Total
3127 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-25274 | 1 Xxyopen | 1 Novel-plus | 2025-04-02 | 9.8 Critical |
| An arbitrary file upload vulnerability in the component /sysFile/upload of Novel-Plus v4.3.0-RC1 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2024-22824 | 1 Auntvt | 1 Timo | 2025-04-02 | 9.8 Critical |
| An issue in Timo v.2.0.3 allows a remote attacker to execute arbitrary code via the filetype restrictions in the UploadController.java component. | ||||
| CVE-2022-47042 | 1 Mingsoft | 1 Mcms | 2025-04-02 | 8.8 High |
| MCMS v5.2.10 and below was discovered to contain an arbitrary file write vulnerability via the component ms/template/writeFileContent.do. | ||||
| CVE-2025-2005 | 2025-04-02 | 9.8 Critical | ||
| The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and including, 3.2.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2022-40037 | 1 Javaweb Blog Project | 1 Javaweb Blog | 2025-04-02 | 9.8 Critical |
| An issue discovered in Rawchen blog-ssm v1.0 allows remote attacker to escalate privileges and execute arbitrary commands via the component /upFile. | ||||
| CVE-2022-3478 | 1 Gitlab | 1 Gitlab | 2025-04-02 | 4.3 Medium |
| An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible to trigger a DoS attack by uploading a malicious nuget package. | ||||
| CVE-2024-32254 | 1 Phpgurukul | 1 Tourism Management System | 2025-04-02 | 8.8 High |
| Phpgurukul Tourism Management System v2.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via tms/admin/create-package.php. When creating a new package, there is no checks for what types of files are uploaded from the image. | ||||
| CVE-2024-32256 | 1 Phpgurukul | 1 Tourism Management System | 2025-04-02 | 8.1 High |
| Phpgurukul Tourism Management System v2.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via /tms/admin/change-image.php. When updating a current package, there are no checks for what types of files are uploaded from the image. | ||||
| CVE-2024-57169 | 1 Soplanning | 1 Soplanning | 2025-04-02 | 9.8 Critical |
| A file upload bypass vulnerability exists in SOPlanning 1.53.00, specifically in /process/upload.php. This vulnerability allows remote attackers to bypass upload restrictions and potentially achieve remote code execution by uploading malicious files. | ||||
| CVE-2024-8958 | 1 Composio | 1 Composio | 2025-04-01 | 9.8 Critical |
| In composiohq/composio version 0.4.3, there is an unrestricted file write and read vulnerability in the filetools actions. Due to improper validation of file paths, an attacker can read and write files anywhere on the server, potentially leading to privilege escalation or remote code execution. | ||||
| CVE-2025-2978 | 2025-04-01 | 6.3 Medium | ||
| A vulnerability was found in WCMS 11. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php?articleadmin/upload/?&CKEditor=container&CKEditorFuncNum=1 of the component Article Publishing Page. The manipulation of the argument Upload leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-2249 | 2025-04-01 | 8.8 High | ||
| The SoJ SoundSlides plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the soj_soundslides_options_subpanel() function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-31577 | 2025-04-01 | 6.6 Medium | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in appointify Appointify allows Upload a Web Shell to a Web Server. This issue affects Appointify: from n/a through 1.0.8. | ||||
| CVE-2025-3041 | 2025-04-01 | 6.3 Medium | ||
| A vulnerability classified as critical has been found in Project Worlds Online Time Table Generator 1.0. This affects an unknown part of the file /admin/updatestudent.php. The manipulation of the argument pic leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-2008 | 2025-04-01 | 8.8 High | ||
| The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-2891 | 2025-04-01 | 8.8 High | ||
| The Real Estate 7 WordPress theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the 'template-submit-listing.php' file in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with Seller-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible if front-end listing submission has been enabled. | ||||
| CVE-2025-3042 | 2025-04-01 | 6.3 Medium | ||
| A vulnerability classified as critical was found in Project Worlds Online Time Table Generator 1.0. This vulnerability affects unknown code of the file /student/updateprofile.php. The manipulation of the argument pic leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-3040 | 2025-04-01 | 6.3 Medium | ||
| A vulnerability was found in Project Worlds Online Time Table Generator 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/add_student.php. The manipulation of the argument pic leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-2606 | 1 Mayurik | 1 Best Church Management Software | 2025-04-01 | 6.3 Medium |
| A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/app/soulwinning_crud.php. The manipulation of the argument photo/photo1 leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-2607 | 1 Phplaozhang | 1 Lzcms-laozhangbokexitong | 2025-04-01 | 6.3 Medium |
| A vulnerability was found in phplaozhang LzCMS-LaoZhangBoKeXiTong up to 1.1.4. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/upload/upimage.html of the component HTTP POST Request Handler. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||