Skip to main content

File Upload

4034 CVEs technique

Monthly

CVE-2016-6127 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS File Upload Request Tracker
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-6044 CRITICAL Act Now

An Improper Authorization issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Airlink Raven Xe Firmware Airlink Raven Xt Firmware
NVD
CVSS 3.0
9.8
EPSS
7.7%
CVE-2017-6041 CRITICAL Act Now

An Unrestricted Upload issue was discovered in Marel Food Processing Systems M3000 terminal associated with the following systems: A320, A325, A371, A520 Master, A520 Slave, A530, A542, A571, Check. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload A320 Firmware A325 Firmware A371 Firmware A520 Master Firmware +18
NVD
CVSS 3.0
9.8
EPSS
0.6%
CVE-2017-9840 PHP HIGH This Week

Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Dolibarr
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2017-4990 CRITICAL Act Now

In EMC Avamar Server Software 7.4.1-58, 7.4.0-242, 7.3.1-125, 7.3.0-233, 7.3.0-226, an unauthorized attacker may leverage the file upload feature of the system maintenance page to load a maliciously. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Avamar Server
NVD
CVSS 3.0
9.8
EPSS
1.7%
CVE-2017-9602 CRITICAL POC Act Now

KBVault Mysql Free Knowledge Base application package 0.16a comes with a FileExplorer/Explorer.aspx?id=/Uploads file-management component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Kbvault Mysql
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
7.4%
CVE-2017-9613 MEDIUM This Month

Stored Cross-site scripting (XSS) vulnerability in SAP SuccessFactors before b1705.1234962 allows remote authenticated users to inject arbitrary web script or HTML via the file upload functionality. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP File Upload Successfactors
NVD
CVSS 3.0
5.4
EPSS
0.3%
CVE-2017-9380 HIGH POC This Week

OpenEMR 5.0.0 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution within the context of the vulnerable application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Openemr
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
0.9%
CVE-2017-9364 CRITICAL POC PATCH Act Now

Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a safety check and execute any code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

File Upload Bigtree Cms
NVD GitHub
CVSS 3.0
9.8
EPSS
0.3%
CVE-2015-4455 CRITICAL POC THREAT Emergency

Unrestricted file upload vulnerability in includes/upload.php in the Aviary Image Editor Add-on For Gravity Forms plugin 3.0 beta for WordPress allows remote attackers to execute arbitrary code by. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.3%.

RCE WordPress PHP File Upload Aviary Image Editor Add On For Gravity Forms
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
80.3%
Threat
5.9
CVE-2017-9101 CRITICAL POC THREAT Emergency

import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.0%.

RCE PHP File Upload Playsms
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
80.0%
Threat
5.9
CVE-2017-9080 HIGH POC THREAT Act Now

PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 73.5%.

RCE PHP File Upload Playsms
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
73.5%
Threat
5.5
CVE-2017-6027 CRITICAL Act Now

An Arbitrary File Upload issue was discovered in 3S-Smart Software Solutions GmbH CODESYS Web Server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Web Server
NVD
CVSS 3.0
9.8
EPSS
1.9%
CVE-2017-9069 PHP HIGH POC PATCH This Week

In MODX Revolution before 2.5.7, a user with file upload permissions is able to execute arbitrary code by uploading a file with the name .htaccess. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE File Upload Modx Revolution
NVD GitHub
CVSS 3.0
8.8
EPSS
1.0%
CVE-2017-8080 HIGH PATCH This Week

Atlassian Hipchat Server before 2.2.4 allows remote authenticated users with user level privileges to execute arbitrary code via vectors involving image uploads. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE Atlassian File Upload Hipchat Server
NVD
CVSS 3.0
8.8
EPSS
1.6%
CVE-2017-7989 MEDIUM PATCH This Month

In Joomla!. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload Joomla
NVD
CVSS 3.0
6.5
EPSS
0.0%
CVE-2017-7357 CRITICAL PATCH Act Now

Hipchat Server before 2.2.3 allows remote authenticated users with Server Administrator level privileges to execute arbitrary code by importing a file. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE File Upload Hipchat Server
NVD
CVSS 3.0
9.1
EPSS
2.2%
CVE-2016-1713 HIGH POC THREAT Act Now

Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. Public exploit code available and EPSS exploitation probability 61.9%.

RCE PHP File Upload Vtiger Crm
NVD Exploit-DB
CVSS 3.0
7.3
EPSS
61.9%
Threat
4.8
CVE-2015-6567 HIGH POC PATCH This Week

Wolf CMS before 0.8.3.1 allows unrestricted file upload and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not validate the parameter "filename" properly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE PHP File Upload Wolf Cms
NVD GitHub Exploit-DB
CVSS 3.0
8.8
EPSS
5.9%
CVE-2017-7281 HIGH POC This Week

An issue was discovered in Unitrends Enterprise Backup before 9.1.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Enterprise Backup
NVD
CVSS 3.0
8.8
EPSS
7.4%
CVE-2017-7695 CRITICAL POC PATCH Act Now

Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they could bypass a safety check and execute any code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP File Upload Bigtree Cms
NVD GitHub
CVSS 3.0
9.8
EPSS
0.4%
CVE-2016-8973 MEDIUM PATCH This Month

IBM Rhapsody DM 4.0, 5.0 and 6.0 contains an undisclosed vulnerability that may allow an authenticated user to upload infected malicious files to the server. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

IBM File Upload Rational Rhapsody Design Manager
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2015-3884 HIGH POC THREAT Act Now

Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 72.9%.

