CWE-434: Unrestricted Upload of File with Dangerous Type
3,951 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-434 (page 66 of 80)
- CVE-2025-26498 | HIGH | CVSS 7.3 | EG 7.3 | 2025-08-22
  Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (establish-connection-no-undo modules) allows Absolute Path Traversal. This issue affects Tableau Server: before 2025.1.3, before 2…
- CVE-2025-2671 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-03-23
  A vulnerability was found in Yue Lao Blind Box 月老盲盒 up to 4.0. It has been declared as critical. This vulnerability affects the function base64image of the file /app/controller/Upload.php. The manipulation of the argument data lead…
- CVE-2025-26776 | CRITICAL | CVSS 10.0 | EG 10.0 | 2025-02-22
  Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Chaty Pro allows Upload a Web Shell to a Web Server. This issue affects Chaty Pro: from n/a through 3.3.3.
- CVE-2025-2687 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-03-24
  A vulnerability classified as critical has been found in PHPGurukul eLearning System 1.0. Affected is an unknown function of the file /user/index.php of the component Image Handler. The manipulation leads to unrestricted upload. It is poss…
- CVE-2025-26872 | CRITICAL | CVSS 9.9 | EG 9.9 | 2025-05-19
  Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Eximius allows Using Malicious Files. This issue affects Eximius: from n/a through 2.2.
- CVE-2025-26892 | CRITICAL | CVSS 9.9 | EG 9.9 | 2025-05-19
  Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Celestial Aura allows Using Malicious Files. This issue affects Celestial Aura: from n/a through 2.2.
- CVE-2025-26927 | CRITICAL | CVSS 10.0 | EG 10.0 | 2025-04-15
  Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes AI Hub aihub allows Upload a Web Shell to a Web Server. This issue affects AI Hub: from n/a through <= 1.3.7.
- CVE-2025-2702 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-03-24
  A vulnerability, which was classified as critical, has been found in Softwin WMX3 3.1. This issue affects the function ImageAdd of the file /ImageAdd.ashx. The manipulation of the argument File leads to unrestricted upload. The attack may …
- CVE-2025-2705 | HIGH | CVSS 7.3 | EG 7.3 | 2025-03-24
  A vulnerability classified as critical has been found in Digiwin ERP 5.1. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible…
- CVE-2025-2706 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-03-24
  A vulnerability classified as critical was found in Digiwin ERP 5.0.1. Affected by this vulnerability is an unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx. The manipulation of the argument File leads to unrestricted uplo…
- CVE-2025-27082 | HIGH | CVSS 7.2 | EG 7.2 | 2025-04-08
  Arbitrary File Write vulnerabilities exist in the web-based management interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an Authenticated attacker to upload arbit…
- CVE-2025-27127 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-07-08
  A vulnerability has been identified in TIA Project-Server (All versions < V2.1.1), TIA Project-Server V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Porta…
- CVE-2025-27282 | CRITICAL | CVSS 9.9 | EG 9.9 | 2025-04-17
  Unrestricted Upload of File with Dangerous Type vulnerability in rockgod100 Theme File Duplicator theme-file-duplicator allows Using Malicious Files. This issue affects Theme File Duplicator: from n/a through <= 1.3.
- CVE-2025-27411 | MEDIUM | CVSS 5.4 | EG 5.4 | 2025-03-05
  REDAXO is a PHP-based CMS. In Redaxo before 5.18.3, the mediapool/media page is vulnerable to arbitrary file upload. This vulnerability is fixed in 5.18.3.
- CVE-2025-2748 | MEDIUM | CVSS 6.1 | EG 6.5 | 2025-03-24
  The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS. This issue affects Kentico Xperience through 13.0.178.
- CVE-2025-2749 | HIGH | CVSS 7.2 | EG 9.0 | ⚠ KEV | 2025-03-24
  An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content tha…
- CVE-2025-27683 | HIGH | CVSS 8.8 | EG 8.8 | 2025-03-05
  Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 1.0.735 Application 20.0.1330 allows Driver Unrestricted Upload of File with Dangerous Type V-2022-006.
- CVE-2025-27692 | MEDIUM | CVSS 4.7 | EG 4.7 | 2025-04-02
  Dell Wyse Management Suite, versions prior to WMS 5.1, contains an Unrestricted Upload of File with Dangerous Type vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Denial…
- CVE-2025-27714 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-08-21
  An attacker could exploit this vulnerability by uploading arbitrary files via a specific endpoint, leading to unauthorized remote code execution or system compromise.
- CVE-2025-2780 | HIGH | CVSS 8.8 | EG 9.8 | 2025-04-04
  The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up to, and including, 5.4.21. This makes it p…
- CVE-2025-28168 | MEDIUM | CVSS 6.4 | EG 4.3 | 2025-05-05
  The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload …
- CVE-2025-2819 | MEDIUM | CVSS 6.6 | EG 6.6 | 2025-03-26
  There is a risk of unauthorized file uploads in GT-SoftControl and potential file overwrites due to insufficient validation in the file selection process. This could lead to data integrity issues and unauthorized access by an authenticated…
- CVE-2025-2891 | HIGH | CVSS 8.8 | EG 8.8 | 2025-04-01
  The Real Estate 7 WordPress theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the 'template-submit-listing.php' file in all versions up to, and including, 3.5.4. This makes it possible for …
- CVE-2025-28915 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-03-11
  Unrestricted Upload of File with Dangerous Type vulnerability in Theme Egg ThemeEgg ToolKit themeegg-toolkit allows Upload a Web Shell to a Web Server. This issue affects ThemeEgg ToolKit: from n/a through <= 1.2.9.
- CVE-2025-28951 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-07-04
  Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image bulk-featured-image allows Upload a Web Shell to a Web Server. This issue affects Bulk Featured Image: from n/a through <= 1.2.4.
- CVE-2025-29009 | CRITICAL | CVSS 10.0 | EG 10.0 | 2025-07-16
  Unrestricted Upload of File with Dangerous Type vulnerability in Webkul Medical Prescription Attachment Plugin for WooCommerce medical-prescription-attachment-plugin-for-woocommerce allows Upload a Web Shell to a Web Server. This issue affe…
- CVE-2025-29017 | HIGH | CVSS 8.8 | EG 8.8 | 2025-04-10
  A Remote Code Execution (RCE) vulnerability exists in Code Astro Internet Banking System 2.0.0 due to improper file upload validation in the profile_pic parameter within pages_view_client.php.
- CVE-2025-29093 | HIGH | CVSS 8.2 | EG 8.2 | 2025-06-04
  File Upload vulnerability in Motivian Content Management System v.41.0.0 allows a remote attacker to execute arbitrary code via the Content/Gallery/Images component.
- CVE-2025-29287 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-04-21
  An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2025-29394 | HIGH | CVSS 8.1 | EG 8.1 | 2025-04-09
  An insecure permissions vulnerability in verydows v2.0 allows a remote attacker to execute arbitrary code by uploading a file type.
- CVE-2025-29405 | MEDIUM | CVSS 6.3 | EG 5.7 | 2025-03-19
  An arbitrary file upload vulnerability in the component /admin/template.php of emlog pro 2.5.0 and pro 2.5.* allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2025-29411 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-03-20
  An arbitrary file upload vulnerability in the Client Profile Update section of Mart Developers iBanking v2.0.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2025-2952 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-03-30
  A vulnerability classified as critical was found in Bluestar Micro Mall 1.0. Affected by this vulnerability is an unknown functionality of the file /api/api.php?mod=upload&type=1. The manipulation of the argument File leads to unrestricted…
- CVE-2025-2973 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-03-31
  A vulnerability, which was classified as critical, was found in code-projects College Management System 1.0. This affects an unknown part of the file /Admin/student.php. The manipulation of the argument profile_image leads to unrestricted …
- CVE-2025-2978 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-03-31
  A vulnerability was found in WCMS 11. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php?articleadmin/upload/?&CKEditor=container&CKEditorFuncNum=1 of the component Article Publishing…
- CVE-2025-30131 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-06-26
  An issue was discovered on IROAD Dashcam FX2 devices. An unauthenticated file upload endpoint can be leveraged to execute arbitrary commands by uploading a CGI-based webshell. Once a file is uploaded, the attacker can execute commands with…
- CVE-2025-30169 | MEDIUM | CVSS 6.7 | EG 6.7 | 2025-05-22
  File upload and execute vulnerabilities in ASPECT allow PHP script injection if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: thro…
- CVE-2025-30173 | MEDIUM | CVSS 6.7 | EG 6.7 | 2025-05-22
  File upload vulnerabilities are present in ASPECT if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
- CVE-2025-3040 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-03-31
  A vulnerability was found in Project Worlds Online Time Table Generator 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/add_student.php. The manipulation of the argument pic leads…
- CVE-2025-3041 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-04-01
  A vulnerability classified as critical has been found in Project Worlds Online Time Table Generator 1.0. This affects an unknown part of the file /admin/updatestudent.php. The manipulation of the argument pic leads to unrestricted upload. …
- CVE-2025-3042 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-04-01
  A vulnerability classified as critical was found in Project Worlds Online Time Table Generator 1.0. This vulnerability affects unknown code of the file /student/updateprofile.php. The manipulation of the argument pic leads to unrestricted …
- CVE-2025-3054 | HIGH | CVSS 8.8 | EG 8.8 | 2025-06-05
  The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated …
- CVE-2025-30933 | CRITICAL | CVSS 10.0 | EG 10.0 | 2025-07-04
  Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes LogisticsHub logistics-hub allows Upload a Web Shell to a Web Server. This issue affects LogisticsHub: from n/a through <= 1.1.6.
- CVE-2025-30996 | CRITICAL | CVSS 9.9 | EG 9.9 | 2026-01-06
  Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Sidepane WordPress Theme, Themify Themify Newsy, Themify Themify Folo, Themify Themify Edmin, Themify Bloggie, Themify Photobox, Themify Wigi, Themify Rezo, T…
- CVE-2025-31002 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-04-09
  Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze squeeze allows Using Malicious Files. This issue affects Squeeze: from n/a through <= 1.6.
- CVE-2025-31048 | CRITICAL | CVSS 9.9 | EG 9.9 | 2026-01-05
  Unrestricted Upload of File with Dangerous Type vulnerability in Themify Shopo allows Upload a Web Shell to a Web Server. This issue affects Shopo: from n/a through 1.1.4.
- CVE-2025-31100 | CRITICAL | CVSS 9.9 | EG 9.9 | 2025-08-31
  Unrestricted Upload of File with Dangerous Type vulnerability in Mojoomla School Management allows Upload a Web Shell to a Web Server. This issue affects School Management: from n/a through 1.93.1 (02-07-2025).
- CVE-2025-3123 | MEDIUM | CVSS 4.7 | EG 4.7 | 2025-04-02
  A vulnerability, which was classified as critical, has been found in WonderCMS 3.5.0. Affected by this issue is the function installUpdateModuleAction of the component Theme Installation/Plugin Installation. The manipulation leads to unres…
- CVE-2025-3125 | MEDIUM | CVSS 6.7 | EG 6.7 | 2025-11-05
  An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to …
- CVE-2025-31324 | CRITICAL | CVSS 10.0 | EG 10.0 | ⚠ KEV | 2025-04-24
  SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significa…