CWE-434: Unrestricted File Upload

This vulnerability allows authenticated WordPress administrators to perform server-side request forgery (SSRF) attacks via the Uncanny Automator plugi...

The Form Maker by 10Web WordPress plugin allows unauthenticated attackers to upload malicious SVG files containing JavaScript code due to weak file ex...

This vulnerability in the AI Engine WordPress plugin allows authenticated attackers with Editor-level access or higher to upload arbitrary files, incl...

CVE-2022-50916 is a file upload vulnerability in e107 CMS version 3.2.1 that allows authenticated administrators to overwrite server files through Med...

This vulnerability allows authenticated attackers to upload arbitrary files to mobility conductors running AOS-10 or AOS-8 operating systems. Successf...

CVE-2026-22241 is an arbitrary file upload vulnerability in Open eClass (formerly GUnet eClass) that allows authenticated administrators to upload mal...

CVE-2023-53889 is a remote code execution vulnerability in Perch CMS 3.2 that allows authenticated administrators to upload malicious PHP files throug...

Blackcat CMS 1.4 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the jqu...

Webutler v3.2 contains an arbitrary file upload vulnerability that allows authenticated administrators to upload PHP files containing system commands....

xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated administrators to upload and execute arbitrary PHP code throug...

Serendipity 2.5.0 contains a remote code execution vulnerability where authenticated administrators can upload malicious PHP files through the media u...

The ProjectList WordPress plugin allows authenticated attackers with Editor-level access or higher to upload arbitrary files due to missing file type ...

This vulnerability allows authenticated attackers with Editor-level WordPress access to upload arbitrary files due to missing file type validation in ...

This vulnerability allows attackers to upload malicious files to Pyxis Signage systems, bypassing access controls. Attackers could execute arbitrary c...

This vulnerability allows authenticated attackers with administrative credentials to upload arbitrary files to the Mozart FM Transmitter web managemen...

This vulnerability allows authenticated administrators in CMS Made Simple Foundation File Manager v2.2.22 to upload arbitrary PHP files via the /uploa...

CVE-2025-12867 is an arbitrary file upload vulnerability in EIP Plus software developed by Hundred Plus. It allows authenticated remote attackers with...

The Alex Reservations WordPress plugin up to version 2.2.3 allows authenticated administrators to upload arbitrary files via a vulnerable REST API end...

The Mail Mint WordPress plugin allows authenticated administrators to upload arbitrary files due to missing file type validation. This vulnerability c...

The AIO Forms WordPress plugin allows authenticated administrators to upload arbitrary files due to missing file type validation in import functionali...

QDocs Smart School Management System 7.1 contains a logic flaw that allows authenticated users with roles like 'accountant' or 'admin' to bypass file ...

The Demo Import Kit WordPress plugin allows authenticated attackers with Administrator privileges to upload arbitrary files due to missing file type v...

An authenticated attacker can upload arbitrary files to the web management interface of AOS-10 GW and AOS-8 Controller/Mobility Conductor systems, pot...

CVE-2025-11675 is an arbitrary file upload vulnerability in Ragic's Enterprise Cloud Database that allows authenticated attackers with sufficient priv...

The WP-DownloadManager WordPress plugin allows authenticated administrators to upload arbitrary files due to missing file type validation. This vulner...

This vulnerability allows attackers to upload malicious PHP shell scripts to Tourism Management System 2.0 servers, enabling remote code execution and...

This vulnerability allows authenticated attackers with Administrator-level access or higher to upload arbitrary files to WordPress sites using the Res...

This vulnerability allows authenticated attackers with Administrator-level access to upload arbitrary files, including malicious .phar files, to WordP...

The Multi Step Form WordPress plugin allows authenticated administrators to upload arbitrary files due to missing file type validation in the import f...

The Make Connector WordPress plugin allows authenticated attackers with Administrator privileges to upload arbitrary files due to improper file type v...

The VikRentCar WordPress plugin up to version 1.4.3 allows authenticated administrators to upload arbitrary files due to missing file type validation....

The WPvivid Backup & Migration WordPress plugin allows authenticated administrators to upload arbitrary files due to missing file type validation. Thi...

The Beaver Builder Plugin (Starter Version) for WordPress has a vulnerability allowing authenticated administrators to upload arbitrary files due to m...

This vulnerability in Versa Director SD-WAN orchestration platform allows authenticated attackers to upload malicious files despite UI restrictions, p...

The Ultra Addons for Contact Form 7 WordPress plugin has a vulnerability that allows authenticated administrators to upload arbitrary files due to mis...

The CSV Me WordPress plugin allows authenticated attackers with Administrator privileges to upload arbitrary files due to insufficient file type valid...

The File Manager Pro – Filester WordPress plugin allows authenticated attackers with Administrator-level access to upload arbitrary files due to mis...

This vulnerability allows remote attackers to execute arbitrary commands on Airleader Master and Easy systems by uploading malicious JSP files through...

CVE-2024-13723 is a remote code execution vulnerability in the NagVis component of Checkmk. Authenticated attackers with administrative privileges can...

An arbitrary file upload vulnerability in Redaxo CMS v5.17.1 allows attackers to upload malicious files through the MediaPool module. This can lead to...

The Crafthemes Demo Import WordPress plugin allows authenticated attackers with Administrator privileges to upload arbitrary files due to missing file...

This vulnerability allows unauthenticated attackers to upload malicious SVG files containing JavaScript that executes when viewed. All WordPress sites...

This vulnerability allows attackers to upload malicious files to DedeBIZ CMS through the admin interface, potentially leading to remote code execution...

A file upload vulnerability in Laravel CMS v1.4.7 and earlier allows remote attackers to upload malicious PHP files (like shell.php) and execute arbit...

This vulnerability allows remote attackers to execute arbitrary code on SourceCodester Purchase Order Management System v1.0 via the /admin?page=user ...

This vulnerability allows attackers to upload arbitrary files to the moziloCMS admin interface, potentially leading to remote code execution. It affec...

The Funnelforms Free WordPress plugin allows authenticated administrators to upload arbitrary files due to missing file type validation. This vulnerab...

PublicCMS versions up to V4.0.202302.e contain an unrestricted file upload vulnerability in the template metadata management endpoint. This allows aut...

This vulnerability allows authenticated administrators in Versa Director to upload malicious files disguised as PNG images through the favicon customi...

Kashipara Hotel Management System v1.0 contains an unrestricted file upload vulnerability in the /admin/add_room_controller.php endpoint that allows r...