RCE File Upload Qdpm
NVD
CVSS 3.1
8.8
EPSS
72.9%
Threat
5.4
CVE-2017-6104 HIGH POC THREAT Act Now

Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 38.6%.

WordPress Authentication Bypass File Upload Zen Mobile App Native
NVD Exploit-DB
CVSS 3.0
7.5
EPSS
38.6%
Threat
4.2
CVE-2016-9351 HIGH POC This Week

An issue was discovered in Advantech SUISAccess Server Version 3.0 and prior. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.

Path Traversal File Upload Susiaccess
NVD Exploit-DB
CVSS 3.0
7.0
EPSS
3.7%
CVE-2016-6104 HIGH PATCH This Week

IBM Tivoli Key Lifecycle Manager 2.5, and 2.6 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions, which could allow the attacker to execute. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE IBM File Upload Security Key Lifecycle Manager
NVD
CVSS 3.0
7.2
EPSS
2.4%
CVE-2016-8938 CRITICAL PATCH Act Now

IBM UrbanCode Deploy could allow a user to execute code using a specially crafted file upload that would replace code on the server. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Authentication Bypass File Upload Urbancode Deploy
NVD
CVSS 3.0
10.0
EPSS
0.8%
CVE-2016-8921 HIGH This Week

IBM FileNet WorkPlace XT could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE IBM File Upload Filenet Workplace Xt
NVD
CVSS 3.0
8.8
EPSS
2.7%
CVE-2016-6124 HIGH This Week

IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE IBM File Upload Kenexa Lms On Cloud
NVD
CVSS 3.0
8.8
EPSS
2.7%
CVE-2016-6600 CRITICAL POC THREAT Emergency

Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.6%.

Path Traversal File Upload Zoho Webnms Framework
NVD GitHub Exploit-DB VulDB
CVSS 3.0
9.8
EPSS
90.6%
Threat
6.2
CVE-2017-5520 HIGH POC This Week

The media rename feature in GeniXCMS through 0.0.8 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to rename and execute files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Genixcms
NVD GitHub VulDB
CVSS 3.0
8.8
EPSS
0.5%
CVE-2017-5518 HIGH POC This Week

The media-file upload feature in GeniXCMS through 0.0.8 allows remote attackers to conduct SSRF attacks via a URL, as demonstrated by a URL with an intranet IP address. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF File Upload Genixcms
NVD GitHub VulDB
CVSS 3.0
7.4
EPSS
0.4%
CVE-2017-5489 HIGH This Week

Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF File Upload
NVD VulDB
CVSS 3.0
8.8
EPSS
0.5%
CVE-2016-7902 HIGH PATCH This Week

Unrestricted file upload vulnerability in the fileUnzip->unzip method in Dotclear before 2.10.3 allows remote authenticated users with permissions to manage media items to execute arbitrary code by. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE PHP File Upload Dotclear
NVD
CVSS 3.0
8.8
EPSS
2.4%
CVE-2016-1000156 CRITICAL POC THREAT Emergency

Mailcwp remote file upload vulnerability incomplete fix v1.100. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.4%.

Command Injection File Upload Mailcwp
NVD
CVSS 3.0
9.8
EPSS
16.4%
Threat
4.0
CVE-2016-9268 HIGH PATCH This Week

Unrestricted file upload vulnerability in the Blog appearance in the "Install or upgrade manually" module in Dotclear through 2.10.4 allows remote authenticated super-administrators to execute. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE File Upload Dotclear
NVD
CVSS 3.0
7.2
EPSS
0.9%
CVE-2016-9187 PHP HIGH POC This Week

Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Moodle
NVD
CVSS 3.0
8.8
EPSS
2.1%
CVE-2016-9186 HIGH POC This Week

Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Moodle
NVD
CVSS 3.0
8.8
EPSS
2.1%
CVE-2016-7452 HIGH PATCH This Week

The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to upload a malicious file to any folder on the site via a cpi directory traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Path Traversal File Upload Exponent Cms
NVD GitHub
CVSS 3.0
7.5
EPSS
1.1%
CVE-2016-7095 CRITICAL Act Now

Exponent CMS before 2.3.9 is vulnerable to an attacker uploading a malicious script file using redirection to place the script in an unprotected folder, one allowing script execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Exponent Cms
NVD GitHub
CVSS 3.0
9.8
EPSS
1.2%
CVE-2016-1000112 CRITICAL POC THREAT Emergency

Unauthenticated remote .jpg file upload in contus-video-comments v1.0 wordpress plugin. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 35.7%.

Path Traversal WordPress File Upload Contus Video Comments
NVD
CVSS 3.1
9.1
EPSS
35.7%
Threat
4.4
CVE-2015-1000013 HIGH POC This Week

Remote file upload vulnerability in wordpress plugin csv2wpec-coupon v1.1. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress File Upload Csv2Wpec Coupon
NVD
CVSS 3.0
7.8
EPSS
6.0%
CVE-2015-1000001 CRITICAL POC Act Now

Remote file upload vulnerability in fast-image-adder v1.1 Wordpress plugin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress File Upload Fast Image Adder
NVD
CVSS 3.0
9.8
EPSS
7.8%
CVE-2015-1000000 CRITICAL POC THREAT Emergency

Remote file upload vulnerability in mailcwp v1.99 wordpress plugin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.3%.

WordPress File Upload Mailcwp
NVD
CVSS 3.0
9.8
EPSS
11.3%
CVE-2016-6483 HIGH POC PATCH THREAT Act Now

The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.3%.

SSRF File Upload Vbulletin
NVD Exploit-DB
CVSS 3.0
8.6
EPSS
16.3%
CVE-2016-5050 CRITICAL Act Now

Unrestricted file upload vulnerability in chat/sendfile.aspx in ReadyDesk 9.1 allows remote attackers to execute arbitrary code by uploading and requesting a .aspx file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Readydesk
NVD
CVSS 3.0
9.8
EPSS
3.4%
CVE-2016-2914 MEDIUM PATCH This Month

Unrestricted file upload vulnerability in the Document Builder in IBM Rational Publishing Engine (aka RPENG) 2.0.1 before ifix002 allows remote authenticated users to execute arbitrary code by. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

IBM RCE File Upload Engineering Lifecycle Optimization Publishing
NVD
CVSS 3.0
5.4
EPSS
3.3%
CVE-2016-3088 Maven CRITICAL POC KEV PATCH THREAT Act Now

Remote code execution in Apache ActiveMQ 5.x before 5.14.0 allows unauthenticated attackers to upload and execute arbitrary files on the message broker server by chaining HTTP PUT and MOVE requests against the Fileserver web application. This vulnerability is confirmed actively exploited (CISA KEV) with EPSS score of 94.29%, publicly available exploit code exists, and vendor-released patch is available in ActiveMQ 5.14.0.

Apache File Upload
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
94.3%
Threat
9.8
CVE-2015-6022 HIGH This Week

Unrestricted file upload vulnerability in QNAP Signage Station before 2.0.1 allows remote authenticated users to execute arbitrary code by uploading an executable file, and then accessing this file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Qnap RCE File Upload Signage Station
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2016-1524 CRITICAL POC THREAT Emergency

Multiple unrestricted file upload vulnerabilities in NETGEAR Management System NMS300 1.5.0.11 and earlier allow remote attackers to execute arbitrary Java code by using (1) fileUpload.do or (2). Rated critical severity (CVSS 9.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 65.7%.

Netgear Java File Upload Prosafe Network Management Software 300
NVD Exploit-DB
CVSS 3.0
9.6
EPSS
65.7%
Threat
5.4
CVE-2016-0854 CRITICAL POC THREAT Emergency

Unrestricted file upload vulnerability in the uploadImageCommon function in the UploadAjaxAction script in the WebAccess Dashboard Viewer in Advantech WebAccess before 8.1 allows remote attackers to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 72.2%.

File Upload Webaccess
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
72.2%
Threat
5.6
CVE-2015-2876 HIGH This Week

Unrestricted file upload vulnerability on Seagate GoFlex Satellite, Seagate Wireless Mobile Storage, Seagate Wireless Plus Mobile Storage, and LaCie FUEL devices with firmware before 3.4.1.105 allows. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Lac9000436U Firmware Lac9000464U Firmware Wireless Mobile Storage +2
NVD
CVSS 3.0
8.8
EPSS
2.0%
CVE-2015-7773 MEDIUM PATCH This Month

Unrestricted file upload vulnerability in the Panel component in Bastian Allgeier Kirby before 2.1.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file that lacks an. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

PHP File Upload Kirby
NVD
CVSS 2.0
6.5
EPSS
0.4%
CVE-2014-9752 MEDIUM This Month

Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Atutor
NVD
CVSS 2.0
6.5
EPSS
0.7%
CVE-2015-8105 LOW Monitor

Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

XSS File Upload Opensuse Webmail
NVD
CVSS 2.0
3.5
EPSS
0.2%
CVE-2015-8002 MEDIUM PATCH This Month

The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 allows remote authenticated users to cause a denial of service (disk consumption) via a. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service File Upload Mediawiki
NVD
CVSS 2.0
6.8
EPSS
0.5%
CVE-2015-7904 MEDIUM POC PATCH This Month

Unrestricted file upload vulnerability in Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 build 430 allows remote authenticated users to execute arbitrary JSP code via vectors. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

File Upload Mango Automation
NVD Exploit-DB
CVSS 2.0
6.5
EPSS
6.5%
CVE-2015-5188 MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in the Web Console (web-console) in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) before. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF File Upload Red Hat Jboss Enterprise Application Platform Jboss Wildfly Application Server
NVD
CVSS 2.0
6.8
EPSS
0.3%
CVE-2015-7684 CRITICAL Act Now

Unrestricted file upload in GLPI before 0.85.3 allows remote authenticated users to execute arbitrary code by adding a file with an executable extension as an attachment to a new ticket, then. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Glpi
NVD
CVSS 2.0
9.0
EPSS
1.7%
CVE-2015-3203 HIGH POC THREAT Act Now

Unrestricted file upload vulnerability in h5ai before 0.25.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 12.4%.

RCE File Upload H5Ai
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
12.4%
CVE-2015-6967 MEDIUM POC THREAT This Month

Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 79.5%.

RCE PHP File Upload Nibbleblog
NVD Exploit-DB
CVSS 2.0
6.5
EPSS
79.5%
Threat
5.2
CVE-2015-6909 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in the "Create download task via file upload" feature in Synology Download Station before 3.5-2962 allows remote attackers to inject arbitrary web script or. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Synology File Upload Download Station
NVD
CVSS 2.0
4.3
EPSS
0.5%
CVE-2015-6660 MEDIUM PATCH This Month

The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF File Upload Drupal
NVD
CVSS 2.0
6.8
EPSS
0.5%
CVE-2015-5681 HIGH POC This Week

Unrestricted file upload vulnerability in upload.php in the Powerplay Gallery plugin 3.3 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE WordPress PHP File Upload Powerplay Gallery
NVD
CVSS 2.0
7.5
EPSS
7.8%
CVE-2015-4524 MEDIUM This Month

Unrestricted file upload vulnerability in EMC Documentum WebTop 6.7SP1 before P31, 6.7SP2 before P23, and 6.8 before P01; Documentum Administrator 6.7SP1 before P31, 6.7SP2 before P23, 7.0 before. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Documentum Administrator Documentum Digital Asset Manager Documentum Taskspace +2
NVD
CVSS 2.0
6.5
EPSS
0.9%
CVE-2015-4607 HIGH PATCH This Week

Unrestricted file upload vulnerability in the Frontend User Upload (feupload) extension 0.5.0 and earlier for TYPO3 allows remote attackers to execute arbitrary code by uploading a file with an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

RCE File Upload Frontend User Upload
NVD
CVSS 2.0
7.5
EPSS
1.6%
CVE-2015-4606 HIGH PATCH This Week

Unrestricted file upload vulnerability in the Job Fair (jobfair) extension before 1.0.1 for TYPO3, when using Apache with mod_mime, allows remote attackers to execute arbitrary code by uploading a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

RCE File Upload Apache Job Fair
NVD
CVSS 2.0
7.5
EPSS
1.7%
CVE-2015-4379 MEDIUM PATCH This Month

Cross-site request forgery (CSRF) vulnerability in the Webform Multiple File Upload module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

CSRF File Upload Webform Multiple File Upload
NVD
CVSS 2.0
6.8
EPSS
0.3%
CVE-2015-2994 MEDIUM POC THREAT This Month

Unrestricted file upload vulnerability in ChangePhoto.jsp in SysAid Help Desk before 15.2 allows remote administrators to execute arbitrary code by uploading a file with a .jsp extension, then. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 76.9%.

RCE File Upload Sysaid
NVD Exploit-DB
CVSS 2.0
6.5
EPSS
76.9%
Threat
5.1
CVE-2015-3181 PHP MEDIUM PATCH This Month

files/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not consider the moodle/user:manageownfiles capability before approving a. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity.

PHP Privilege Escalation File Upload Moodle
NVD
CVSS 2.0
4.0
EPSS
0.3%
CVE-2015-4133 HIGH POC PATCH THREAT Act Now

Unrestricted file upload vulnerability in admin/scripts/FileUploader/php.php in the ReFlex Gallery plugin before 3.1.4 for WordPress allows remote attackers to execute arbitrary PHP code by uploading. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 75.2%.

WordPress PHP File Upload Reflex Gallery
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
75.2%
Threat
5.3
CVE-2015-2842 CRITICAL POC THREAT Emergency

Unrestricted file upload vulnerability in go_audiostore.php in the audiostore (Voice Files) upload functionality in GoAutoDial GoAdmin CE 3.x before 3.3-1421902800 allows remote attackers to execute. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 43.9%.

RCE PHP File Upload Goadmin Ce
NVD Exploit-DB
CVSS 2.0
10.0
EPSS
43.9%
Threat
4.8
CVE-2015-2825 HIGH POC PATCH THREAT Act Now

Unrestricted file upload vulnerability in sam-ajax-admin.php in the Simple Ads Manager plugin before 2.5.96 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 35.3%.

RCE WordPress PHP File Upload Simple Ads Manager
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
35.3%
Threat
4.1
CVE-2015-0702 CRITICAL Act Now

Unrestricted file upload vulnerability in the Custom Prompts upload implementation in Cisco Unified MeetingPlace 8.6(1.9) allows remote authenticated users to execute arbitrary code by using the. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco RCE File Upload Unified Meetingplace
NVD
CVSS 2.0
9.0
EPSS
1.3%
CVE-2015-0968 HIGH This Week

Unrestricted file upload vulnerability in admin/uploadImage.html in SearchBlox before 8.2 allows remote attackers to execute arbitrary code by uploading a file with an executable extension and the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Searchblox
NVD
CVSS 2.0
7.5
EPSS
1.9%
CVE-2015-0877 HIGH This Week

Unrestricted file upload vulnerability in app/lib/mlf.pl in C-BOARD Moyuku before 1.03b3 allows remote attackers to execute arbitrary code by uploading a file with a \0 character in its name. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload C Board Moyuku
NVD
CVSS 2.0
7.5
EPSS
1.6%
CVE-2014-5428 CRITICAL Act Now

Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Metsys
NVD
CVSS 2.0
10.0
EPSS
2.6%
CVE-2015-2194 MEDIUM POC This Month

Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for Wordpress allows remote authenticated users to execute arbitrary code by uploading a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE WordPress PHP File Upload Fusion
NVD
CVSS 2.0
6.5
EPSS
2.4%
CVE-2015-2087 MEDIUM PATCH This Month

Unrestricted file upload vulnerability in the Avatar Uploader module before 6.x-1.3 for Drupal allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

PHP File Upload Avatar Uploader
NVD
CVSS 2.0
6.5
EPSS
0.4%
CVE-2015-2049 CRITICAL POC THREAT Emergency

Unrestricted file upload vulnerability in D-Link DCS-931L with firmware 1.04 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 82.9%.

RCE D-Link File Upload Dcs 931l Firmware
NVD Exploit-DB
CVSS 2.0
9.0
EPSS
82.9%
Threat
5.8
CVE-2015-1604 MEDIUM POC PATCH This Month

Unrestricted file upload vulnerability in asys/site/files.php in Adminsystems CMS before 4.0.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE PHP File Upload Adminsystems Cms
NVD GitHub
CVSS 2.0
6.5
EPSS
4.4%
CVE-2015-1587 HIGH POC THREAT Act Now

Unrestricted file upload vulnerability in file_to_index.php in Maarch LetterBox 2.8 and earlier and GEC/GED 1.4 and earlier allows remote attackers to execute arbitrary PHP code by uploading a file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 79.2%.

PHP File Upload Gec Ged Letterbox
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
79.2%
Threat
5.4
CVE-2015-1172 HIGH POC THREAT Act Now

Unrestricted file upload vulnerability in admin/upload-file.php in the Holding Pattern theme (aka holding_pattern) 0.6 and earlier for WordPress allows remote attackers to execute arbitrary PHP code. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 81.2%.

WordPress PHP File Upload Holding Pattern
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
81.2%
Threat
5.4
CVE-2015-0868 HIGH This Week

Unrestricted file upload vulnerability in Mrs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Bu2 Bbs
NVD
CVSS 2.0
7.5
EPSS
1.7%
CVE-2015-1374 MEDIUM POC This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to hijack the authentication of administrators for requests that conduct (1). Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF File Upload PHP SQLi XSS +1
NVD GitHub Exploit-DB
CVSS 2.0
6.8
EPSS
1.6%
CVE-2015-1371 HIGH POC This Week

Unrestricted file upload vulnerability in ferretCMS 1.0.4-alpha allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Ferretcms
NVD GitHub Exploit-DB
CVSS 2.0
7.5
EPSS
9.2%
CVE-2015-0515 MEDIUM This Month

Unrestricted file upload vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to execute arbitrary code by uploading and then accessing an. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Watch4Net Vipr Srm
NVD
CVSS 2.0
6.5
EPSS
1.2%
CVE-2015-1059 MEDIUM POC This Month

Unrestricted file upload vulnerability in admin/files/add in AdaptCMS 3.0.3 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection File Upload Adaptcms
NVD Exploit-DB
CVSS 2.0
6.5
EPSS
4.5%
CVE-2014-9308 MEDIUM POC PATCH THREAT This Month

Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 82.9%.

RCE WordPress PHP File Upload Wp Easycart
NVD Exploit-DB
CVSS 2.0
6.5
EPSS
82.9%
Threat
5.3
CVE-2014-100015 MEDIUM POC THREAT This Month

Directory traversal vulnerability in pdmwService.exe in SolidWorks Workgroup PDM 2014 allows remote attackers to write to arbitrary files via a .. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 77.3%.

Path Traversal File Upload Product Data Management
NVD Exploit-DB
CVSS 2.0
6.4
EPSS
77.3%
Threat
5.1
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS File Upload Request Tracker
NVD
EPSS 8% CVSS 9.8
CRITICAL Act Now

An Improper Authorization issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Airlink Raven Xe Firmware +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An Unrestricted Upload issue was discovered in Marel Food Processing Systems M3000 terminal associated with the following systems: A320, A325, A371, A520 Master, A520 Slave, A530, A542, A571, Check. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload A320 Firmware A325 Firmware +20
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Dolibarr
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

In EMC Avamar Server Software 7.4.1-58, 7.4.0-242, 7.3.1-125, 7.3.0-233, 7.3.0-226, an unauthorized attacker may leverage the file upload feature of the system maintenance page to load a maliciously. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Avamar Server
NVD
EPSS 7% CVSS 9.8
CRITICAL POC Act Now

KBVault Mysql Free Knowledge Base application package 0.16a comes with a FileExplorer/Explorer.aspx?id=/Uploads file-management component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Kbvault Mysql
NVD Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored Cross-site scripting (XSS) vulnerability in SAP SuccessFactors before b1705.1234962 allows remote authenticated users to inject arbitrary web script or HTML via the file upload functionality. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS SAP File Upload +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

OpenEMR 5.0.0 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution within the context of the vulnerable application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Openemr
NVD GitHub Exploit-DB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a safety check and execute any code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

File Upload Bigtree Cms
NVD GitHub
EPSS 80% 5.9 CVSS 9.8
CRITICAL POC THREAT Emergency

Unrestricted file upload vulnerability in includes/upload.php in the Aviary Image Editor Add-on For Gravity Forms plugin 3.0 beta for WordPress allows remote attackers to execute arbitrary code by. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.3%.

RCE WordPress PHP +2
NVD Exploit-DB
EPSS 80% 5.9 CVSS 9.8
CRITICAL POC THREAT Emergency

import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.0%.

RCE PHP File Upload +1
NVD Exploit-DB
EPSS 73% 5.5 CVSS 8.8
HIGH POC THREAT Act Now

PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 73.5%.

RCE PHP File Upload +1
NVD Exploit-DB
EPSS 2% CVSS 9.8
CRITICAL Act Now

An Arbitrary File Upload issue was discovered in 3S-Smart Software Solutions GmbH CODESYS Web Server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Web Server
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

In MODX Revolution before 2.5.7, a user with file upload permissions is able to execute arbitrary code by uploading a file with the name .htaccess. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE File Upload Modx Revolution
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Atlassian Hipchat Server before 2.2.4 allows remote authenticated users with user level privileges to execute arbitrary code via vectors involving image uploads. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE Atlassian File Upload +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

In Joomla!. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload Joomla
NVD
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

Hipchat Server before 2.2.3 allows remote authenticated users with Server Administrator level privileges to execute arbitrary code by importing a file. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE File Upload Hipchat Server
NVD
EPSS 62% 4.8 CVSS 7.3
HIGH POC THREAT Act Now

Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. Public exploit code available and EPSS exploitation probability 61.9%.

RCE PHP File Upload +1
NVD Exploit-DB
EPSS 6% CVSS 8.8
HIGH POC PATCH This Week

Wolf CMS before 0.8.3.1 allows unrestricted file upload and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not validate the parameter "filename" properly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE PHP File Upload +1
NVD GitHub Exploit-DB
EPSS 7% CVSS 8.8
HIGH POC This Week

An issue was discovered in Unitrends Enterprise Backup before 9.1.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload +1
NVD
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they could bypass a safety check and execute any code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP File Upload Bigtree Cms
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

IBM Rhapsody DM 4.0, 5.0 and 6.0 contains an undisclosed vulnerability that may allow an authenticated user to upload infected malicious files to the server. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

IBM File Upload Rational Rhapsody Design Manager
NVD
EPSS 73% 5.4 CVSS 8.8
HIGH POC THREAT Act Now

Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 72.9%.

RCE File Upload Qdpm
NVD
EPSS 39% 4.2 CVSS 7.5
HIGH POC THREAT Act Now

Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 38.6%.

WordPress Authentication Bypass File Upload +1
NVD Exploit-DB
EPSS 4% CVSS 7.0
HIGH POC This Week

An issue was discovered in Advantech SUISAccess Server Version 3.0 and prior. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.

Path Traversal File Upload Susiaccess
NVD Exploit-DB
EPSS 2% CVSS 7.2
HIGH PATCH This Week

IBM Tivoli Key Lifecycle Manager 2.5, and 2.6 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions, which could allow the attacker to execute. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE IBM File Upload +1
NVD
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

IBM UrbanCode Deploy could allow a user to execute code using a specially crafted file upload that would replace code on the server. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Authentication Bypass File Upload +1
NVD
EPSS 3% CVSS 8.8
HIGH This Week

IBM FileNet WorkPlace XT could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE IBM File Upload +1
NVD
EPSS 3% CVSS 8.8
HIGH This Week

IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE IBM File Upload +1
NVD
EPSS 91% 6.2 CVSS 9.8
CRITICAL POC THREAT Emergency

Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.6%.

Path Traversal File Upload Zoho +1
NVD GitHub Exploit-DB VulDB
EPSS 1% CVSS 8.8
HIGH POC This Week

The media rename feature in GeniXCMS through 0.0.8 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to rename and execute files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Genixcms
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH POC This Week

The media-file upload feature in GeniXCMS through 0.0.8 allows remote attackers to conduct SSRF attacks via a URL, as demonstrated by a URL with an intranet IP address. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF File Upload Genixcms
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF File Upload
NVD VulDB
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Unrestricted file upload vulnerability in the fileUnzip->unzip method in Dotclear before 2.10.3 allows remote authenticated users with permissions to manage media items to execute arbitrary code by. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE PHP File Upload +1
NVD
EPSS 16% 4.0 CVSS 9.8
CRITICAL POC THREAT Emergency

Mailcwp remote file upload vulnerability incomplete fix v1.100. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.4%.

Command Injection File Upload Mailcwp
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

Unrestricted file upload vulnerability in the Blog appearance in the "Install or upgrade manually" module in Dotclear through 2.10.4 allows remote authenticated super-administrators to execute. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE File Upload Dotclear
NVD
EPSS 2% CVSS 8.8
HIGH POC This Week

Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Moodle
NVD
EPSS 2% CVSS 8.8
HIGH POC This Week

Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Moodle
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to upload a malicious file to any folder on the site via a cpi directory traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Path Traversal File Upload Exponent Cms
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Exponent CMS before 2.3.9 is vulnerable to an attacker uploading a malicious script file using redirection to place the script in an unprotected folder, one allowing script execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Exponent Cms
NVD GitHub
EPSS 36% 4.4 CVSS 9.1
CRITICAL POC THREAT Emergency

Unauthenticated remote .jpg file upload in contus-video-comments v1.0 wordpress plugin. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 35.7%.

Path Traversal WordPress File Upload +1
NVD
EPSS 6% CVSS 7.8
HIGH POC This Week

Remote file upload vulnerability in wordpress plugin csv2wpec-coupon v1.1. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress File Upload Csv2Wpec Coupon
NVD
EPSS 8% CVSS 9.8
CRITICAL POC Act Now

Remote file upload vulnerability in fast-image-adder v1.1 Wordpress plugin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress File Upload Fast Image Adder
NVD
EPSS 11% CVSS 9.8
CRITICAL POC THREAT Emergency

Remote file upload vulnerability in mailcwp v1.99 wordpress plugin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.3%.

WordPress File Upload Mailcwp
NVD
EPSS 16% CVSS 8.6
HIGH POC PATCH THREAT Act Now

The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.3%.

SSRF File Upload Vbulletin
NVD Exploit-DB
EPSS 3% CVSS 9.8
CRITICAL Act Now

Unrestricted file upload vulnerability in chat/sendfile.aspx in ReadyDesk 9.1 allows remote attackers to execute arbitrary code by uploading and requesting a .aspx file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Readydesk
NVD
EPSS 3% CVSS 5.4
MEDIUM PATCH This Month

Unrestricted file upload vulnerability in the Document Builder in IBM Rational Publishing Engine (aka RPENG) 2.0.1 before ifix002 allows remote authenticated users to execute arbitrary code by. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

IBM RCE File Upload +1
NVD
EPSS 94% 9.8 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Remote code execution in Apache ActiveMQ 5.x before 5.14.0 allows unauthenticated attackers to upload and execute arbitrary files on the message broker server by chaining HTTP PUT and MOVE requests against the Fileserver web application. This vulnerability is confirmed actively exploited (CISA KEV) with EPSS score of 94.29%, publicly available exploit code exists, and vendor-released patch is available in ActiveMQ 5.14.0.

Apache File Upload
NVD Exploit-DB VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Unrestricted file upload vulnerability in QNAP Signage Station before 2.0.1 allows remote authenticated users to execute arbitrary code by uploading an executable file, and then accessing this file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Qnap RCE File Upload +1
NVD
EPSS 66% 5.4 CVSS 9.6
CRITICAL POC THREAT Emergency

Multiple unrestricted file upload vulnerabilities in NETGEAR Management System NMS300 1.5.0.11 and earlier allow remote attackers to execute arbitrary Java code by using (1) fileUpload.do or (2). Rated critical severity (CVSS 9.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 65.7%.

Netgear Java File Upload +1
NVD Exploit-DB
EPSS 72% 5.6 CVSS 9.8
CRITICAL POC THREAT Emergency

Unrestricted file upload vulnerability in the uploadImageCommon function in the UploadAjaxAction script in the WebAccess Dashboard Viewer in Advantech WebAccess before 8.1 allows remote attackers to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 72.2%.

File Upload Webaccess
NVD Exploit-DB
EPSS 2% CVSS 8.8
HIGH This Week

Unrestricted file upload vulnerability on Seagate GoFlex Satellite, Seagate Wireless Mobile Storage, Seagate Wireless Plus Mobile Storage, and LaCie FUEL devices with firmware before 3.4.1.105 allows. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Lac9000436U Firmware +4
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unrestricted file upload vulnerability in the Panel component in Bastian Allgeier Kirby before 2.1.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file that lacks an. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

PHP File Upload Kirby
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Atutor
NVD
EPSS 0% CVSS 3.5
LOW Monitor

Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

XSS File Upload Opensuse +1
NVD
EPSS 1% CVSS 6.8
MEDIUM PATCH This Month

The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 allows remote authenticated users to cause a denial of service (disk consumption) via a. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service File Upload Mediawiki
NVD
EPSS 6% CVSS 6.5
MEDIUM POC PATCH This Month

Unrestricted file upload vulnerability in Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 build 430 allows remote authenticated users to execute arbitrary JSP code via vectors. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

File Upload Mango Automation
NVD Exploit-DB
EPSS 0% CVSS 6.8
MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in the Web Console (web-console) in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) before. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF File Upload Red Hat +2
NVD
EPSS 2% CVSS 9.0
CRITICAL Act Now

Unrestricted file upload in GLPI before 0.85.3 allows remote authenticated users to execute arbitrary code by adding a file with an executable extension as an attachment to a new ticket, then. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Glpi
NVD
EPSS 12% CVSS 7.5
HIGH POC THREAT Act Now

Unrestricted file upload vulnerability in h5ai before 0.25.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 12.4%.

RCE File Upload H5Ai
NVD Exploit-DB
EPSS 80% 5.2 CVSS 6.5
MEDIUM POC THREAT This Month

Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 79.5%.

RCE PHP File Upload +1
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in the "Create download task via file upload" feature in Synology Download Station before 3.5-2962 allows remote attackers to inject arbitrary web script or. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Synology File Upload +1
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF File Upload Drupal
NVD
EPSS 8% CVSS 7.5
HIGH POC This Week

Unrestricted file upload vulnerability in upload.php in the Powerplay Gallery plugin 3.3 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE WordPress PHP +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Unrestricted file upload vulnerability in EMC Documentum WebTop 6.7SP1 before P31, 6.7SP2 before P23, and 6.8 before P01; Documentum Administrator 6.7SP1 before P31, 6.7SP2 before P23, 7.0 before. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Documentum Administrator +4
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Unrestricted file upload vulnerability in the Frontend User Upload (feupload) extension 0.5.0 and earlier for TYPO3 allows remote attackers to execute arbitrary code by uploading a file with an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

RCE File Upload Frontend User Upload
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Unrestricted file upload vulnerability in the Job Fair (jobfair) extension before 1.0.1 for TYPO3, when using Apache with mod_mime, allows remote attackers to execute arbitrary code by uploading a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

RCE File Upload Apache +1
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Cross-site request forgery (CSRF) vulnerability in the Webform Multiple File Upload module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

CSRF File Upload Webform Multiple File Upload
NVD
EPSS 77% 5.1 CVSS 6.5
MEDIUM POC THREAT This Month

Unrestricted file upload vulnerability in ChangePhoto.jsp in SysAid Help Desk before 15.2 allows remote administrators to execute arbitrary code by uploading a file with a .jsp extension, then. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 76.9%.

RCE File Upload Sysaid
NVD Exploit-DB
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

files/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not consider the moodle/user:manageownfiles capability before approving a. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity.

PHP Privilege Escalation File Upload +1
NVD
EPSS 75% 5.3 CVSS 7.5
HIGH POC PATCH THREAT Act Now

Unrestricted file upload vulnerability in admin/scripts/FileUploader/php.php in the ReFlex Gallery plugin before 3.1.4 for WordPress allows remote attackers to execute arbitrary PHP code by uploading. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 75.2%.

WordPress PHP File Upload +1
NVD Exploit-DB
EPSS 44% 4.8 CVSS 10.0
CRITICAL POC THREAT Emergency

Unrestricted file upload vulnerability in go_audiostore.php in the audiostore (Voice Files) upload functionality in GoAutoDial GoAdmin CE 3.x before 3.3-1421902800 allows remote attackers to execute. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 43.9%.

RCE PHP File Upload +1
NVD Exploit-DB
EPSS 35% 4.1 CVSS 7.5
HIGH POC PATCH THREAT Act Now

Unrestricted file upload vulnerability in sam-ajax-admin.php in the Simple Ads Manager plugin before 2.5.96 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 35.3%.

RCE WordPress PHP +2
NVD Exploit-DB
EPSS 1% CVSS 9.0
CRITICAL Act Now

Unrestricted file upload vulnerability in the Custom Prompts upload implementation in Cisco Unified MeetingPlace 8.6(1.9) allows remote authenticated users to execute arbitrary code by using the. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco RCE File Upload +1
NVD
EPSS 2% CVSS 7.5
HIGH This Week

Unrestricted file upload vulnerability in admin/uploadImage.html in SearchBlox before 8.2 allows remote attackers to execute arbitrary code by uploading a file with an executable extension and the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Searchblox
NVD
EPSS 2% CVSS 7.5
HIGH This Week

Unrestricted file upload vulnerability in app/lib/mlf.pl in C-BOARD Moyuku before 1.03b3 allows remote attackers to execute arbitrary code by uploading a file with a \0 character in its name. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload C Board Moyuku
NVD
EPSS 3% CVSS 10.0
CRITICAL Act Now

Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Metsys
NVD
EPSS 2% CVSS 6.5
MEDIUM POC This Month

Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for Wordpress allows remote authenticated users to execute arbitrary code by uploading a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE WordPress PHP +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unrestricted file upload vulnerability in the Avatar Uploader module before 6.x-1.3 for Drupal allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

PHP File Upload Avatar Uploader
NVD
EPSS 83% 5.8 CVSS 9.0
CRITICAL POC THREAT Emergency

Unrestricted file upload vulnerability in D-Link DCS-931L with firmware 1.04 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 82.9%.

RCE D-Link File Upload +1
NVD Exploit-DB
EPSS 4% CVSS 6.5
MEDIUM POC PATCH This Month

Unrestricted file upload vulnerability in asys/site/files.php in Adminsystems CMS before 4.0.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE PHP File Upload +1
NVD GitHub
EPSS 79% 5.4 CVSS 7.5
HIGH POC THREAT Act Now

Unrestricted file upload vulnerability in file_to_index.php in Maarch LetterBox 2.8 and earlier and GEC/GED 1.4 and earlier allows remote attackers to execute arbitrary PHP code by uploading a file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 79.2%.

PHP File Upload Gec Ged +1
NVD Exploit-DB
EPSS 81% 5.4 CVSS 7.5
HIGH POC THREAT Act Now

Unrestricted file upload vulnerability in admin/upload-file.php in the Holding Pattern theme (aka holding_pattern) 0.6 and earlier for WordPress allows remote attackers to execute arbitrary PHP code. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 81.2%.

WordPress PHP File Upload +1
NVD Exploit-DB
EPSS 2% CVSS 7.5
HIGH This Week

Unrestricted file upload vulnerability in Mrs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Bu2 Bbs
NVD
EPSS 2% CVSS 6.8
MEDIUM POC This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to hijack the authentication of administrators for requests that conduct (1). Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF File Upload PHP +3
NVD GitHub Exploit-DB
EPSS 9% CVSS 7.5
HIGH POC This Week

Unrestricted file upload vulnerability in ferretCMS 1.0.4-alpha allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Ferretcms
NVD GitHub Exploit-DB
EPSS 1% CVSS 6.5
MEDIUM This Month

Unrestricted file upload vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to execute arbitrary code by uploading and then accessing an. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Watch4Net +1
NVD
EPSS 4% CVSS 6.5
MEDIUM POC This Month

Unrestricted file upload vulnerability in admin/files/add in AdaptCMS 3.0.3 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection +2
NVD Exploit-DB
EPSS 83% 5.3 CVSS 6.5
MEDIUM POC PATCH THREAT This Month

Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 82.9%.

RCE WordPress PHP +2
NVD Exploit-DB
EPSS 77% 5.1 CVSS 6.4
MEDIUM POC THREAT This Month

Directory traversal vulnerability in pdmwService.exe in SolidWorks Workgroup PDM 2014 allows remote attackers to write to arbitrary files via a .. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 77.3%.

Path Traversal File Upload Product Data Management
NVD Exploit-DB
Prev Page 44 of 45 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy