Skip to main content

Product Directory Enterprise Compliance Pulse AI Analyst Compare Docs

Login Start Free

Loading...

Cloud security intelligence for modern infrastructure.

Stay informed

📬 Product updates & blog posts🛡️ CVE & vendor advisory alerts

Frequency:

Sent from noreply@echelongraph.io · Unsubscribe anytime

Product

Overview
Enterprise
Agents
AI Analyst
Pricing
Compare
vs. Competitors

Resources

CVE Pulse
Compliance Directory
Newsletter
Documentation
Readiness Calculator
Blog

Security Tools

Surface Scanner
AI Security Index
AI Threat Map
Shadow AI Radar
KEV-Exposure Radar
Exposed Data-Stores
Leaked Credentials
Shadow Engine Map

Company

Design Partners
Changelog
Contact
Responsible Disclosure

Legal

Privacy
Terms
Security
DPA

© 2026 EchelonGraph, Inc. All rights reserved.

SOC 2 Type IIISO 27001GDPRHIPAA Ready

Home›CVE Pulse›CWE-434

CWE-434— Unrestricted Upload of File with Dangerous Type

3,976 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →

CVEs classified under CWE-434page 71 of 80

CVE-2025-5322HIGHCVSS 7.2EG 7.2
2025-07-03
The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the do_updatecar and createcar functions in all versions up to, and including, 1.4.3. This make…
CVE-2025-53251CRITICALCVSS 9.9EG 9.9
2025-08-21
Unrestricted Upload of File with Dangerous Type vulnerability in An-Themes Pin WP pin-wp allows Upload a Web Shell to a Web Server.This issue affects Pin WP: from n/a through < 7.2.
CVE-2025-53260CRITICALCVSS 9.1EG 9.1
2025-06-27
Unrestricted Upload of File with Dangerous Type vulnerability in getredhawkstudio File Manager Plugin For Wordpress file-manager-plugin-for-wordpress allows Upload a Web Shell to a Web Server.This issue affects File Manager Plugin For Word…
CVE-2025-53283CRITICALCVSS 10.0EG 10.0
2025-11-06
Unrestricted Upload of File with Dangerous Type vulnerability in borisolhor Drop Uploader for CF7 - Drag&Drop File Uploader Addon drop-uploader-for-contact-form-7-dragdrop-file-uploader-addon allows Upload a Web Shell to a Web Server.This …
CVE-2025-53891MEDIUMCVSS 4.3EG 4.3
2025-07-15
The timelineofficial/Time-Line- repository contains the source code for the TIME LINE website. A vulnerability was found in the TIME LINE website where uploaded files (instruction/message media) are not strictly validated for type and size…
CVE-2025-5395HIGHCVSS 8.8EG 8.8
2025-06-11
The WordPress Automatic Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'core.php' file in all versions up to, and including, 3.115.0. This makes it possible for authentic…
CVE-2025-53970CRITICALCVSS 9.8EG 9.8
2025-08-28
SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) allows a remote unauthenticated attacker to upload arbitrary files and execute OS commands with SYSTEM privileges.
CVE-2025-5406MEDIUMCVSS 6.3EG 6.3
2025-06-01
A vulnerability, which was classified as critical, was found in chaitak-gorai Blogbook up to 92f5cf90f8a7e6566b576fe0952e14e1c6736513. Affected is an unknown function of the file /admin/posts.php?source=add_post. The manipulation of the ar…
CVE-2025-54071CRITICALCVSS 9.4EG 0.0
2025-07-21
RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. In versions 4.0.0-beta.3 and below, an authenticated arbitrary file write vulnerability exists in the /api/saves…
CVE-2025-54082HIGHCVSS 8.1EG 0.0
2025-07-21
marshmallow-packages/nova-tiptap is a rich text editor for Laravel Nova based on tiptap. Prior to 5.7.0, a vulnerability was discovered in the marshmallow-packages/nova-tiptap Laravel Nova package that allows unauthenticated users to uploa…
CVE-2025-54439HIGHCVSS 8.8EG 8.8
2025-07-23
Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.
CVE-2025-54440CRITICALCVSS 9.8EG 9.8
2025-07-23
Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.
CVE-2025-54441HIGHCVSS 8.8EG 8.8
2025-07-23
Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.
CVE-2025-54442CRITICALCVSS 9.8EG 9.8
2025-07-23
Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.
CVE-2025-54444CRITICALCVSS 9.8EG 9.8
2025-07-23
Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.
CVE-2025-54447HIGHCVSS 8.1EG 8.1
2025-07-23
Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.
CVE-2025-54448CRITICALCVSS 9.8EG 9.8
2025-07-23
Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.
CVE-2025-54449CRITICALCVSS 9.8EG 9.8
2025-07-23
Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.
CVE-2025-54460HIGHCVSS 7.1EG 7.1
2025-08-21
The vulnerability, if exploited, could allow an authenticated miscreant (with privileges to create or access publication targets of type Text File or HDFS) to upload and persist files that could potentially be executed.
CVE-2025-54473CRITICALCVSS 9.2EG 0.0
2025-08-15
An authenticated RCE vulnerability in Phoca Commander component 1.0.0-4.0.0 and 5.0.0-5.0.1 for Joomla was discovered. The issue allows code execution via the unzip feature.
CVE-2025-54677CRITICALCVSS 9.1EG 9.1
2025-08-20
Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Using Malicious Files.This issue affects Online Booking & Scheduling Calen…
CVE-2025-54693CRITICALCVSS 9.0EG 9.0
2025-08-14
Unrestricted Upload of File with Dangerous Type vulnerability in epiphyt Form Block form-block allows Upload a Web Shell to a Web Server.This issue affects Form Block: from n/a through <= 1.5.5.
CVE-2025-54757MEDIUMCVSS 6.5EG 6.5
2025-07-31
Multiple versions of PowerCMS allow unrestricted upload of dangerous files. If a product administrator accesses a malicious file uploaded by a product user, an arbitrary script may be executed on the browser.
CVE-2025-54762CRITICALCVSS 9.8EG 9.8
2025-08-28
SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) allows a remote unauthenticated attacker to upload arbitrary files and execute OS commands with SYSTEM privileges.
CVE-2025-54769HIGHCVSS 8.8EG 8.8
2025-07-29
An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This can be used to overwrite existing PERL modules within the application to achieve r…
CVE-2025-54944CRITICALCVSS 9.8EG 9.8
2025-08-30
An unrestricted upload of file with dangerous type vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to write malicious code in a specific file, which may lead to arbitrary code execution.
CVE-2025-54962MEDIUMCVSS 6.4EG 6.4
2025-08-04
/edit-user in webserver in OpenPLC Runtime 3 through 9cd8f1b allows authenticated users to upload arbitrary files (such as .html or .svg), and these are then publicly accessible under the /static URI.
CVE-2025-55061HIGHCVSS 8.8EG 8.8
2025-12-29
CWE-434 Unrestricted Upload of File with Dangerous Type
CVE-2025-55135MEDIUMCVSS 6.4EG 6.4
2025-08-07
In Agora Foundation Agora fall23-Alpha1 before 690ce56, there is XSS via a profile picture to server/controller/userController.js. Formats other than PNG, JPEG, and WEBP are permitted by server/routes/userRoutes.js; this includes SVG.
CVE-2025-55251LOWCVSS 3.1EG 3.1
2026-01-19
HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise.
CVE-2025-55383HIGHCVSS 8.6EG 8.6
2025-08-21
Moss before v0.15 has a file upload vulnerability. The "upload" function configuration allows attackers to upload files of any extension to any location on the target server.
CVE-2025-55454HIGHCVSS 8.8EG 8.8
2025-08-22
An authenticated arbitrary file upload vulnerability in the component /msg/sendfiles of DooTask v1.0.51 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2025-55455LOWCVSS 3.5EG 3.5
2025-08-22
DooTask v1.0.51 was dicovered to contain an authenticated arbitrary download vulnerability via the component /msg/sendtext.
CVE-2025-55743HIGHCVSS 8.8EG 0.0
2025-08-21
UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, the image upload at the user creation feature performs only client side file type validation. A user can capture the request…
CVE-2025-55746CRITICALCVSS 9.3EG 9.3
2025-08-20
Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrar…
CVE-2025-55810MEDIUMCVSS 6.8EG 6.8
2025-11-13
A vulnerability was found in Alaga Home Security WiFi Camera 3K (model S-CW2503C-H) with hardware version V03 and firmware version 1.4.2, which allows physical attackers to execute commands as root via script file with a specific name on a…
CVE-2025-55835CRITICALCVSS 9.8EG 9.8
2025-09-12
File Upload vulnerability in SueamCMS v.0.1.2 allows a remote attacker to execute arbitrary code via the lack of filtering.
CVE-2025-55912HIGHCVSS 7.3EG 7.3
2025-09-18
An issue in ClipBucket 5.5.0 and prior versions allows an unauthenticated attacker can exploit the plupload endpoint in photo_uploader.php to upload arbitrary files without any authentication, due to missing access controls in the upload h…
CVE-2025-56218CRITICALCVSS 9.8EG 9.8
2025-10-17
An arbitrary file upload vulnerability in SigningHub v8.6.8 allows attackers to execute arbitrary code via uploading a crafted PDF file.
CVE-2025-56263HIGHCVSS 8.8EG 8.8
2025-09-16
by-night sms V1.0 has an Arbitrary File Upload vulnerability. The /api/sms/upload/headImg endpoint allows uploading arbitrary files. Users can upload files of any size and type.
CVE-2025-56265HIGHCVSS 8.8EG 8.8
2025-09-08
An arbitrary file upload vulnerability in the Chat Trigger component of N8N v1.95.3, v1.100.1, and v1.101.1 allows attackers to execute arbitrary code via uploading a crafted HTML file.
CVE-2025-56295HIGHCVSS 7.3EG 7.3
2025-09-16
code-projects Computer Laboratory System 1.0 has a file upload vulnerability. Staff can upload malicious files by uploading PHP backdoor files when modifying personal avatar information and use web shell connection tools to obtain server p…
CVE-2025-56515HIGHCVSS 8.8EG 8.8
2025-10-01
File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file content, allowing malicious SVG files with embedded foreignObject elements containing iframe tag…
CVE-2025-56704HIGHCVSS 8.8EG 8.8
2025-12-09
LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP…
CVE-2025-57148CRITICALCVSS 9.1EG 9.1
2025-09-03
phpgurukul Online Shopping Portal 2.0 is vulnerable to Arbitrary File Upload in /admin/insert-product.php, due to the lack of extension validation.
CVE-2025-57176MEDIUMCVSS 6.5EG 4.3
2025-09-15
On Ceragon Networks / Siklu Communication EtherHaul and MultiHaul Series microwave antennas before 2026-03-10, the rfpiped service on TCP port 555 allows unauthenticated file uploads to any writable location on the device. File upload pack…
CVE-2025-5728MEDIUMCVSS 6.3EG 6.3
2025-06-06
A vulnerability classified as critical was found in SourceCodester Open Source Clinic Management System 1.0. This vulnerability affects unknown code of the file /manage_website.php. The manipulation of the argument website_image leads to u…
CVE-2025-5746CRITICALCVSS 9.8EG 9.8
2025-07-02
The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled…
CVE-2025-57460CRITICALCVSS 9.8EG 9.8
2025-12-29
File upload vulnerability in machsol machpanel 8.0.32 allows attacker to gain a webshell.
CVE-2025-57642HIGHCVSS 7.2EG 7.2
2025-09-10
A Shell Upload vulnerability in Tourism Management System 2.0 allows an attacker to upload and execute arbitrary PHP shell scripts on the server, leading to remote code execution and unauthorized access to the system. This can result in th…

← PreviousPage 71 of 80Next →

Map vulnerabilities like CWE-434 to your infrastructure

EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.

Start Free Scan →