Export limit exceeded: 10499 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (3983 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-39352 | 1 Catchplugins | 1 Catch Themes Demo Import | 2025-02-14 | 7.2 High |
| The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload malicious files that can be used to achieve remote code execution. | ||||
| CVE-2024-25802 | 1 Skinsoft | 1 S-museum | 2025-02-14 | 9.8 Critical |
| SKINsoft S-Museum 7.02.3 allows Unrestricted File Upload via the Add Media function. Unlike in CVE-2024-25801, the attack payload is the file content. | ||||
| CVE-2024-27964 | 1 Gesundheit-bewegt | 1 Zippy | 2025-02-14 | 8.8 High |
| Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy.This issue affects Zippy: from n/a through 1.6.9. | ||||
| CVE-2023-0670 | 1 Ulearn Project | 1 Ulearn | 2025-02-13 | 7.2 High |
| Ulearn version a5a7ca20de859051ea0470542844980a66dfc05d allows an attacker with administrator permissions to obtain remote code execution on the server through the image upload functionality. This occurs because the application does not validate that the uploaded image is actually an image. | ||||
| CVE-2025-22132 | 1 Wegia | 1 Wegia | 2025-02-13 | 8.3 High |
| WeGIA is a web manager for charitable institutions. A Cross-Site Scripting (XSS) vulnerability was identified in the file upload functionality of the WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. By uploading a file containing malicious JavaScript code, an attacker can execute arbitrary scripts in the context of a victim's browser. This can lead to information theft, session hijacking, and other forms of client-side exploitation. This vulnerability is fixed in 3.2.7. | ||||
| CVE-2024-23946 | 1 Apache | 1 Ofbiz | 2025-02-13 | 5.3 Medium |
| Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue. | ||||
| CVE-2023-5360 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2025-02-13 | 9.8 Critical |
| The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE. | ||||
| CVE-2023-31428 | 1 Broadcom | 1 Brocade Fabric Operating System | 2025-02-13 | 5.5 Medium |
| Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability in the command line that could allow a local user to dump files under user's home directory using grep. | ||||
| CVE-2023-27602 | 1 Apache | 1 Linkis | 2025-02-13 | 9.8 Critical |
| In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2. For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties `wds.linkis.workspace.filesystem.owner.check=true` `wds.linkis.workspace.filesystem.path.check=true` | ||||
| CVE-2023-0265 | 1 Uvdesk | 1 Community-skeleton | 2025-02-13 | 8.8 High |
| Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers. | ||||
| CVE-2023-39147 | 1 Webkul | 1 Uvdesk | 2025-02-13 | 7.8 High |
| An arbitrary file upload vulnerability in Uvdesk 1.1.3 allows attackers to execute arbitrary code via uploading a crafted image file. | ||||
| CVE-2022-32114 | 1 Strapi | 1 Strapi | 2025-02-13 | 8.8 High |
| An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be able to upload PDF files containing JavaScript, and that all files in a public assets folder are accessible to the outside world (unless the filename begins with a dot character). The administrator can choose to allow only image, video, and audio files (i.e., not PDF) if desired. | ||||
| CVE-2023-26857 | 1 Dynamic Transaction Queuing System Project | 1 Dynamic Transaction Queuing System | 2025-02-13 | 7.2 High |
| An arbitrary file upload vulnerability in /admin/ajax.php?action=save_uploads of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | ||||
| CVE-2024-37273 | 2 Homebrew, Jan | 2 Jan, Jan | 2025-02-13 | 9.8 Critical |
| An arbitrary file upload vulnerability in the /v1/app/appendFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2024-36858 | 1 Homebrew | 1 Jan | 2025-02-13 | 9.8 Critical |
| An arbitrary file upload vulnerability in the /v1/app/writeFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2024-36774 | 1 Monstra | 1 Monstra | 2025-02-13 | 7.2 High |
| An arbitrary file upload vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary code via uploading a crafted PHP file. | ||||
| CVE-2024-34913 | 2 Rubinchu, Technocking | 2 R-pan-scaffolding, R-pan-scaffolding | 2025-02-13 | 5.4 Medium |
| An arbitrary file upload vulnerability in r-pan-scaffolding v5.0 and below allows attackers to execute arbitrary code via uploading a crafted PDF file. | ||||
| CVE-2024-34909 | 1 Kykms | 1 Kykms | 2025-02-13 | 9.8 Critical |
| An arbitrary file upload vulnerability in KYKMS v1.0.1 and below allows attackers to execute arbitrary code via uploading a crafted PDF file. | ||||
| CVE-2024-34906 | 1 Dootask | 1 Dootask | 2025-02-13 | 6.3 Medium |
| An arbitrary file upload vulnerability in dootask v0.30.13 allows attackers to execute arbitrary code via uploading a crafted PDF file. | ||||
| CVE-2022-45171 | 1 Liveboxcloud | 1 Vdesk | 2025-02-13 | 8.8 High |
| An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Unrestricted Upload of a File with a Dangerous Type can occur under the vShare web site section. A remote user, authenticated to the product, can arbitrarily upload potentially dangerous files without restrictions. | ||||