Total
3305 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-34100 | 2025-07-15 | N/A | ||
| An unrestricted file upload vulnerability exists in BuilderEngine 3.5.0 via the integration of the elFinder 2.0 file manager and its use of the jQuery File Upload plugin. The plugin fails to properly validate or restrict file types or locations during upload operations, allowing an attacker to upload a malicious .php file and subsequently execute arbitrary PHP code on the server under the context of the web server process. While the root vulnerability lies within the jQuery File Upload component, BuilderEngine’s improper integration and lack of access controls expose this functionality to unauthenticated users, resulting in full remote code execution. | ||||
| CVE-2020-36849 | 1 Wordpress | 1 Wordpress | 2025-07-15 | 9.8 Critical |
| The AIT CSV import/export plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php file in versions up to, and including, 3.0.3. This makes it possible for unauthorized attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | ||||
| CVE-2025-6423 | 1 Wordpress | 1 Wordpress | 2025-07-15 | 8.8 High |
| The BeeTeam368 Extensions plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_submit_upload_file() function in all versions up to, and including, 2.3.5. This makes it possible for authenticated attackers with Subscriber-level access or higher to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-7487 | 2025-07-15 | 6.3 Medium | ||
| A vulnerability, which was classified as critical, was found in JoeyBling SpringBoot_MyBatisPlus up to a6a825513bd688f717dbae3a196bc9c9622fea26. This affects the function SysFileController of the file /file/upload. The manipulation of the argument portraitFile leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | ||||
| CVE-2024-56052 | 1 Wordpress | 1 Wordpress | 2025-07-15 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a before 1.9.9.5.2. | ||||
| CVE-2025-49885 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2025-07-14 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in HaruTheme Drag and Drop Multiple File Upload (Pro) - WooCommerce allows Upload a Web Shell to a Web Server. This issue affects Drag and Drop Multiple File Upload (Pro) - WooCommerce: from n/a through 5.0.6. | ||||
| CVE-2025-49414 | 1 Wordpress | 1 Wordpress | 2025-07-14 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Gallery allows Using Malicious Files. This issue affects FW Gallery: from n/a through 8.0.0. | ||||
| CVE-2025-26776 | 1 Wordpress | 1 Wordpress | 2025-07-14 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Chaty Pro allows Upload a Web Shell to a Web Server. This issue affects Chaty Pro: from n/a through 3.3.3. | ||||
| CVE-2025-6435 | 1 Mozilla | 1 Firefox | 2025-07-14 | 8.1 High |
| If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability affects Firefox < 140 and Thunderbird < 140. | ||||
| CVE-2024-2221 | 1 Qdrant | 1 Qdrant | 2025-07-14 | N/A |
| qdrant/qdrant is vulnerable to a path traversal and arbitrary file upload vulnerability via the `/collections/{COLLECTION}/snapshots/upload` endpoint, specifically through the `snapshot` parameter. This vulnerability allows attackers to upload and overwrite any file on the filesystem, leading to potential remote code execution. This issue affects the integrity and availability of the system, enabling unauthorized access and potentially causing the server to malfunction. | ||||
| CVE-2025-6802 | 1 Marvell | 1 Qconvergeconsole | 2025-07-14 | N/A |
| Marvell QConvergeConsole getFileFromURL Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getFileFromURL method. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-24922. | ||||
| CVE-2025-7075 | 1 Blackvue | 1 Dashcam 590x | 2025-07-13 | 6.3 Medium |
| A vulnerability was found in BlackVue Dashcam 590X up to 20250624. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /upload.cgi of the component HTTP Endpoint. The manipulation leads to unrestricted upload. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-7100 | 1 Boyun | 1 Boyuncms | 2025-07-13 | 6.3 Medium |
| A vulnerability was found in BoyunCMS up to 1.4.20 and classified as critical. Affected by this issue is some unknown functionality of the file /application/user/controller/Index.php. The manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-3835 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2025-07-13 | 9.6 Critical |
| Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior are vulnerable to Remote code execution in the Content Search module. | ||||
| CVE-2025-23968 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in WPCenter AiBud WP allows Upload a Web Shell to a Web Server.This issue affects AiBud WP: from n/a through 1.8.5. | ||||
| CVE-2025-30933 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes LogisticsHub allows Upload a Web Shell to a Web Server. This issue affects LogisticsHub: from n/a through 1.1.6. | ||||
| CVE-2025-28951 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image allows Upload a Web Shell to a Web Server. This issue affects Bulk Featured Image: from n/a through 1.2.1. | ||||
| CVE-2025-6586 | 2 Metagauss, Wordpress | 2 Download Plugin, Wordpress | 2025-07-13 | 7.2 High |
| The Download Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dpwap_plugin_locInstall function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-5322 | 3 E4j, E4jconnect, Wordpress | 3 Vikrentcar Car Rental Management System, Vikrentcar, Wordpress | 2025-07-13 | 7.2 High |
| The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the do_updatecar and createcar functions in all versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. | ||||
| CVE-2025-46490 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in wordwebsoftware Crossword Compiler Puzzles allows Upload a Web Shell to a Web Server. This issue affects Crossword Compiler Puzzles: from n/a through 5.2. | ||||