CWE-434 — Unrestricted Upload of File with Dangerous Type
3,921 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434 (page 33 of 79)
- CVE-2022-44760 | MEDIUM | CVSS 4.6 | EG 4.6 | 2025-04-24
Unsafe default file type filter policy in HCL Leap allows execution of unsafe JavaScript in deployed applications.
- CVE-2022-45009 | HIGH | CVSS 7.2 | EG 7.2 | 2022-12-07
Online Leave Management System v1.0 was discovered to contain an arbitrary file upload vulnerability at /leave_system/classes/SystemSettings.php?f=update_settings. This vulnerability allows attackers to execute arbitrary code via a crafted…
- CVE-2022-45039 | HIGH | CVSS 7.2 | EG 7.2 | 2022-11-25
An arbitrary file upload vulnerability in the Server Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary code via a crafted PHP file.
- CVE-2022-4506 | HIGH | CVSS 8.8 | EG 8.8 | 2022-12-15
Unrestricted Upload of File with Dangerous Type in GitHub repository openemr/openemr prior to 7.0.0.2.
- CVE-2022-45171 | HIGH | CVSS 8.8 | EG 8.8 | 2024-05-28
An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Unrestricted Upload of a File with a Dangerous Type can occur under the vShare web site section. A remote user, authenticated to the product, can arbitrarily upload po…
- CVE-2022-45275 | HIGH | CVSS 7.2 | EG 7.2 | 2022-12-12
An arbitrary file upload vulnerability in /queuing/admin/ajax.php?action=save_settings of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.
- CVE-2022-45338 | HIGH | CVSS 7.8 | EG 7.8 | 2022-12-15
An arbitrary file upload vulnerability in the profile picture upload function of Exact Synergy Enterprise 267 before 267SP13 and Exact Synergy Enterprise 500 before 500SP6 allows attackers to execute arbitrary code via a crafted SVG file.
- CVE-2022-45359 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-06
Unauthenticated Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards premium plugin <= 3.19.0 on WordPress.
- CVE-2022-45377 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-12-21
Unrestricted Upload of File with Dangerous Type vulnerability in Glen Don L. Mongaya Drag and Drop Multiple File Upload for WooCommerce. This issue affects Drag and Drop Multiple File Upload for WooCommerce: from n/a through 1.0.8.
- CVE-2022-45415 | HIGH | CVSS 7.8 | EG 7.8 | 2022-12-22
When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran…
- CVE-2022-45427 | HIGH | CVSS 7.2 | EG 7.2 | 2022-12-27
Some Dahua software products have a vulnerability of unrestricted upload of file. After obtaining the permissions of administrators, by sending a specific crafted packet to the vulnerable interface, an attacker can upload arbitrary files.
- CVE-2022-45476 | CRITICAL | CVSS 9.8 | EG 8.8 | 2022-11-25
Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.
- CVE-2022-45527 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-02-08
File upload vulnerability in Future-Depth Institutional Management Website (IMS) 1.0, allows unauthorized attackers to directly upload malicious files to the courseimg directory.
- CVE-2022-45548 | HIGH | CVSS 8.8 | EG 8.8 | 2022-12-06
AyaCMS v3.1.2 has an Arbitrary File Upload vulnerability.
- CVE-2022-45759 | HIGH | CVSS 8.8 | EG 8.8 | 2022-12-12
SENS v1.0 has a file upload vulnerability.
- CVE-2022-45771 | HIGH | CVSS 8.8 | EG 8.8 | 2022-12-05
An issue in the /api/audits component of Pwndoc v0.5.3 allows attackers to escalate privileges and execute arbitrary code via uploading a crafted audit file.
- CVE-2022-45802 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-05-01
Streampark allows any user to upload a jar as an application, but there is no mandatory verification of the uploaded file type, so users can upload high-risk files and may upload them to any directory. Users of the affected versio…
- CVE-2022-45896 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-25
Planet eStream before 6.72.10.07 allows unauthenticated upload of arbitrary files: Choose a Video / Related Media or Upload Document. Upload2.ashx can be used, or Ajax.asmx/ProcessUpload2. This leads to remote code execution.
- CVE-2022-45912 | HIGH | CVSS 7.2 | EG 7.2 | 2022-12-05
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. Remote code execution can occur through ClientUploader by an authenticated admin user. An authenticated admin user can upload files through the ClientUploader utility, a…
- CVE-2022-45966 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-22
There is an arbitrary file upload vulnerability in the file management function module of Classcms3.5.
- CVE-2022-45968 | HIGH | CVSS 8.8 | EG 8.8 | 2022-12-12
Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one).
- CVE-2022-46020 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-20
WBCE CMS v1.5.4 allows an attacker to obtain a web shell (getshell) by modifying the permitted upload file types.
- CVE-2022-46102 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-22
AyaCMS 3.1.2 is vulnerable to Arbitrary file upload via /aya/module/admin/fst_down.inc.php
- CVE-2022-46135 | HIGH | CVSS 7.2 | EG 9.8 | 2022-12-16
In AeroCms v0.0.1, there is an arbitrary file upload vulnerability at /admin/posts.php?source=edit_post, through which we can upload a webshell and control the web server.
- CVE-2022-46493 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-22
Default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img.
- CVE-2022-46604 | HIGH | CVSS 8.8 | EG 8.8 | 2023-02-02
An issue in Tecrail Responsive FileManager v9.9.5 and below allows attackers to bypass the file extension check mechanism and upload a crafted PHP file, leading to arbitrary code execution.
- CVE-2022-46610 | HIGH | CVSS 8.8 | EG 8.8 | 2023-01-10
72crm v9 was discovered to contain an arbitrary file upload vulnerability via the avatar upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
- CVE-2022-4665 | HIGH | CVSS 8.8 | EG 8.8 | 2022-12-23
Unrestricted Upload of File with Dangerous Type in GitHub repository ampache/ampache prior to 5.5.6.
- CVE-2022-46660 | HIGH | CVSS 7.5 | EG 6.5 | 2023-01-18
An unauthorized user could alter or write files with full control over the path and content of the file.
- CVE-2022-46828 | MEDIUM | CVSS 5.2 | EG 7.8 | 2022-12-08
In JetBrains IntelliJ IDEA before 2022.3 a DYLIB injection on macOS was possible.
- CVE-2022-46839 | CRITICAL | CVSS 10.0 | EG 10.0 | 2024-01-05
Unrestricted Upload of File with Dangerous Type vulnerability in JS Help Desk – Best Help Desk & Support Plugin. This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.1.
- CVE-2022-46899 | HIGH | CVSS 7.5 | EG 7.5 | 2023-07-25
An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is Arbitrary File Upload. The BaseController class, that each of the service controllers derives from, allows for the upload of arbitrary files. If the…
- CVE-2022-47042 | HIGH | CVSS 8.8 | EG 8.8 | 2023-01-26
MCMS v5.2.10 and below was discovered to contain an arbitrary file write vulnerability via the component ms/template/writeFileContent.do.
- CVE-2022-47186 | HIGH | CVSS 7.5 | EG 7.5 | 2023-09-28
There is an unrestricted upload of file vulnerability in Generex CS141 below 2.06 version. An attacker could upload and/or delete any type of file, without any format restriction and without any authentication, in the "upload" directory.
- CVE-2022-47190 | CRITICAL | CVSS 10.0 | EG 9.8 | 2023-03-31
Generex UPS CS141 below 2.06 version, could allow a remote attacker to upload a firmware file containing a webshell that could allow him to execute arbitrary code as root.
- CVE-2022-47191 | MEDIUM | CVSS 4.3 | EG 8.8 | 2023-03-31
Generex UPS CS141 below 2.06 version, could allow a remote attacker to upload a firmware file containing a file with modified permissions, allowing him to escalate privileges.
- CVE-2022-4732 | HIGH | CVSS 7.2 | EG 7.2 | 2022-12-27
Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2.
- CVE-2022-47615 | CRITICAL | CVSS 9.3 | EG 9.8 | 2023-01-26
Local File Inclusion vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
- CVE-2022-4774 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-05-15
The Bit Form WordPress plugin before 1.9 does not validate the file types uploaded via its file upload form field, allowing unauthenticated users to upload arbitrary file types such as PHP or HTML files to the server, leading to Remote C…
- CVE-2022-47766 | HIGH | CVSS 8.8 | EG 8.8 | 2023-01-19
PopojiCMS v2.0.1 backend plugin function has a file upload vulnerability.
- CVE-2022-47769 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-02-01
An arbitrary file write vulnerability in Serenissima Informatica Fast Checkin v1.0 allows unauthenticated attackers to upload malicious files in the web root of the application to gain access to the server via the web shell.
- CVE-2022-47854 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-01-31
i-librarian 4.10 is vulnerable to Arbitrary file upload in ajaxsupplement.php.
- CVE-2022-47878 | HIGH | CVSS 8.8 | EG 8.8 | 2023-05-02
Incorrect input validation for the default-storage-path in the settings page in Jedox 2020.2.5 allows remote, authenticated users to specify the location as Webroot directory. Consecutive file uploads can lead to the execution of arbitrary…
- CVE-2022-47893 | CRITICAL | CVSS 10.0 | EG 10.0 | 2023-10-03
There is a remote code execution vulnerability that affects all versions of NetMan 204. A remote attacker could upload a firmware file containing a webshell, that could allow him to execute arbitrary code as root.
- CVE-2022-48006 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-01-30
An arbitrary file upload vulnerability in taocms v3.0.2 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is exploited via manipulation of the upext variable at /include/Model/Upload.php.
- CVE-2022-48008 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-01-27
An arbitrary file upload vulnerability in the plugin manager of LimeSurvey v5.4.15 allows attackers to execute arbitrary code via a crafted PHP file.
- CVE-2022-48079 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-02-02
Monnai aaPanel host system v1.5 contains an access control issue which allows attackers to escalate privileges and execute arbitrary code via uploading a crafted PHP file to the virtual host directory of the system.
- CVE-2022-48194 | HIGH | CVSS 8.8 | EG 8.8 | 2022-12-30
TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) by uploading a crafted firmware update because the signature check is inadequate.
- CVE-2022-4949 | HIGH | CVSS 8.8 | EG 8.8 | 2023-06-07
The AdSanity plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_upload' function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers with Co…
- CVE-2022-50893 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-01-13
VIAVIWEB Wallpaper Admin 1.0 contains an unauthenticated remote code execution vulnerability in the image upload functionality. Attackers can upload a malicious PHP file through the add_gallery_image.php endpoint to execute arbitrary code …
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.