Total
3334 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-39019 | 1 M-files | 1 Hubshare | 2025-05-02 | 6.3 Medium |
| Broken access controls on PDFtron WebviewerUI in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to upload malicious files to the application server. | ||||
| CVE-2025-0520 | 1 Showdoc | 1 Showdoc | 2025-05-02 | N/A |
| An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to remote code execution.This issue affects ShowDoc: before 2.8.7. | ||||
| CVE-2022-27562 | 2025-05-02 | 4.6 Medium | ||
| Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications. | ||||
| CVE-2022-42449 | 2025-05-02 | 4.6 Medium | ||
| Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications | ||||
| CVE-2024-11390 | 1 Elastic | 1 Kibana | 2025-05-02 | 5.4 Medium |
| Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices. | ||||
| CVE-2022-3537 | 1 Addify | 1 Role Based Pricing For Woocommerce | 2025-05-01 | 8.8 High |
| The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP | ||||
| CVE-2022-39036 | 1 Flowring | 1 Agentflow | 2025-05-01 | 9.8 Critical |
| The file upload function of Agentflow BPM has insufficient filtering for special characters in URLs. An unauthenticated remote attacker can exploit this vulnerability to upload arbitrary file and execute arbitrary code to manipulate system or disrupt service. | ||||
| CVE-2022-44054 | 1 Democritus | 1 D8s-xml | 2025-05-01 | 9.8 Critical |
| The d8s-xml for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-utility package. The affected version of d8s-htm is 0.1.0. | ||||
| CVE-2022-43277 | 1 Canteen Management System Project | 1 Canteen Management System | 2025-05-01 | 7.2 High |
| Canteen Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via ip/youthappam/php_action/editFile.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. | ||||
| CVE-2022-40797 | 1 Roxyfileman | 1 Roxy Fileman | 2025-05-01 | 9.8 Critical |
| Roxy Fileman 1.4.6 allows Remote Code Execution via a .phar upload, because the default FORBIDDEN_UPLOADS value in conf.json only blocks .php, .php4, and .php5 files. (Visiting any .phar file invokes the PHP interpreter in some realistic web-server configurations.) | ||||
| CVE-2024-29514 | 1 Lepton-cms | 1 Leptoncms | 2025-05-01 | 8.8 High |
| File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file. | ||||
| CVE-2024-29515 | 1 Lepton-cms | 1 Leptoncms | 2025-05-01 | 8.8 High |
| File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file to the save.php and config.php component. | ||||
| CVE-2024-33120 | 2 Roothub, Roothub Project | 2 Roothub, Roothub | 2025-05-01 | 9.8 Critical |
| Roothub v2.5 was discovered to contain an arbitrary file upload vulnerability via the customPath parameter in the upload() function. This vulnerability allows attackers to execute arbitrary code via a crafted JSP file. | ||||
| CVE-2022-43146 | 1 Canteen Management System Project | 1 Canteen Management System | 2025-05-01 | 7.2 High |
| An arbitrary file upload vulnerability in the image upload function of Canteen Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | ||||
| CVE-2022-43074 | 1 Ayacms Project | 1 Ayacms | 2025-05-01 | 9.8 Critical |
| AyaCMS v3.1.2 was discovered to contain an arbitrary file upload vulnerability via the component /admin/fst_upload.inc.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. | ||||
| CVE-2024-39865 | 1 Siemens | 1 Sinema Remote Connect Server | 2025-05-01 | 8.8 High |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows users to upload encrypted backup files. As part of this backup, files can be restored without correctly checking the path of the restored file. This could allow an attacker with access to the backup encryption key to upload malicious files, that could potentially lead to remote code execution. | ||||
| CVE-2024-28418 | 1 Webedition | 1 Webedition Cms | 2025-04-30 | 6.5 Medium |
| Webedition CMS 9.2.2.0 has a File upload vulnerability via /webEdition/we_cmd.php | ||||
| CVE-2018-15573 | 1 Reprisesoftware | 1 Reprise License Manager | 2025-04-30 | 8.8 High |
| An issue was discovered in Reprise License Manager (RLM) through 12.2BL2. Attackers can use the web interface to read and write data to any file on disk (as long as rlm.exe has access to it) via /goform/edit_lf_process with file content in the lfdata parameter and a pathname in the lf parameter. By default, the web interface is on port 5054, and does not require authentication. NOTE: the vendor has stated "We do not consider this a vulnerability. | ||||
| CVE-2025-3969 | 1 Code-projects | 1 News Publishing Site Dashboard | 2025-04-30 | 6.3 Medium |
| A vulnerability was found in codeprojects News Publishing Site Dashboard 1.0. It has been rated as critical. This issue affects some unknown processing of the file /edit-category.php of the component Edit Category Page. The manipulation of the argument category_image leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-3830 | 1 Kuangstudy | 1 Kuangsimplebbs | 2025-04-30 | 6.3 Medium |
| A vulnerability was found in kuangstudy KuangSimpleBBS 1.0. It has been declared as critical. Affected by this vulnerability is the function fileUpload of the file src/main/java/com/kuang/controller/QuestionController.java. The manipulation of the argument editormd-image-file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||