Export limit exceeded: 359063 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (4119 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-58298 | 1 Bmc | 1 Compuware Istrobe Web | 2026-04-15 | N/A |
| Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the 'fileName' parameter to upload a web shell and execute arbitrary commands by sending POST requests to the uploaded JSP endpoint. | ||||
| CVE-2021-47904 | 1 Phreesoft | 1 Phreebookserp | 2026-04-15 | 8.8 High |
| PhreeBooks 5.2.3 contains an authenticated file upload vulnerability in the Image Manager that allows remote code execution. Attackers can upload a malicious PHP web shell by exploiting unrestricted file type uploads to gain command execution on the server. | ||||
| CVE-2021-47899 | 1 Mfscripts | 1 Yetishare | 2026-04-15 | 4 Medium |
| YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the url_upload_handler endpoint to access sensitive files like /etc/passwd by using file:/// protocol. | ||||
| CVE-2025-22213 | 2026-04-15 | N/A | ||
| Inadequate checks in the Media Manager allowed users with "edit" privileges to change file extension to arbitrary extension, including .php and other potentially executable extensions. | ||||
| CVE-2025-9561 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider() handler in versions 3.8.1 to 3.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2020-36973 | 1 Michalc | 1 Pdw File Browser | 2026-04-15 | 6.5 Medium |
| PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. Attackers can upload a .txt webshell, rename it to .php, and move it to accessible directories using double-encoded path traversal techniques. | ||||
| CVE-2024-2334 | 2 Envato, Wordpress | 2 Template Kit - Import, Wordpress | 2026-04-15 | 6.4 Medium |
| The Template Kit – Import plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template upload functionality in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-52302 | 2026-04-15 | N/A | ||
| common-user-management is a robust Spring Boot application featuring user management services designed to control user access dynamically. There is a critical security vulnerability in the application endpoint /api/v1/customer/profile-picture. This endpoint allows file uploads without proper validation or restrictions, enabling attackers to upload malicious files that can lead to Remote Code Execution (RCE). | ||||
| CVE-2025-62065 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Rometheme RTMKit rometheme-for-elementor.This issue affects RTMKit: from n/a through <= 1.6.5. | ||||
| CVE-2025-60235 | 3 Plugify, Woocommerce, Wordpress | 3 Helpdesk Support Ticket System For Woocommerce, Woocommerce, Wordpress | 2026-04-15 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Plugify Support Ticket System for WooCommerce (Premium) support-ticket-system-for-woocommerce allows Using Malicious Files.This issue affects Support Ticket System for WooCommerce (Premium): from n/a through <= 2.0.7. | ||||
| CVE-2025-22470 | 1 Sato | 4 Cl4nx-j Plus, Cl4nx Plus, Cl6nx-j Plus and 1 more | 2026-04-15 | N/A |
| CL4/6NX Plus and CL4/6NX-J Plus (Japan model) with the firmware versions prior to 1.15.5-r1 allow crafted dangerous files to be uploaded. An arbitrary Lua script may be executed on the system with the root privilege. | ||||
| CVE-2024-6127 | 1 Bcsecurity | 1 Empire | 2026-04-15 | 9.8 Critical |
| BC Security Empire before 5.9.3 is vulnerable to a path traversal issue that can lead to remote code execution. A remote, unauthenticated attacker can exploit this vulnerability over HTTP by acting as a normal agent, completing all cryptographic handshakes, and then triggering an upload of payload data containing a malicious path. | ||||
| CVE-2024-6313 | 2 Nikolaystrikhar, Wordpress | 2 Gutenberg Forms, Wordpress | 2026-04-15 | 9.8 Critical |
| The Gutenberg Forms plugin for WordPress is vulnerable to arbitrary file uploads due to the users can specify the allowed file types in the 'upload' function in versions up to, and including, 2.2.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-6314 | 1 Rogermacrae | 1 Iq-testimonials | 2026-04-15 | 9.8 Critical |
| The IQ Testimonials plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'process_image_upload' function in versions up to, and including, 2.2.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can only be exploited if the 'gd' php extension is not loaded on the server. | ||||
| CVE-2024-41577 | 1 Productinfoquick | 1 Productinfoquick | 2026-04-15 | 9.8 Critical |
| An arbitrary file upload vulnerability in the Ueditor component of productinfoquick v1.0 allows attackers to execute arbitrary code via uploading a crafted PNG file. | ||||
| CVE-2023-7309 | 2026-04-15 | N/A | ||
| A path traversal vulnerability exists in the Dahua Smart Park Integrated Management Platform (also referred to as the Dahua Smart Campus Integrated Management Platform), affecting the SOAP-based GIS bitmap upload interface. The flaw allows unauthenticated remote attackers to upload arbitrary files to the server via crafted SOAP requests, including executable JSP payloads. Successful exploitation may lead to remote code execution (RCE) and full compromise of the affected system. The vulnerability is presumed to affect builds released prior to September 2023 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-02-15 UTC. | ||||
| CVE-2024-37424 | 2026-04-15 | 9.9 Critical | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Automattic Newspack Blocks allows Upload a Web Shell to a Web Server.This issue affects Newspack Blocks: from n/a through 3.0.8. | ||||
| CVE-2024-2636 | 2026-04-15 | 9 Critical | ||
| An Unrestricted Upload of File vulnerability has been found on Cegid Meta4 HR, that allows an attacker to upload malicios files to the server via '/config/espanol/update_password.jsp' file. Modifying the 'M4_NEW_PASSWORD' parameter, an attacker could store a malicious JSP file inside the file directory, to be executed the the file is loaded in the application. | ||||
| CVE-2025-62050 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogmatic blogmatic.This issue affects Blogmatic: from n/a through <= 1.0.3. | ||||
| CVE-2025-62047 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Case-Themes Case Addons case-addons.This issue affects Case Addons: from n/a through < 1.3.0. | ||||