File Upload
Monthly
Unrestricted file upload in iJason-Liu Books_Manager allows authenticated attackers with high privileges to upload arbitrary files via the book_cover parameter in the upload_bookCover.php controller. Public exploit code exists for this vulnerability, increasing the risk of exploitation. A patch is not currently available for this rolling-release product.
Unrestricted file upload in PHPGurukul News Portal 1.0's profile picture handler allows remote attackers to upload arbitrary files with high-level privileges. Public exploit code exists for this vulnerability, and no patch is currently available. An authenticated attacker could potentially upload malicious files to compromise the application or underlying system.
Unrestricted file upload in code-projects Online Examination System 1.0 via the /admin_pic.php endpoint allows authenticated remote attackers to upload arbitrary files with minimal complexity. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable code execution or system compromise depending on server configuration and file handling.
Xpro Elementor Addons WordPress plugin has an unrestricted file upload allowing attackers to upload dangerous file types through the Elementor builder integration.
g-FFL Checkout WordPress plugin has an unrestricted file upload vulnerability allowing attackers to upload web shells for remote code execution.
Farost Energia WordPress plugin allows unrestricted file upload enabling attackers to upload web shells and achieve remote code execution on the WordPress server.
Solvera Software Services Trade Inc. Teknoera is affected by unrestricted upload of file with dangerous type (CVSS 8.1).
HAMASTAR MeetingHub has an arbitrary file upload vulnerability allowing unauthenticated remote attackers to upload web shells and achieve full server compromise.
Horilla is a free and open source Human Resource Management System (HRMS). [CVSS 4.3 MEDIUM]
Horilla versions up to 1.5.0 contains a vulnerability that allows attackers to deploy phishing attacks (CVSS 8.0).
Authenticated staff users in Saleor e-commerce platform versions 3.0.0 through 3.22.26 can upload malicious HTML and SVG files containing JavaScript that execute in users' browsers when served from the same domain as the dashboard, potentially allowing token theft. An attacker with staff privileges could craft script injections to compromise other staff members' sessions and access tokens. This vulnerability affects deployments where media files are hosted on the same domain as the dashboard and patches are available in versions 3.20.108, 3.21.43, and 3.22.27.
Remote code execution in BROWAN COMMUNICATIONS PrismX MX100 AP controller allows high-privileged remote attackers to upload arbitrary files and execute web shell backdoors without user interaction. This vulnerability affects administrators with elevated credentials and enables complete compromise of the affected access point. No patch is currently available to remediate this issue.
HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. [CVSS 3.1 LOW]
Aion versions up to 2.0 contains a vulnerability that allows attackers to malicious file uploads, potentially resulting in unauthorized code execution or (CVSS 2.7).
Mpay versions up to 1.2.4 contain an unrestricted file upload vulnerability in the QR Code Image Handler component via the codeimg parameter, allowing remote attackers with high privileges to upload arbitrary files. Public exploit code exists for this vulnerability, though no patch is currently available. The attack requires administrative credentials but carries moderate risk with potential impacts to confidentiality, integrity, and availability.
Unrestricted file upload in lwj flow's SVG File Handler (FormResource.java) allows authenticated remote attackers to upload arbitrary files due to insufficient input validation on the File parameter. Public exploit code exists for this vulnerability, and the maintainers have not yet released a patch despite early notification. Affected installations using Java should restrict file upload functionality until an update is available.
Unrestricted file upload in EyouCMS versions up to 1.7.1/5.0 allows authenticated remote attackers to upload arbitrary files through manipulation of the viewfile parameter in the Member Avatar Handler component. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An authenticated attacker could leverage this to upload malicious files and potentially achieve remote code execution.
Unrestricted file upload in Teamwork Management System (TMS) versions up to 2.28.0 allows authenticated attackers to upload malicious files by manipulating the filename parameter in the FileController. Public exploit code exists for this vulnerability, and no patch is currently available, creating significant risk for organizations using affected versions.
Omnispace Agora Project (before 25.10) allows RCE through crafted PDF upload that exploits the ImageMagick MSL engine via the thumbnail function.
Agora-Project versions up to 25.10 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. [CVSS 7.2 HIGH]
Pega Customer Service Framework versions 8.7.0 versions up to 25.1.0 is affected by unrestricted upload of file with dangerous type.
Hub v2.0 property management system allows unauthenticated arbitrary file upload via /utils/uploadFile. Malicious PDF files can be uploaded and may achieve code execution.
Director versions up to 25.2.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Operation And Maintenance Security Management System versions up to 3.0.8. is affected by improper access control (CVSS 7.3).
A vulnerability was found in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/editsite.php. [CVSS 4.7 MEDIUM]
Corpkit WordPress theme (through 2.0) allows unauthenticated web shell upload via unrestricted file type upload.
Contentstudio WordPress plugin (through 1.3.7) allows unauthenticated web shell upload, enabling immediate server compromise.
A file upload vulnerability in ARIS 10.0.23.0.3587512 allows attackers to execute arbitrary code via uploading a crafted PDF file/Malware [CVSS 6.8 MEDIUM]
In Aris v10.0.23.0.3587512 and before, the file upload functionality does not enforce any rate limiting or throttling, allowing users to upload files at an unrestricted rate. [CVSS 6.5 MEDIUM]
House Rental And Property Listing Project versions up to 1.0 is affected by improper access control (CVSS 7.3).
Multiple Themify WordPress themes (Sidepane, Newsy, Folo, Edmin, Bloggie, Photobox, Wigi, Rezo, Slide) allow authenticated users to upload web shells. Low privileges sufficient, scope change to OS-level code execution. Affects 9 themes simultaneously.
Media File Renamer WordPress plugin (through 5.7.7) by Meow Apps allows administrators to upload files with dangerous types, achieving OS-level code execution with scope change. While admin access is required, the scope break makes this critical.
Themify Shopo WordPress theme (through 1.1.4) allows authenticated users to upload web shells. Despite requiring low-level authentication, the scope change to CVSS 9.9 means any subscriber account can achieve full server compromise.
QOCA aim AI Medical Cloud Platform developed by Quanta Computer has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. [CVSS 8.8 HIGH]
Online Product Reservation System versions up to 1.0 is affected by improper access control (CVSS 6.3).
Unrestricted file upload in code-projects CMS 1.0 via the image parameter in /admin/edit_posts.php allows authenticated administrators to upload arbitrary files remotely. Public exploit code exists for this vulnerability, though a patch is not yet available. The issue affects PHP-based installations and requires high-level privileges to exploit.
Unrestricted file upload in PHPGurukul Online Course Registration versions up to 3.1 allows authenticated attackers to upload arbitrary files through the student profile photo parameter in /admin/edit-student-profile.php. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with login credentials can exploit this remotely to potentially execute malicious code or compromise the application.
A vulnerability was identified in jackying H-ui.admin versions up to 3.1. is affected by improper access control (CVSS 7.3).
A vulnerability has been found in EmpireSoft EmpireCMS up to 8.0. Impacted is the function CheckSaveTranFiletype of the file e/class/connect.php. [CVSS 6.3 MEDIUM]
A vulnerability has been found in xnx3 wangmarket up to 6.4. The impacted element is the function uploadImage of the file /sits/uploadImage.do of the component XML File Handler. [CVSS 4.7 MEDIUM]
A security vulnerability has been detected in campcodes School File Management System 1.0. The affected element is an unknown function of the file /save_file.php. [CVSS 6.3 MEDIUM]
A vulnerability was determined in newbee-mall-plus 2.0.0. This impacts the function Upload of the file src/main/java/ltd/newbee/mall/controller/common/UploadController.java of the component Product Information Edit Page. This manipulation of the argument File causes unrestricted upload. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
A security flaw has been discovered in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/edit.php of the component Site Logo Handler. Performing a manipulation of the argument image results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through <= 8.7.3.
A security vulnerability has been detected in code-projects College Notes Uploading System 1.0. Impacted is an unknown function of the file /dashboard/userprofile.php. The manipulation of the argument image leads to unrestricted upload. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
A security flaw has been discovered in code-projects/anirbandutta9 Content Management System and News-Buzz 1.0. This vulnerability affects unknown code of the file /admin/editposts.php. Performing manipulation of the argument image results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be exploited.
A flaw has been found in ChenJinchuang Lin-CMS-TP5 up to 0.3.3. This vulnerability affects the function Upload of the file application/lib/file/LocalUploader.php of the component File Upload Handler. Executing manipulation of the argument File can lead to code injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Unrestricted file upload in jackq XCMS allows high-privilege authenticated users to upload arbitrary files via the ProductImageController component, with publicly available exploit code disclosed. Despite a CVSS score of 2.0 reflecting the high authentication requirement (PR:H), the vulnerability enables authenticated administrators to bypass intended upload restrictions and potentially achieve remote code execution by uploading malicious files. The vendor has been informed via public issue report but has not yet responded with a fix.
A flaw has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. This impacts an unknown function of the file Public/javascripts/admin/plupload-2.1.2/examples/upload.php. This manipulation causes unrestricted upload. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Remote code execution in Specto CM versions before 17032025 allows authenticated attackers to upload files with dangerous types, leading to arbitrary code inclusion on the server. The flaw, tracked as CVE-2025-2155 and reported by Turkey's USOM CERT, carries a high CVSS score of 8.8 and stems from missing validation on uploaded file types. No public exploit identified at time of analysis, and the EPSS exploitation probability remains low at 0.07%.
Unauthenticated file upload vulnerability in code-projects Student File Management System 1.0 allows authenticated remote attackers to bypass file upload restrictions via manipulation of the File parameter in /save_file.php, despite the CVSS v4.0 score of 2.1 reflecting only low confidentiality, integrity, and availability impact with no scope change. The exploit is publicly available and the low EPSS score (0.09%, 25th percentile) suggests limited real-world exploitation attempts despite public disclosure.
Arbitrary code execution in Umbraco CMS 16.3.3 is claimed via upload of a crafted PDF file that abuses insufficient file-type validation (CWE-434), potentially leading to server-side code execution. The finding is explicitly DISPUTED by Umbraco, which states that enforcing upload validation is the deploying administrator's responsibility per documentation, mirroring the earlier CVE-2023-49279. No public exploit is confirmed and EPSS is low (0.50%, 39th percentile), so despite the nominal CVSS 10.0 this reflects a contested, configuration-dependent condition rather than a proven turnkey RCE.
Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on it) lets attackers upload a crafted XML/SVG file through the Attachments module that runs attacker-controlled script when a victim views it. Tagged as XSS/RCE/File Upload with a publicly available exploit code, though EPSS remains low at 0.44% (35th percentile) and it is not on CISA KEV. The CVSS 9.6 rating reflects a scope-changing, user-interaction-dependent attack rather than direct server-side compromise.
ChestnutCMS up to version 1.5.8 allows authenticated remote attackers to upload arbitrary files by manipulating the File argument in the FilenameUtils.getExtension function of the /dev-api/common/upload endpoint. The vulnerability bypasses filename extension validation in the Filename Handler component, enabling unrestricted file uploads with low integrity and confidentiality impact. Publicly available exploit code exists; however, the low EPSS score (0.06%) and requirement for prior authentication significantly limit real-world exploitation risk compared to the CVSS base score.
Unauthenticated arbitrary file upload vulnerability in File Uploader for WooCommerce (WordPress plugin versions ≤1.0.3) enables remote code execution. Missing file type validation in the 'add-image-data' REST API endpoint allows attackers to upload malicious files to Uploadcare service and retrieve them to the web server, achieving code execution without authentication. Exploitation requires no user interaction or special privileges (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis.
Unrestricted file upload in SourceCodester Client Database Management System 1.0 via the /user_leads.php endpoint in the Leads Generation Module allows authenticated remote attackers to upload arbitrary files. The vulnerability requires valid user credentials (PR:L in CVSS v4.0) but carries low confidentiality, integrity, and availability impact per the vector. Public exploit code exists, and EPSS score of 0.06% suggests minimal real-world exploitation despite public availability, likely due to the authenticated requirement limiting attack surface.
Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal.This issue affects WP Webhooks: from n/a through <= 3.3.8.
Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files.This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through <= 3.0.0.
Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FNT Command 13.4.0 is vulnerable to Directory Traversal. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unrestricted file upload in Computer Laboratory System 1.0 via the technical_staff_pic.php file allows high-privilege users to upload arbitrary files to the server. The vulnerability requires administrator-level access (PR:H) and affects confidentiality, integrity, and availability with low impact scope. Publicly available exploit code exists; however, the EPSS score of 0.07% (21st percentile) and high-privilege requirement significantly limit real-world exploitation risk compared to the CVSS 2.0 baseline.
Unrestricted file upload in Computer Laboratory System 1.0 via the admin_pic.php image parameter allows high-privilege authenticated users to upload arbitrary files remotely, with publicly available proof-of-concept code demonstrating exploitation. Despite the CVSS 2.0 score reflecting the high authentication barrier (PR:H), the vulnerability enables attackers with admin credentials to bypass upload restrictions and potentially establish persistence or execute malicious code on the server.
A flaw has been found in campcodes Online Student Enrollment System 1.0. This impacts an unknown function of the file /admin/register.php. Executing a manipulation of the argument photo can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used.
Unrestricted file upload in campcodes Online Student Enrollment System 1.0 allows high-privileged authenticated users to upload arbitrary files via the userphoto parameter in /admin/index.php?page=user-profile, potentially enabling remote code execution or data exfiltration. Public exploit code is available, though the vulnerability's real-world impact is limited by the requirement for administrative credentials and low CVSS/EPSS scores.
Authenticated arbitrary file upload in Infility Global WordPress plugin versions ≤2.14.42 permits remote code execution. The upload_file function accepts spoofed MIME types without verifying file extensions, while import_data lacks capability checks, allowing subscriber-level users to upload malicious files (e.g., PHP webshells) to the server. CVSS:3.1 score 8.8 (High) reflects network-accessible, low-complexity exploitation requiring only low-privilege authentication. No public exploit identified at time of analysis. EPSS 0.35% indicates low observed exploitation activity.
Unrestricted file upload in SourceCodester Real Estate Property Listing App 1.0 allows high-privileged authenticated users to upload arbitrary files via the image parameter in /admin/property.php, potentially leading to remote code execution. The vulnerability affects only administrators or high-privilege accounts due to PR:H requirements, but public exploit code exists and EPSS scoring indicates low real-world exploitation probability (0.07th percentile).
Unrestricted file upload in baowzh hfly allows authenticated remote attackers to upload arbitrary files via manipulation of the imgFile parameter in /Public/Kindeditor/php/upload_json.php. The vulnerability affects rolling-release versions up to commit 638ff9abe9078bc977c132b37acbe1900b63491c, carries low overall risk (CVSS 2.1, EPSS 0.07%), and has publicly available exploit code but requires authenticated access, significantly limiting real-world exploitability compared to unauthenticated file upload scenarios.
A critical authentication bypass and path traversal vulnerability in PipesHub AI platform allows unauthenticated remote attackers to upload files with directory traversal sequences, enabling arbitrary file writes anywhere the service account has permissions. This vulnerability affects PipesHub versions prior to 0.1.0-beta and has a publicly available proof-of-concept exploit, making it an immediate priority for organizations using this enterprise search and workflow automation platform. With a CVSS score of 9.8 and the ability to plant malicious code or overwrite critical files, this represents a severe risk to affected systems.
Arbitrary code execution in LeptonCMS 7.3.0 lets an authenticated attacker upload a crafted ZIP or PHP file that bypasses the application's missing file-type validation and runs as server-side PHP. Publicly available exploit code (three PoC write-ups) exists, though the flaw is not listed in CISA KEV and EPSS is low (0.66%, 47th percentile), indicating no evidence of widespread active exploitation yet. Exploitation requires a valid low-privilege account (PR:L), placing this in the post-authentication RCE category.
A vulnerability was found in Yottamaster DM2, DM3 and DM200 up to 1.2.23/1.9.12. Affected by this issue is some unknown functionality of the component File Upload. Performing manipulation results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
A security vulnerability has been detected in ORICO CD3510 1.9.12. This affects an unknown function of the component File Upload. The manipulation leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_running.php. Executing a manipulation of the argument product_image can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.
A flaw has been found in Verysync 微力同步 up to 2.21.3. This impacts an unknown function of the file /rest/f/api/resources/f96956469e7be39d/tmp/text.txt?override=false of the component Web Administration Module. Executing manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A security flaw has been discovered in code-projects Employee Profile Management System 1.0. Impacted is an unknown function of the file /profiling/add_file_query.php. The manipulation of the argument per_file results in unrestricted upload. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Flexsense DiskBoss 7.7.14 allows unauthenticated attackers to upload arbitrary files via /Command/Search Files/Directory field, leading to a denial of service by crashing the application.
zdh_web is a data collection, processing, monitoring, scheduling, and management platform. In zdh_web thru 5.6.17, insufficient validation of file upload paths in the application allows an authenticated user to write arbitrary files to the server file system, potentially overwriting existing files and leading to privilege escalation or remote code execution.
File upload vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store arbitrary files on the filesystem.
The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the cstu_update_post() function in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The PostGallery plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'PostGalleryUploader' class functions in all versions up to, and including, 1.12.5. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The E-POINT CMS eagle.gsam-1169.1 file upload feature improperly handles nested archive files. An attacker can upload a nested ZIP (a ZIP containing another ZIP) where the inner archive contains an executable file (e.g. webshell.php). When the application extracts the uploaded archives, the executable may be extracted into a web-accessible directory. This can lead to remote code execution (RCE), data disclosure, account compromise, or further system compromise depending on the web server/process privileges. The issue arises from insufficient validation of archive contents and inadequate restrictions on extraction targets.
An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass.
Unrestricted file upload in iJason-Liu Books_Manager allows authenticated attackers with high privileges to upload arbitrary files via the book_cover parameter in the upload_bookCover.php controller. Public exploit code exists for this vulnerability, increasing the risk of exploitation. A patch is not currently available for this rolling-release product.
Unrestricted file upload in PHPGurukul News Portal 1.0's profile picture handler allows remote attackers to upload arbitrary files with high-level privileges. Public exploit code exists for this vulnerability, and no patch is currently available. An authenticated attacker could potentially upload malicious files to compromise the application or underlying system.
Unrestricted file upload in code-projects Online Examination System 1.0 via the /admin_pic.php endpoint allows authenticated remote attackers to upload arbitrary files with minimal complexity. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable code execution or system compromise depending on server configuration and file handling.
Xpro Elementor Addons WordPress plugin has an unrestricted file upload allowing attackers to upload dangerous file types through the Elementor builder integration.
g-FFL Checkout WordPress plugin has an unrestricted file upload vulnerability allowing attackers to upload web shells for remote code execution.
Farost Energia WordPress plugin allows unrestricted file upload enabling attackers to upload web shells and achieve remote code execution on the WordPress server.
Solvera Software Services Trade Inc. Teknoera is affected by unrestricted upload of file with dangerous type (CVSS 8.1).
HAMASTAR MeetingHub has an arbitrary file upload vulnerability allowing unauthenticated remote attackers to upload web shells and achieve full server compromise.
Horilla is a free and open source Human Resource Management System (HRMS). [CVSS 4.3 MEDIUM]
Horilla versions up to 1.5.0 contains a vulnerability that allows attackers to deploy phishing attacks (CVSS 8.0).
Authenticated staff users in Saleor e-commerce platform versions 3.0.0 through 3.22.26 can upload malicious HTML and SVG files containing JavaScript that execute in users' browsers when served from the same domain as the dashboard, potentially allowing token theft. An attacker with staff privileges could craft script injections to compromise other staff members' sessions and access tokens. This vulnerability affects deployments where media files are hosted on the same domain as the dashboard and patches are available in versions 3.20.108, 3.21.43, and 3.22.27.
Remote code execution in BROWAN COMMUNICATIONS PrismX MX100 AP controller allows high-privileged remote attackers to upload arbitrary files and execute web shell backdoors without user interaction. This vulnerability affects administrators with elevated credentials and enables complete compromise of the affected access point. No patch is currently available to remediate this issue.
HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. [CVSS 3.1 LOW]
Aion versions up to 2.0 contains a vulnerability that allows attackers to malicious file uploads, potentially resulting in unauthorized code execution or (CVSS 2.7).
Mpay versions up to 1.2.4 contain an unrestricted file upload vulnerability in the QR Code Image Handler component via the codeimg parameter, allowing remote attackers with high privileges to upload arbitrary files. Public exploit code exists for this vulnerability, though no patch is currently available. The attack requires administrative credentials but carries moderate risk with potential impacts to confidentiality, integrity, and availability.
Unrestricted file upload in lwj flow's SVG File Handler (FormResource.java) allows authenticated remote attackers to upload arbitrary files due to insufficient input validation on the File parameter. Public exploit code exists for this vulnerability, and the maintainers have not yet released a patch despite early notification. Affected installations using Java should restrict file upload functionality until an update is available.
Unrestricted file upload in EyouCMS versions up to 1.7.1/5.0 allows authenticated remote attackers to upload arbitrary files through manipulation of the viewfile parameter in the Member Avatar Handler component. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An authenticated attacker could leverage this to upload malicious files and potentially achieve remote code execution.
Unrestricted file upload in Teamwork Management System (TMS) versions up to 2.28.0 allows authenticated attackers to upload malicious files by manipulating the filename parameter in the FileController. Public exploit code exists for this vulnerability, and no patch is currently available, creating significant risk for organizations using affected versions.
Omnispace Agora Project (before 25.10) allows RCE through crafted PDF upload that exploits the ImageMagick MSL engine via the thumbnail function.
Agora-Project versions up to 25.10 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. [CVSS 7.2 HIGH]
Pega Customer Service Framework versions 8.7.0 versions up to 25.1.0 is affected by unrestricted upload of file with dangerous type.
Hub v2.0 property management system allows unauthenticated arbitrary file upload via /utils/uploadFile. Malicious PDF files can be uploaded and may achieve code execution.
Director versions up to 25.2.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Operation And Maintenance Security Management System versions up to 3.0.8. is affected by improper access control (CVSS 7.3).
A vulnerability was found in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/editsite.php. [CVSS 4.7 MEDIUM]
Corpkit WordPress theme (through 2.0) allows unauthenticated web shell upload via unrestricted file type upload.
Contentstudio WordPress plugin (through 1.3.7) allows unauthenticated web shell upload, enabling immediate server compromise.
A file upload vulnerability in ARIS 10.0.23.0.3587512 allows attackers to execute arbitrary code via uploading a crafted PDF file/Malware [CVSS 6.8 MEDIUM]
In Aris v10.0.23.0.3587512 and before, the file upload functionality does not enforce any rate limiting or throttling, allowing users to upload files at an unrestricted rate. [CVSS 6.5 MEDIUM]
House Rental And Property Listing Project versions up to 1.0 is affected by improper access control (CVSS 7.3).
Multiple Themify WordPress themes (Sidepane, Newsy, Folo, Edmin, Bloggie, Photobox, Wigi, Rezo, Slide) allow authenticated users to upload web shells. Low privileges sufficient, scope change to OS-level code execution. Affects 9 themes simultaneously.
Media File Renamer WordPress plugin (through 5.7.7) by Meow Apps allows administrators to upload files with dangerous types, achieving OS-level code execution with scope change. While admin access is required, the scope break makes this critical.
Themify Shopo WordPress theme (through 1.1.4) allows authenticated users to upload web shells. Despite requiring low-level authentication, the scope change to CVSS 9.9 means any subscriber account can achieve full server compromise.
QOCA aim AI Medical Cloud Platform developed by Quanta Computer has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. [CVSS 8.8 HIGH]
Online Product Reservation System versions up to 1.0 is affected by improper access control (CVSS 6.3).
Unrestricted file upload in code-projects CMS 1.0 via the image parameter in /admin/edit_posts.php allows authenticated administrators to upload arbitrary files remotely. Public exploit code exists for this vulnerability, though a patch is not yet available. The issue affects PHP-based installations and requires high-level privileges to exploit.
Unrestricted file upload in PHPGurukul Online Course Registration versions up to 3.1 allows authenticated attackers to upload arbitrary files through the student profile photo parameter in /admin/edit-student-profile.php. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with login credentials can exploit this remotely to potentially execute malicious code or compromise the application.
A vulnerability was identified in jackying H-ui.admin versions up to 3.1. is affected by improper access control (CVSS 7.3).
A vulnerability has been found in EmpireSoft EmpireCMS up to 8.0. Impacted is the function CheckSaveTranFiletype of the file e/class/connect.php. [CVSS 6.3 MEDIUM]
A vulnerability has been found in xnx3 wangmarket up to 6.4. The impacted element is the function uploadImage of the file /sits/uploadImage.do of the component XML File Handler. [CVSS 4.7 MEDIUM]
A security vulnerability has been detected in campcodes School File Management System 1.0. The affected element is an unknown function of the file /save_file.php. [CVSS 6.3 MEDIUM]
A vulnerability was determined in newbee-mall-plus 2.0.0. This impacts the function Upload of the file src/main/java/ltd/newbee/mall/controller/common/UploadController.java of the component Product Information Edit Page. This manipulation of the argument File causes unrestricted upload. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
A security flaw has been discovered in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/edit.php of the component Site Logo Handler. Performing a manipulation of the argument image results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through <= 8.7.3.
A security vulnerability has been detected in code-projects College Notes Uploading System 1.0. Impacted is an unknown function of the file /dashboard/userprofile.php. The manipulation of the argument image leads to unrestricted upload. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
A security flaw has been discovered in code-projects/anirbandutta9 Content Management System and News-Buzz 1.0. This vulnerability affects unknown code of the file /admin/editposts.php. Performing manipulation of the argument image results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be exploited.
A flaw has been found in ChenJinchuang Lin-CMS-TP5 up to 0.3.3. This vulnerability affects the function Upload of the file application/lib/file/LocalUploader.php of the component File Upload Handler. Executing manipulation of the argument File can lead to code injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Unrestricted file upload in jackq XCMS allows high-privilege authenticated users to upload arbitrary files via the ProductImageController component, with publicly available exploit code disclosed. Despite a CVSS score of 2.0 reflecting the high authentication requirement (PR:H), the vulnerability enables authenticated administrators to bypass intended upload restrictions and potentially achieve remote code execution by uploading malicious files. The vendor has been informed via public issue report but has not yet responded with a fix.
A flaw has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. This impacts an unknown function of the file Public/javascripts/admin/plupload-2.1.2/examples/upload.php. This manipulation causes unrestricted upload. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Remote code execution in Specto CM versions before 17032025 allows authenticated attackers to upload files with dangerous types, leading to arbitrary code inclusion on the server. The flaw, tracked as CVE-2025-2155 and reported by Turkey's USOM CERT, carries a high CVSS score of 8.8 and stems from missing validation on uploaded file types. No public exploit identified at time of analysis, and the EPSS exploitation probability remains low at 0.07%.
Unauthenticated file upload vulnerability in code-projects Student File Management System 1.0 allows authenticated remote attackers to bypass file upload restrictions via manipulation of the File parameter in /save_file.php, despite the CVSS v4.0 score of 2.1 reflecting only low confidentiality, integrity, and availability impact with no scope change. The exploit is publicly available and the low EPSS score (0.09%, 25th percentile) suggests limited real-world exploitation attempts despite public disclosure.
Arbitrary code execution in Umbraco CMS 16.3.3 is claimed via upload of a crafted PDF file that abuses insufficient file-type validation (CWE-434), potentially leading to server-side code execution. The finding is explicitly DISPUTED by Umbraco, which states that enforcing upload validation is the deploying administrator's responsibility per documentation, mirroring the earlier CVE-2023-49279. No public exploit is confirmed and EPSS is low (0.50%, 39th percentile), so despite the nominal CVSS 10.0 this reflects a contested, configuration-dependent condition rather than a proven turnkey RCE.
Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on it) lets attackers upload a crafted XML/SVG file through the Attachments module that runs attacker-controlled script when a victim views it. Tagged as XSS/RCE/File Upload with a publicly available exploit code, though EPSS remains low at 0.44% (35th percentile) and it is not on CISA KEV. The CVSS 9.6 rating reflects a scope-changing, user-interaction-dependent attack rather than direct server-side compromise.
ChestnutCMS up to version 1.5.8 allows authenticated remote attackers to upload arbitrary files by manipulating the File argument in the FilenameUtils.getExtension function of the /dev-api/common/upload endpoint. The vulnerability bypasses filename extension validation in the Filename Handler component, enabling unrestricted file uploads with low integrity and confidentiality impact. Publicly available exploit code exists; however, the low EPSS score (0.06%) and requirement for prior authentication significantly limit real-world exploitation risk compared to the CVSS base score.
Unauthenticated arbitrary file upload vulnerability in File Uploader for WooCommerce (WordPress plugin versions ≤1.0.3) enables remote code execution. Missing file type validation in the 'add-image-data' REST API endpoint allows attackers to upload malicious files to Uploadcare service and retrieve them to the web server, achieving code execution without authentication. Exploitation requires no user interaction or special privileges (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis.
Unrestricted file upload in SourceCodester Client Database Management System 1.0 via the /user_leads.php endpoint in the Leads Generation Module allows authenticated remote attackers to upload arbitrary files. The vulnerability requires valid user credentials (PR:L in CVSS v4.0) but carries low confidentiality, integrity, and availability impact per the vector. Public exploit code exists, and EPSS score of 0.06% suggests minimal real-world exploitation despite public availability, likely due to the authenticated requirement limiting attack surface.
Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal.This issue affects WP Webhooks: from n/a through <= 3.3.8.
Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files.This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through <= 3.0.0.
Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FNT Command 13.4.0 is vulnerable to Directory Traversal. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unrestricted file upload in Computer Laboratory System 1.0 via the technical_staff_pic.php file allows high-privilege users to upload arbitrary files to the server. The vulnerability requires administrator-level access (PR:H) and affects confidentiality, integrity, and availability with low impact scope. Publicly available exploit code exists; however, the EPSS score of 0.07% (21st percentile) and high-privilege requirement significantly limit real-world exploitation risk compared to the CVSS 2.0 baseline.
Unrestricted file upload in Computer Laboratory System 1.0 via the admin_pic.php image parameter allows high-privilege authenticated users to upload arbitrary files remotely, with publicly available proof-of-concept code demonstrating exploitation. Despite the CVSS 2.0 score reflecting the high authentication barrier (PR:H), the vulnerability enables attackers with admin credentials to bypass upload restrictions and potentially establish persistence or execute malicious code on the server.
A flaw has been found in campcodes Online Student Enrollment System 1.0. This impacts an unknown function of the file /admin/register.php. Executing a manipulation of the argument photo can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used.
Unrestricted file upload in campcodes Online Student Enrollment System 1.0 allows high-privileged authenticated users to upload arbitrary files via the userphoto parameter in /admin/index.php?page=user-profile, potentially enabling remote code execution or data exfiltration. Public exploit code is available, though the vulnerability's real-world impact is limited by the requirement for administrative credentials and low CVSS/EPSS scores.
Authenticated arbitrary file upload in Infility Global WordPress plugin versions ≤2.14.42 permits remote code execution. The upload_file function accepts spoofed MIME types without verifying file extensions, while import_data lacks capability checks, allowing subscriber-level users to upload malicious files (e.g., PHP webshells) to the server. CVSS:3.1 score 8.8 (High) reflects network-accessible, low-complexity exploitation requiring only low-privilege authentication. No public exploit identified at time of analysis. EPSS 0.35% indicates low observed exploitation activity.
Unrestricted file upload in SourceCodester Real Estate Property Listing App 1.0 allows high-privileged authenticated users to upload arbitrary files via the image parameter in /admin/property.php, potentially leading to remote code execution. The vulnerability affects only administrators or high-privilege accounts due to PR:H requirements, but public exploit code exists and EPSS scoring indicates low real-world exploitation probability (0.07th percentile).
Unrestricted file upload in baowzh hfly allows authenticated remote attackers to upload arbitrary files via manipulation of the imgFile parameter in /Public/Kindeditor/php/upload_json.php. The vulnerability affects rolling-release versions up to commit 638ff9abe9078bc977c132b37acbe1900b63491c, carries low overall risk (CVSS 2.1, EPSS 0.07%), and has publicly available exploit code but requires authenticated access, significantly limiting real-world exploitability compared to unauthenticated file upload scenarios.
A critical authentication bypass and path traversal vulnerability in PipesHub AI platform allows unauthenticated remote attackers to upload files with directory traversal sequences, enabling arbitrary file writes anywhere the service account has permissions. This vulnerability affects PipesHub versions prior to 0.1.0-beta and has a publicly available proof-of-concept exploit, making it an immediate priority for organizations using this enterprise search and workflow automation platform. With a CVSS score of 9.8 and the ability to plant malicious code or overwrite critical files, this represents a severe risk to affected systems.
Arbitrary code execution in LeptonCMS 7.3.0 lets an authenticated attacker upload a crafted ZIP or PHP file that bypasses the application's missing file-type validation and runs as server-side PHP. Publicly available exploit code (three PoC write-ups) exists, though the flaw is not listed in CISA KEV and EPSS is low (0.66%, 47th percentile), indicating no evidence of widespread active exploitation yet. Exploitation requires a valid low-privilege account (PR:L), placing this in the post-authentication RCE category.
A vulnerability was found in Yottamaster DM2, DM3 and DM200 up to 1.2.23/1.9.12. Affected by this issue is some unknown functionality of the component File Upload. Performing manipulation results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
A security vulnerability has been detected in ORICO CD3510 1.9.12. This affects an unknown function of the component File Upload. The manipulation leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_running.php. Executing a manipulation of the argument product_image can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.
A flaw has been found in Verysync 微力同步 up to 2.21.3. This impacts an unknown function of the file /rest/f/api/resources/f96956469e7be39d/tmp/text.txt?override=false of the component Web Administration Module. Executing manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A security flaw has been discovered in code-projects Employee Profile Management System 1.0. Impacted is an unknown function of the file /profiling/add_file_query.php. The manipulation of the argument per_file results in unrestricted upload. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Flexsense DiskBoss 7.7.14 allows unauthenticated attackers to upload arbitrary files via /Command/Search Files/Directory field, leading to a denial of service by crashing the application.
zdh_web is a data collection, processing, monitoring, scheduling, and management platform. In zdh_web thru 5.6.17, insufficient validation of file upload paths in the application allows an authenticated user to write arbitrary files to the server file system, potentially overwriting existing files and leading to privilege escalation or remote code execution.
File upload vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store arbitrary files on the filesystem.
The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the cstu_update_post() function in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The PostGallery plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'PostGalleryUploader' class functions in all versions up to, and including, 1.12.5. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The E-POINT CMS eagle.gsam-1169.1 file upload feature improperly handles nested archive files. An attacker can upload a nested ZIP (a ZIP containing another ZIP) where the inner archive contains an executable file (e.g. webshell.php). When the application extracts the uploaded archives, the executable may be extracted into a web-accessible directory. This can lead to remote code execution (RCE), data disclosure, account compromise, or further system compromise depending on the web server/process privileges. The issue arises from insufficient validation of archive contents and inadequate restrictions on extraction targets.
An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass.