Minecraft Servers List before 2.0.4 does not sanitize input before saving database connection information in connect.php,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Premium Minecraft Servers List Minecraft Servers List Lite
NVD
CVSS 3.0
9.8
EPSS
2.5%
CVE-2018-2642 MEDIUM PATCH This Month

Vulnerability in the Oracle Argus Safety component of Oracle Health Sciences Applications (subcomponent: File Upload). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Oracle Denial Of Service File Upload Argus Safety
NVD
CVSS 3.0
6.5
EPSS
0.6%
CVE-2018-5724 CRITICAL POC THREAT Act Now

MASTER IPCAMERA01 3.3.4.2103 devices allow Unauthenticated Configuration Download and Upload, as demonstrated by restore.cgi. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Master Ip Camera01 Firmware
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
11.5%
CVE-2018-3814 PHP HIGH POC This Week

Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Craft Cms
NVD GitHub
CVSS 3.0
8.8
EPSS
1.4%
CVE-2017-17987 HIGH POC This Week

PHP Scripts Mall Muslim Matrimonial Script allows arbitrary file upload via admin/mydetails_edit.php. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Muslim Matrimonial Script
NVD GitHub
CVSS 3.0
7.2
EPSS
0.3%
CVE-2017-17874 HIGH POC This Week

Vanguard Marketplace Digital Products PHP 1.4 allows arbitrary file upload via an "Add a new product" or "Add a product preview" action, which can make a .php file accessible under a uploads/ URI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Marketplace Digital Products Php
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
2.4%
CVE-2017-16949 CRITICAL POC THREAT Emergency

An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 38.8%.

RCE WordPress PHP File Upload Anonymous Post Pro
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
38.8%
Threat
4.6
CVE-2017-15876 HIGH POC This Week

Unrestricted File Upload vulnerability in GPWeb 8.4.61 allows remote authenticated users to upload any type of file, including a PHP shell. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Gpweb
NVD
CVSS 3.0
7.2
EPSS
1.1%
CVE-2017-17727 HIGH This Week

DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE PHP File Upload Dedecms
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2017-17593 HIGH POC THREAT Act Now

Simple Chatting System 1.0 allows Arbitrary File Upload via view/my_profile.php, which places files under uploads/. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.2%.

PHP File Upload Simple Chatting System
NVD Exploit-DB
CVSS 3.0
7.5
EPSS
16.2%
CVE-2017-13156 HIGH POC PATCH THREAT Act Now

An elevation of privilege vulnerability in the Android system (art). Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and EPSS exploitation probability 59.7%.

Google File Upload Android
NVD Exploit-DB
CVSS 3.0
7.8
EPSS
59.7%
Threat
4.9
CVE-2017-12332 MEDIUM This Month

A vulnerability in Cisco NX-OS System Software patch installation could allow an authenticated, local attacker to write a file to arbitrary locations. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Cisco File Upload Unified Computing System Nx Os
NVD
CVSS 3.0
4.4
EPSS
0.2%
CVE-2017-15673 HIGH This Week

The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Cs Cart
NVD
CVSS 3.0
7.2
EPSS
0.4%
CVE-2017-15054 PHP HIGH POC PATCH This Week

An arbitrary file upload vulnerability, present in TeamPass before 2.1.27.9, allows remote authenticated users to upload arbitrary files leading to Remote Command Execution. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available.

PHP File Upload Teampass
NVD GitHub
CVSS 3.0
7.5
EPSS
1.9%
CVE-2017-16941 HIGH This Week

October CMS through 1.0.428 does not prevent use of .htaccess in themes, which allows remote authenticated users to execute arbitrary PHP code by downloading a theme ZIP archive from. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload October
NVD GitHub
CVSS 3.0
8.8
EPSS
0.5%
CVE-2017-2738 CRITICAL Act Now

VCM5010 with software versions earlier before V100R002C50SPC100 has an authentication bypass vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Vcm5010 Firmware
NVD
CVSS 3.0
9.8
EPSS
1.2%
CVE-2017-2737 HIGH This Week

VCM5010 with software versions earlier before V100R002C50SPC100 has an arbitrary file upload vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Vcm5010 Firmware
NVD
CVSS 3.0
8.8
EPSS
0.2%
CVE-2017-2699 HIGH This Week

The Huawei Themes APP in versions earlier than PLK-UL00C17B385, versions earlier than CRR-L09C432B380, versions earlier than LYO-L21C577B128 has a privilege elevation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Huawei File Upload Honor 7 Firmware Mate S Firmware +1
NVD
CVSS 3.0
7.8
EPSS
0.2%
CVE-2017-8862 CRITICAL Act Now

The webupgrade function on the Cohu 3960HD does not verify the firmware upgrade files or process, allowing an attacker to upload a specially crafted postinstall.sh file that will be executed with. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload 3960Hd Firmware
NVD
CVSS 3.0
9.8
EPSS
0.3%
CVE-2017-1000238 HIGH POC This Week

InvoicePlane version 1.4.10 is vulnerable to a Arbitrary File Upload resulting in an authenticated user can upload a malicious file to the webserver. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Invoiceplane
NVD
CVSS 3.0
8.8
EPSS
0.6%
CVE-2017-1000194 PHP CRITICAL PATCH Act Now

October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site compromise and possibly other applications on the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Apache File Upload October
NVD GitHub
CVSS 3.0
9.8
EPSS
0.4%
CVE-2017-16524 HIGH POC THREAT Act Now

Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_upload.php' allows remote authenticated attackers to upload and execute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 74.7%.

Samsung PHP File Upload Web Viewer
NVD GitHub Exploit-DB
CVSS 3.0
8.8
EPSS
74.7%
Threat
5.5
CVE-2017-15990 CRITICAL POC Act Now

Php Inventory & Invoice Management System allows Arbitrary File Upload via dashboard/edit_myaccountdetail/. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Phpinventory
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
8.8%
CVE-2017-15962 CRITICAL POC THREAT Emergency

iStock Management System 1.0 allows Arbitrary File Upload via user/profile. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 18.2%.

File Upload Istock Management System
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
18.2%
Threat
4.0
CVE-2017-15957 HIGH POC This Week

my_profile.php in Ingenious School Management System 2.3.0 allows a student or teacher to upload an arbitrary file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Ingenious School Management System
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
3.3%
CVE-2017-15948 MEDIUM POC This Month

Perch Content Management System 3.0.3 allows unrestricted file upload (with resultant XSS) via the Asset Title field in conjunction with the Select File field. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS File Upload Perch
NVD
CVSS 3.1
4.8
EPSS
0.2%
CVE-2017-15580 CRITICAL POC THREAT Emergency

osTicket 1.10.1 provides a functionality to upload 'html' files with associated formats. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 35.8%.

PHP File Upload Osticket
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
35.8%
Threat
4.5
CVE-2014-2664 HIGH This Week

Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE PHP File Upload X2Crm
NVD
CVSS 3.0
8.8
EPSS
6.9%
CVE-2015-2780 CRITICAL POC PATCH THREAT Act Now

Unrestricted file upload vulnerability in Berta CMS allows remote attackers to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 31.9%.

RCE File Upload Berta Cms
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
31.9%
Threat
4.4
CVE-2017-8025 HIGH This Week

RSA Archer GRC Platform prior to 6.2.0.5 is affected by an arbitrary file upload vulnerability. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available.

File Upload Archer Grc Platform
NVD
CVSS 3.0
7.4
EPSS
0.8%
CVE-2017-1000119 PHP HIGH POC THREAT Act Now

October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other applications on the server. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 76.2%.

RCE PHP File Upload October
NVD Exploit-DB
CVSS 3.0
7.2
EPSS
76.2%
Threat
5.2
CVE-2017-12617 Maven HIGH POC KEV PATCH THREAT Act Now

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Actively exploited in the wild (cisa kev) and public exploit code available.

Apache Tomcat File Upload
NVD Exploit-DB
CVSS 3.1
8.1
EPSS
94.4%
Threat
7.5
CVE-2017-6090 HIGH POC THREAT Act Now

Unrestricted file upload vulnerability in clients/editclient.php in PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 86.9%.

RCE PHP File Upload Phpcollab
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
86.9%
Threat
5.9
CVE-2017-14771 MEDIUM This Month

Skybox Manager Client Application prior to 8.5.501 is prone to an arbitrary file upload vulnerability due to insufficient input validation of user-supplied files path when uploading files via the. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

File Upload Skybox Manager Client Application
NVD
CVSS 3.0
5.5
EPSS
0.1%
CVE-2017-14958 HIGH PATCH This Week

lib.php in PivotX 2.3.11 does not properly block uploads of dangerous file types by admin users, which allows remote PHP code execution via an upload of a .php file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE PHP File Upload Pivotx
NVD
CVSS 3.0
7.2
EPSS
0.6%
CVE-2017-14841 MEDIUM POC This Month

Mojoomla Annual Maintenance Contract (AMC) Management System allows Arbitrary File Upload in profilesetting image handling. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Annual Maintenance Contract Management System
NVD Exploit-DB
CVSS 3.0
6.5
EPSS
1.7%
CVE-2017-14840 HIGH POC This Week

TeamWork TicketPlus allows Arbitrary File Upload in updateProfile. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Ticketplus
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
2.4%
CVE-2017-14839 HIGH POC This Week

TeamWork Photo Fusion allows Arbitrary File Upload in changeAvatar and changeCover. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Photo Fusion
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
2.4%
CVE-2017-14838 HIGH POC This Week

TeamWork Job Links allows Arbitrary File Upload in profileChange and coverChange. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Job Links
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
2.4%
CVE-2015-8249 CRITICAL POC THREAT Emergency

The FileUploadServlet class in ManageEngine Desktop Central 9 before build 91093 allows remote attackers to upload and execute arbitrary files via the ConnectionId parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.2%.

File Upload Zoho Desktop Central
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
80.2%
Threat
5.9
CVE-2017-14704 HIGH POC This Week

Multiple unrestricted file upload vulnerabilities in the (1) imageSubmit and (2) proof_submit functions in Claydip Laravel Airbnb Clone 1.0 allow remote authenticated users to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Airbnb Clone
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
1.9%
CVE-2017-14079 HIGH PATCH Act Now

Unrestricted file uploads in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attackers to execute arbitrary code on vulnerable installations. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 13.2%.

RCE Trend Micro File Upload Mobile Security
NVD
CVSS 3.0
8.8
EPSS
13.2%
CVE-2017-12929 HIGH POC This Week

Arbitrary File Upload in resource.php of TecnoVISION DLX Spot Player4 version >1.5.10 allows remote authenticated users to upload arbitrary files leading to Remote Command Execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Dlx Spot Player4
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
3.9%
CVE-2014-9619 HIGH POC This Week

Unrestricted file upload vulnerability in webadmin/ajaxfilemanager/ajaxfilemanager.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote authenticated users with. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Netsweeper
NVD Exploit-DB
CVSS 3.0
7.2
EPSS
6.5%
CVE-2017-12615 Maven HIGH POC KEV PATCH THREAT Act Now

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Actively exploited in the wild (cisa kev) and public exploit code available.

Apache Microsoft Tomcat File Upload
NVD GitHub Exploit-DB
CVSS 3.1
8.1
EPSS
94.2%
Threat
7.4
CVE-2017-1002016 CRITICAL POC THREAT Emergency

Vulnerability in wordpress plugin flickr-picture-backup v0.7, The code in flickr-picture-download.php doesn't check to see if the user is authenticated or that they have permission to upload files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.6%.

WordPress PHP File Upload Flickr Picture Backup
NVD
CVSS 3.1
9.8
EPSS
14.6%
CVE-2017-1002008 CRITICAL POC THREAT Emergency

Vulnerability in wordpress plugin membership-simplified-for-oap-members-only v1.58, The file download code located membership-simplified-for-oap-members-only/download.php does not check whether a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 40.0%.

WordPress PHP File Upload Membership Simplified
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
40.0%
Threat
4.7
CVE-2017-1002003 CRITICAL POC THREAT Emergency

Vulnerability in wordpress plugin wp2android-turn-wp-site-into-android-app v1.1.4, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 47.7%.

WordPress Google File Upload Wp2Android Turn Wp Site Into Android App
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
47.7%
Threat
4.9
CVE-2017-1002002 CRITICAL POC THREAT Emergency

Vulnerability in wordpress plugin webapp-builder v2.0, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com/. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 51.2%.

WordPress File Upload Webapp Builder
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
51.2%
Threat
5.0
CVE-2017-1002001 CRITICAL POC THREAT Emergency

Vulnerability in wordpress plugin mobile-app-builder-by-wappress v1.05, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 44.5%.

WordPress File Upload Mobile App Builder By Wappress
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
44.5%
Threat
4.8
CVE-2017-1002000 CRITICAL POC THREAT Emergency

Vulnerability in wordpress plugin mobile-friendly-app-builder-by-easytouch v3.0, The code in file ./mobile-friendly-app-builder-by-easytouch/server/images.php doesn't require authentication or check. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 64.3%.

WordPress PHP File Upload Mobile Friendly App Builder By Easytouch
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
64.3%
Threat
5.4
CVE-2017-14399 HIGH This Week

In BlackCat CMS 1.2.2, unrestricted file upload is possible in backend\media\ajax_rename.php via the extension parameter, as demonstrated by changing the extension from .jpg to .php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Blackcat Cms
NVD GitHub
CVSS 3.0
8.8
EPSS
0.4%
CVE-2017-14346 CRITICAL POC Act Now

upload.php in tianchoy/blog through 2017-09-12 allows unrestricted file upload and PHP code execution by using the image/jpeg, image/pjpeg, image/png, or image/gif content type for a .php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Blog
NVD GitHub
CVSS 3.0
9.8
EPSS
1.0%
CVE-2015-9228 HIGH This Week

In post-new.php in the Photocrati NextGEN Gallery plugin 2.1.10 for WordPress, unrestricted file upload is available via the name parameter, if a file extension is changed from .jpg to .php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP File Upload Nextgen Gallery
NVD GitHub
CVSS 3.0
8.8
EPSS
5.0%
CVE-2017-14251 PHP HIGH POC PATCH This Week

Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP File Upload Typo3
NVD
CVSS 3.0
8.8
EPSS
3.5%
CVE-2017-14123 HIGH POC PATCH This Week

Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upload vulnerability in the "Group Chat" section. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP File Upload Zoho Manageengine Firewall Analyzer
NVD
CVSS 3.1
8.8
EPSS
4.4%
CVE-2017-14050 HIGH This Week

In BlackCat CMS 1.2, backend/addons/install.php allows remote authenticated users to execute arbitrary PHP code via a ZIP archive that contains a .php file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Blackcat Cms
NVD GitHub
CVSS 3.0
8.8
EPSS
0.5%
CVE-2013-7426 CRITICAL PATCH Act Now

Insecure Temporary file vulnerability in /tmp/kamailio_fifo in kamailio 4.0.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload Kamailio
NVD
CVSS 3.0
9.8
EPSS
1.4%
CVE-2016-0354 MEDIUM PATCH This Month

IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user to upload a malicious file to a Sametime meeting room, that could be downloaded by unsuspecting users which. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

IBM File Upload Sametime
NVD
CVSS 3.0
5.5
EPSS
0.3%
CVE-2014-9312 HIGH POC THREAT Act Now

Unrestricted File Upload vulnerability in Photo Gallery 1.2.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 76.5%.

File Upload Photo Gallery
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
76.5%
Threat
5.6
CVE-2017-9650 HIGH POC This Week

An Unrestricted Upload of File with Dangerous Type issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior; ALC WebCTRL, SiteScan Web 6.1 and prior;. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload I Vu Sitescan Web Automatedlogic Webctrl
NVD Exploit-DB
CVSS 3.0
7.8
EPSS
1.4%
CVE-2017-9509 MEDIUM This Month

The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Atlassian File Upload Crucible Fisheye
NVD
CVSS 3.0
5.4
EPSS
0.2%
CVE-2017-11357 CRITICAL POC KEV THREAT Emergency

Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

RCE File Upload
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
93.9%
Threat
7.8
CVE-2017-12882 Maven MEDIUM PATCH This Month

Stored Cross-site scripting (XSS) vulnerability in Spring Batch Admin before 1.3.0 allows remote authenticated users to inject arbitrary JavaScript or HTML via the file upload functionality. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS Java File Upload Spring Batch Admin
NVD
CVSS 3.0
5.4
EPSS
0.2%
CVE-2017-12881 Maven HIGH PATCH This Week

Cross-site request forgery (CSRF) vulnerability in the Spring Batch Admin before 1.3.0 allows remote attackers to hijack the authentication of unspecified victims and submit arbitrary requests, such. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Java File Upload Spring Batch Admin
NVD
CVSS 3.0
8.8
EPSS
0.2%
CVE-2017-3108 CRITICAL PATCH Act Now

Adobe Experience Manager 6.2 and earlier has a malicious file execution vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.2%.

Adobe File Upload Experience Manager
NVD
CVSS 3.0
9.8
EPSS
10.2%
CVE-2017-11154 HIGH POC This Week

Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Synology PHP File Upload Photo Station
NVD Exploit-DB
CVSS 3.0
7.2
EPSS
6.9%
CVE-2017-12678 HIGH PATCH This Week

In TagLib 1.11.1, the rebuildAggregateFrames function in id3v2framefactory.cpp has a pointer to cast vulnerability, which allows remote attackers to cause a denial of service or possibly have. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Denial Of Service File Upload Taglib Debian Linux
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2015-7571 HIGH POC This Week

Unrestricted file upload vulnerability in Yeager CMS 1.2.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Yeager Cms
NVD Exploit-DB
CVSS 3.0
7.8
EPSS
3.3%
CVE-2017-11756 HIGH This Week

In Earcms Ear Music through 4.1 build 20170710, remote authenticated users can execute arbitrary PHP code by changing the allowable music-upload extensions to include .php in addition to .mp3 and. Rated high severity (CVSS 7.0). No vendor patch available.

PHP File Upload Ear Music
NVD
CVSS 3.0
7.0
EPSS
0.3%
CVE-2015-4463 MEDIUM POC This Month

The file_manager component in eFront CMS before 3.6.15.5 allows remote authenticated users to bypass intended file-upload restrictions by appending a crafted parameter to the file URL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Efront
NVD
CVSS 3.0
6.5
EPSS
0.2%
CVE-2015-4462 MEDIUM POC This Month

Absolute path traversal vulnerability in the file_manager component of eFront CMS before 3.6.15.5 allows remote authenticated users to read arbitrary files via a full pathname in the "Upload file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP File Upload Efront
NVD
CVSS 3.0
6.5
EPSS
0.2%
CVE-2017-11326 HIGH POC This Week

An issue was discovered in Tilde CMS 1.0.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Tilde Cms
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2017-11466 HIGH POC PATCH This Week

Arbitrary file upload vulnerability in com/dotmarketing/servlets/AjaxFileUploadServlet.class in dotCMS 4.1.1 allows remote authenticated administrators to upload .jsp files to arbitrary locations via. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE File Upload Path Traversal Dotcms
NVD GitHub
CVSS 3.0
7.2
EPSS
3.1%
CVE-2017-10961 HIGH This Week

REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF File Upload Redcap
NVD GitHub
CVSS 3.0
8.8
EPSS
0.1%
CVE-2017-11405 MEDIUM POC This Month

In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a CMSContentManager action to admin/moduleinterface.php, followed by a FilePicker action to. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Cms Made Simple
NVD
CVSS 3.0
4.9
EPSS
0.2%
CVE-2017-11404 MEDIUM POC This Month

In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a FileManager action to admin/moduleinterface.php. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Cms Made Simple
NVD
CVSS 3.0
4.9
EPSS
0.2%
CVE-2017-1000081 CRITICAL Act Now

Linux foundation ONOS 1.9.0 is vulnerable to unauthenticated upload of applications (.oar) resulting in remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Onos
NVD
CVSS 3.1
9.8
EPSS
8.3%
EPSS 16% CVSS 9.8
CRITICAL POC THREAT Emergency

An issue was discovered in ClipBucket before 4.0.0 Release 4902. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Clipbucket
NVD
EPSS 5% CVSS 7.2
HIGH POC This Week

In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenticated admins are able to exploit a Blind Remote Code Execution vulnerability by. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE Otrs
NVD
EPSS 3% CVSS 7.2
HIGH POC This Week

Blue River Mura CMS before v7.0.7029 supports inline function calls with an [m] tag and [/m] end tag, without proper restrictions on file types or pathnames, which allows remote attackers to execute. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE Path Traversal +1
NVD
EPSS 8% CVSS 9.8
CRITICAL POC Act Now

Arbitrary File Upload exists in the Proclaim 9.1.1 component for Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Proclaim
NVD Exploit-DB
EPSS 2% CVSS 8.8
HIGH This Week

In Bravo Tejari Procurement Portal, uploaded files are not properly validated by the application either on the client or the server side. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Bravo Solution
NVD
EPSS 3% CVSS 8.8
HIGH POC This Week

Arbitrary File Upload and Remote Code Execution exist in PHP Scripts Mall Schools Alert Management Script 2.0.2 via a profile picture. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE PHP +1
NVD Exploit-DB
EPSS 1% CVSS 4.4
MEDIUM PATCH This Month

WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File Upload through SVG vulnerability in uploadFileAction(), 'svg' => 'image/svg+xml' that can result in An attacker can execute. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

File Upload XSS Wondercms
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 2.x before 2.14.6 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload XSS Nexus Repository Manager
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 3.x before 3.8 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload XSS Nexus Repository Manager
NVD
EPSS 37% CVSS 9.8
CRITICAL POC THREAT Act Now

Arbitrary file upload exists in the Jimtawl 2.1.6 and 2.2.5 component for Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Jimtawl
NVD Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL Act Now

A Vulnerability exists on Admin Console where an attacker can upload files to the Admin Console server, and potentially execute them. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Access Manager
NVD
EPSS 24% CVSS 9.8
CRITICAL POC THREAT Act Now

An issue was discovered in the HTTP Server in RAVPower Filehub 2.000.056. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE Path Traversal +1
NVD Exploit-DB
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

install.php in Minecraft Servers List Lite before commit c1cd164 and Premium Minecraft Servers List before 2.0.4 does not sanitize input before saving database connection information in connect.php,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Premium Minecraft Servers List +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Vulnerability in the Oracle Argus Safety component of Oracle Health Sciences Applications (subcomponent: File Upload). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Oracle Denial Of Service File Upload +1
NVD
EPSS 12% CVSS 9.8
CRITICAL POC THREAT Act Now

MASTER IPCAMERA01 3.3.4.2103 devices allow Unauthenticated Configuration Download and Upload, as demonstrated by restore.cgi. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Master Ip Camera01 Firmware
NVD Exploit-DB
EPSS 1% CVSS 8.8
HIGH POC This Week

Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Craft Cms
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC This Week

PHP Scripts Mall Muslim Matrimonial Script allows arbitrary file upload via admin/mydetails_edit.php. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Muslim Matrimonial Script
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC This Week

Vanguard Marketplace Digital Products PHP 1.4 allows arbitrary file upload via an "Add a new product" or "Add a product preview" action, which can make a .php file accessible under a uploads/ URI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Marketplace Digital Products Php
NVD Exploit-DB
EPSS 39% 4.6 CVSS 9.8
CRITICAL POC THREAT Emergency

An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 38.8%.

RCE WordPress PHP +2
NVD Exploit-DB
EPSS 1% CVSS 7.2
HIGH POC This Week

Unrestricted File Upload vulnerability in GPWeb 8.4.61 allows remote authenticated users to upload any type of file, including a PHP shell. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Gpweb
NVD
EPSS 1% CVSS 8.8
HIGH This Week

DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE PHP File Upload +1
NVD
EPSS 16% CVSS 7.5
HIGH POC THREAT Act Now

Simple Chatting System 1.0 allows Arbitrary File Upload via view/my_profile.php, which places files under uploads/. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.2%.

PHP File Upload Simple Chatting System
NVD Exploit-DB
EPSS 60% 4.9 CVSS 7.8
HIGH POC PATCH THREAT Act Now

An elevation of privilege vulnerability in the Android system (art). Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and EPSS exploitation probability 59.7%.

Google File Upload Android
NVD Exploit-DB
EPSS 0% CVSS 4.4
MEDIUM This Month

A vulnerability in Cisco NX-OS System Software patch installation could allow an authenticated, local attacker to write a file to arbitrary locations. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Cisco File Upload Unified Computing System +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Cs Cart
NVD
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

An arbitrary file upload vulnerability, present in TeamPass before 2.1.27.9, allows remote authenticated users to upload arbitrary files leading to Remote Command Execution. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available.

PHP File Upload Teampass
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

October CMS through 1.0.428 does not prevent use of .htaccess in themes, which allows remote authenticated users to execute arbitrary PHP code by downloading a theme ZIP archive from. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload October
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

VCM5010 with software versions earlier before V100R002C50SPC100 has an authentication bypass vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Vcm5010 Firmware
NVD
EPSS 0% CVSS 8.8
HIGH This Week

VCM5010 with software versions earlier before V100R002C50SPC100 has an arbitrary file upload vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Vcm5010 Firmware
NVD
EPSS 0% CVSS 7.8
HIGH This Week

The Huawei Themes APP in versions earlier than PLK-UL00C17B385, versions earlier than CRR-L09C432B380, versions earlier than LYO-L21C577B128 has a privilege elevation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Huawei File Upload +3
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

The webupgrade function on the Cohu 3960HD does not verify the firmware upgrade files or process, allowing an attacker to upload a specially crafted postinstall.sh file that will be executed with. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload 3960Hd Firmware
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

InvoicePlane version 1.4.10 is vulnerable to a Arbitrary File Upload resulting in an authenticated user can upload a malicious file to the webserver. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Invoiceplane
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site compromise and possibly other applications on the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Apache File Upload October
NVD GitHub
EPSS 75% 5.5 CVSS 8.8
HIGH POC THREAT Act Now

Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_upload.php' allows remote authenticated attackers to upload and execute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 74.7%.

Samsung PHP File Upload +1
NVD GitHub Exploit-DB
EPSS 9% CVSS 9.8
CRITICAL POC Act Now

Php Inventory & Invoice Management System allows Arbitrary File Upload via dashboard/edit_myaccountdetail/. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Phpinventory
NVD Exploit-DB
EPSS 18% 4.0 CVSS 9.8
CRITICAL POC THREAT Emergency

iStock Management System 1.0 allows Arbitrary File Upload via user/profile. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 18.2%.

File Upload Istock Management System
NVD Exploit-DB
EPSS 3% CVSS 8.8
HIGH POC This Week

my_profile.php in Ingenious School Management System 2.3.0 allows a student or teacher to upload an arbitrary file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Ingenious School Management System
NVD Exploit-DB
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Perch Content Management System 3.0.3 allows unrestricted file upload (with resultant XSS) via the Asset Title field in conjunction with the Select File field. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS File Upload Perch
NVD
EPSS 36% 4.5 CVSS 9.8
CRITICAL POC THREAT Emergency

osTicket 1.10.1 provides a functionality to upload 'html' files with associated formats. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 35.8%.

PHP File Upload Osticket
NVD Exploit-DB
EPSS 7% CVSS 8.8
HIGH This Week

Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE PHP File Upload +1
NVD
EPSS 32% 4.4 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Unrestricted file upload vulnerability in Berta CMS allows remote attackers to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 31.9%.

RCE File Upload Berta Cms
NVD Exploit-DB
EPSS 1% CVSS 7.4
HIGH This Week

RSA Archer GRC Platform prior to 6.2.0.5 is affected by an arbitrary file upload vulnerability. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available.

File Upload Archer Grc Platform
NVD
EPSS 76% 5.2 CVSS 7.2
HIGH POC THREAT Act Now

October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other applications on the server. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 76.2%.

RCE PHP File Upload +1
NVD Exploit-DB
EPSS 94% 7.5 CVSS 8.1
HIGH POC KEV PATCH THREAT Act Now

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Actively exploited in the wild (cisa kev) and public exploit code available.

Apache Tomcat File Upload
NVD Exploit-DB
EPSS 87% 5.9 CVSS 8.8
HIGH POC THREAT Act Now

Unrestricted file upload vulnerability in clients/editclient.php in PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 86.9%.

RCE PHP File Upload +1
NVD Exploit-DB
EPSS 0% CVSS 5.5
MEDIUM This Month

Skybox Manager Client Application prior to 8.5.501 is prone to an arbitrary file upload vulnerability due to insufficient input validation of user-supplied files path when uploading files via the. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

File Upload Skybox Manager Client Application
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

lib.php in PivotX 2.3.11 does not properly block uploads of dangerous file types by admin users, which allows remote PHP code execution via an upload of a .php file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE PHP File Upload +1
NVD
EPSS 2% CVSS 6.5
MEDIUM POC This Month

Mojoomla Annual Maintenance Contract (AMC) Management System allows Arbitrary File Upload in profilesetting image handling. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Annual Maintenance Contract Management System
NVD Exploit-DB
EPSS 2% CVSS 8.8
HIGH POC This Week

TeamWork TicketPlus allows Arbitrary File Upload in updateProfile. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Ticketplus
NVD Exploit-DB
EPSS 2% CVSS 8.8
HIGH POC This Week

TeamWork Photo Fusion allows Arbitrary File Upload in changeAvatar and changeCover. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Photo Fusion
NVD Exploit-DB
EPSS 2% CVSS 8.8
HIGH POC This Week

TeamWork Job Links allows Arbitrary File Upload in profileChange and coverChange. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Job Links
NVD Exploit-DB
EPSS 80% 5.9 CVSS 9.8
CRITICAL POC THREAT Emergency

The FileUploadServlet class in ManageEngine Desktop Central 9 before build 91093 allows remote attackers to upload and execute arbitrary files via the ConnectionId parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.2%.

File Upload Zoho Desktop Central
NVD Exploit-DB
EPSS 2% CVSS 8.8
HIGH POC This Week

Multiple unrestricted file upload vulnerabilities in the (1) imageSubmit and (2) proof_submit functions in Claydip Laravel Airbnb Clone 1.0 allow remote authenticated users to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Airbnb Clone
NVD Exploit-DB
EPSS 13% CVSS 8.8
HIGH PATCH Act Now

Unrestricted file uploads in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attackers to execute arbitrary code on vulnerable installations. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 13.2%.

RCE Trend Micro File Upload +1
NVD
EPSS 4% CVSS 8.8
HIGH POC This Week

Arbitrary File Upload in resource.php of TecnoVISION DLX Spot Player4 version >1.5.10 allows remote authenticated users to upload arbitrary files leading to Remote Command Execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Dlx Spot Player4
NVD Exploit-DB
EPSS 6% CVSS 7.2
HIGH POC This Week

Unrestricted file upload vulnerability in webadmin/ajaxfilemanager/ajaxfilemanager.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote authenticated users with. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Netsweeper
NVD Exploit-DB
EPSS 94% 7.4 CVSS 8.1
HIGH POC KEV PATCH THREAT Act Now

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Actively exploited in the wild (cisa kev) and public exploit code available.

Apache Microsoft Tomcat +1
NVD GitHub Exploit-DB
EPSS 15% CVSS 9.8
CRITICAL POC THREAT Emergency

Vulnerability in wordpress plugin flickr-picture-backup v0.7, The code in flickr-picture-download.php doesn't check to see if the user is authenticated or that they have permission to upload files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.6%.

WordPress PHP File Upload +1
NVD
EPSS 40% 4.7 CVSS 9.8
CRITICAL POC THREAT Emergency

Vulnerability in wordpress plugin membership-simplified-for-oap-members-only v1.58, The file download code located membership-simplified-for-oap-members-only/download.php does not check whether a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 40.0%.

WordPress PHP File Upload +1
NVD Exploit-DB
EPSS 48% 4.9 CVSS 9.8
CRITICAL POC THREAT Emergency

Vulnerability in wordpress plugin wp2android-turn-wp-site-into-android-app v1.1.4, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 47.7%.

WordPress Google File Upload +1
NVD Exploit-DB
EPSS 51% 5.0 CVSS 9.8
CRITICAL POC THREAT Emergency

Vulnerability in wordpress plugin webapp-builder v2.0, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com/. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 51.2%.

WordPress File Upload Webapp Builder
NVD Exploit-DB
EPSS 45% 4.8 CVSS 9.8
CRITICAL POC THREAT Emergency

Vulnerability in wordpress plugin mobile-app-builder-by-wappress v1.05, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 44.5%.

WordPress File Upload Mobile App Builder By Wappress
NVD Exploit-DB
EPSS 64% 5.4 CVSS 9.8
CRITICAL POC THREAT Emergency

Vulnerability in wordpress plugin mobile-friendly-app-builder-by-easytouch v3.0, The code in file ./mobile-friendly-app-builder-by-easytouch/server/images.php doesn't require authentication or check. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 64.3%.

WordPress PHP File Upload +1
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH This Week

In BlackCat CMS 1.2.2, unrestricted file upload is possible in backend\media\ajax_rename.php via the extension parameter, as demonstrated by changing the extension from .jpg to .php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Blackcat Cms
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

upload.php in tianchoy/blog through 2017-09-12 allows unrestricted file upload and PHP code execution by using the image/jpeg, image/pjpeg, image/png, or image/gif content type for a .php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload +1
NVD GitHub
EPSS 5% CVSS 8.8
HIGH This Week

In post-new.php in the Photocrati NextGEN Gallery plugin 2.1.10 for WordPress, unrestricted file upload is available via the name parameter, if a file extension is changed from .jpg to .php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP File Upload +1
NVD GitHub
EPSS 4% CVSS 8.8
HIGH POC PATCH This Week

Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP File Upload Typo3
NVD
EPSS 4% CVSS 8.8
HIGH POC PATCH This Week

Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upload vulnerability in the "Group Chat" section. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP File Upload Zoho +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

In BlackCat CMS 1.2, backend/addons/install.php allows remote authenticated users to execute arbitrary PHP code via a ZIP archive that contains a .php file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Blackcat Cms
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Insecure Temporary file vulnerability in /tmp/kamailio_fifo in kamailio 4.0.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload Kamailio
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user to upload a malicious file to a Sametime meeting room, that could be downloaded by unsuspecting users which. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

IBM File Upload Sametime
NVD
EPSS 76% 5.6 CVSS 8.8
HIGH POC THREAT Act Now

Unrestricted File Upload vulnerability in Photo Gallery 1.2.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 76.5%.

File Upload Photo Gallery
NVD Exploit-DB
EPSS 1% CVSS 7.8
HIGH POC This Week

An Unrestricted Upload of File with Dangerous Type issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior; ALC WebCTRL, SiteScan Web 6.1 and prior;. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload I Vu +2
NVD Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM This Month

The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Atlassian File Upload +2
NVD
EPSS 94% 7.8 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

RCE File Upload
NVD Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored Cross-site scripting (XSS) vulnerability in Spring Batch Admin before 1.3.0 allows remote authenticated users to inject arbitrary JavaScript or HTML via the file upload functionality. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS Java File Upload +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-site request forgery (CSRF) vulnerability in the Spring Batch Admin before 1.3.0 allows remote attackers to hijack the authentication of unspecified victims and submit arbitrary requests, such. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Java File Upload +1
NVD
EPSS 10% CVSS 9.8
CRITICAL PATCH Act Now

Adobe Experience Manager 6.2 and earlier has a malicious file execution vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.2%.

Adobe File Upload Experience Manager
NVD
EPSS 7% CVSS 7.2
HIGH POC This Week

Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Synology PHP File Upload +1
NVD Exploit-DB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

In TagLib 1.11.1, the rebuildAggregateFrames function in id3v2framefactory.cpp has a pointer to cast vulnerability, which allows remote attackers to cause a denial of service or possibly have. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Denial Of Service File Upload Taglib +1
NVD GitHub
EPSS 3% CVSS 7.8
HIGH POC This Week

Unrestricted file upload vulnerability in Yeager CMS 1.2.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Yeager Cms
NVD Exploit-DB
EPSS 0% CVSS 7.0
HIGH This Week

In Earcms Ear Music through 4.1 build 20170710, remote authenticated users can execute arbitrary PHP code by changing the allowable music-upload extensions to include .php in addition to .mp3 and. Rated high severity (CVSS 7.0). No vendor patch available.

PHP File Upload Ear Music
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The file_manager component in eFront CMS before 3.6.15.5 allows remote authenticated users to bypass intended file-upload restrictions by appending a crafted parameter to the file URL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Efront
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Absolute path traversal vulnerability in the file_manager component of eFront CMS before 3.6.15.5 allows remote authenticated users to read arbitrary files via a full pathname in the "Upload file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP File Upload +1
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

An issue was discovered in Tilde CMS 1.0.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Tilde Cms
NVD
EPSS 3% CVSS 7.2
HIGH POC PATCH This Week

Arbitrary file upload vulnerability in com/dotmarketing/servlets/AjaxFileUploadServlet.class in dotCMS 4.1.1 allows remote authenticated administrators to upload .jsp files to arbitrary locations via. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE File Upload Path Traversal +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF File Upload Redcap
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM POC This Month

In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a CMSContentManager action to admin/moduleinterface.php, followed by a FilePicker action to. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Cms Made Simple
NVD
EPSS 0% CVSS 4.9
MEDIUM POC This Month

In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a FileManager action to admin/moduleinterface.php. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Cms Made Simple
NVD
EPSS 8% CVSS 9.8
CRITICAL Act Now

Linux foundation ONOS 1.9.0 is vulnerable to unauthenticated upload of applications (.oar) resulting in remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Onos
NVD
Prev Page 43 of 45 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy