Total
3759 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-15426 | 2026-01-02 | 7.3 High | ||
| A vulnerability was identified in jackying H-ui.admin up to 3.1. This affects an unknown function in the library /lib/webuploader/0.1.5/server/preview.php. The manipulation leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-67164 | 1 Pagekit | 1 Pagekit | 2026-01-02 | 9.9 Critical |
| An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP file. | ||||
| CVE-2025-67289 | 1 Frappe | 2 Erpnext, Frappe | 2026-01-02 | 9.6 Critical |
| An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file. | ||||
| CVE-2025-68398 | 1 Weblate | 1 Weblate | 2026-01-02 | 9.1 Critical |
| Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue. | ||||
| CVE-2025-15226 | 1 Sun.net | 1 Wmpro | 2025-12-31 | 9.8 Critical |
| WMPro developed by Sunnet has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | ||||
| CVE-2025-55061 | 2025-12-31 | 8.8 High | ||
| CWE-434 Unrestricted Upload of File with Dangerous Type | ||||
| CVE-2025-15228 | 1 Welltend | 1 Bpmflowwebkit | 2025-12-31 | 9.8 Critical |
| BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | ||||
| CVE-2025-57460 | 1 Machsol | 1 Machpanel | 2025-12-31 | 9.8 Critical |
| File upload vulnerability in machsol machpanel 8.0.32 allows attacker to gain a webshell. | ||||
| CVE-2025-14849 | 1 Advantech | 2 Webaccess/scada, Webaccess\/scada | 2025-12-31 | 8.8 High |
| Advantech WebAccess/SCADA is vulnerable to unrestricted file upload, which may allow an attacker to remotely execute arbitrary code. | ||||
| CVE-2019-16790 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 6.5 Medium |
| In Tiny File Manager before 2.3.9, there is a remote code execution via Upload from URL and Edit/Rename files. Only authenticated users are impacted. | ||||
| CVE-2022-45476 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 9.8 Critical |
| Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload. | ||||
| CVE-2023-53921 | 1 Sitemagic | 1 Sitemagic Cms | 2025-12-31 | 9.8 Critical |
| SitemagicCMS 4.4.3 contains a remote code execution vulnerability that allows attackers to upload malicious PHP files to the files/images directory. Attackers can upload a .phar file with system command execution payload to compromise the web application and execute arbitrary system commands. | ||||
| CVE-2025-63678 | 2 Cms Made Simple, Cmsmadesimple | 2 Cms Made Simple, File Manager | 2025-12-31 | 3.8 Low |
| An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted PHP file. | ||||
| CVE-2023-53942 | 1 Leefish | 1 File Thingie | 2025-12-31 | 8.8 High |
| File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious PHP zip archives to the web server. Attackers can create a custom PHP payload, upload and unzip it, and then execute arbitrary system commands through a crafted PHP script with a command parameter. | ||||
| CVE-2025-9415 | 2 Greencms, Njtech | 2 Greencms, Greencms | 2025-12-31 | 6.3 Medium |
| A vulnerability was identified in GreenCMS up to 2.3.0603. This affects an unknown part of the file /index.php?m=admin&c=media&a=fileconnect. The manipulation of the argument upload[] leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-6266 | 1 Flir | 2 Flir Ax8, Flir Ax8 Firmware | 2025-12-31 | 6.3 Medium |
| A vulnerability was detected in Teledyne FLIR AX8 up to 1.46. Affected by this vulnerability is an unknown functionality of the file /upload.php. Performing manipulation of the argument File results in unrestricted upload. It is possible to initiate the attack remotely. The exploit is now public and may be used. Upgrading to version 1.49.16 addresses this issue. Upgrading the affected component is recommended. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities." | ||||
| CVE-2025-15009 | 2 1000mz, Liweiyi | 2 Chestnutcms, Chestnutcms | 2025-12-31 | 6.3 Medium |
| A flaw has been found in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function FilenameUtils.getExtension of the file /dev-api/common/upload of the component Filename Handler. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used. | ||||
| CVE-2025-63994 | 1 Psolom | 1 Richfilemanager | 2025-12-31 | 9.8 Critical |
| An arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager v2.7.6 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2025-15050 | 2 Code-projects, Fabian | 2 Student Management System, Student File Management System | 2025-12-30 | 6.3 Medium |
| A security vulnerability has been detected in code-projects Student File Management System 1.0. This affects an unknown part of the file /save_file.php. Such manipulation of the argument File leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2024-58313 | 1 Xbtitfm | 1 Xbtitfm | 2025-12-30 | 7.2 High |
| xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modifying the Content-Type header to image/gif, adding GIF89a magic bytes, and using alternate PHP tags to upload web shells that execute system commands. | ||||