CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,072 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 24 of 82
- CVE-2021-43829HIGHCVSS 7.4EG 7.42021-12-14
PatrOwl is a free and open-source solution for orchestrating Security Operations. In versions prior to 1.7.7 PatrowlManager unrestrictly handle upload files in the findings import feature. This vulnerability is capable of uploading dangero…
- CVE-2021-43934CRITICALCVSS 9.8EG 9.82022-04-28
Elcomplus SmartPTT is vulnerable as the backup and restore system does not adequately validate upload requests, enabling a malicious user to potentially upload arbitrary files.
- CVE-2021-43936CRITICALCVSS 10.0EG 9.82021-12-06
The software allows the attacker to upload or transfer files of dangerous types to the WebHMI portal, that may be automatically processed within the product's environment or lead to arbitrary code execution.
- CVE-2021-43970HIGHCVSS 8.8EG 8.82022-03-10
An arbitrary file upload vulnerability exists in albumimages.jsp in Quicklert for Digium 10.0.0 (1043) via a .mp3;.jsp filename for a file that begins with audio data bytes. It allows an authenticated (low privileged) attacker to execute r…
- CVE-2021-43973HIGHCVSS 8.8EG 8.82022-01-11
An unrestricted file upload vulnerability in /UploadPsIcon.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to upload an arbitrary file via the file parameter in the HTTP POST body. A successful request returns the abs…
- CVE-2021-44031CRITICALCVSS 9.8EG 9.82021-12-22
An issue was discovered in Quest KACE Desktop Authority before 11.2. /dacomponentui/profiles/profileitems/outlooksettings/Insertimage.aspx contains a vulnerability that could allow pre-authentication remote code execution. An attacker coul…
- CVE-2021-44093CRITICALCVSS 9.8EG 9.82021-11-28
A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get a WebShell
- CVE-2021-44094HIGHCVSS 7.8EG 7.82021-11-28
ZrLog 2.2.2 has a remote command execution vulnerability at plugin download function, it could execute any JAR file
- CVE-2021-44123HIGHCVSS 8.8EG 8.82022-01-26
SPIP 4.0.0 is affected by a remote command execution vulnerability. To exploit the vulnerability, an attacker must craft a malicious picture with a double extension, upload it and then click on it to execute it.
- CVE-2021-44159CRITICALCVSS 9.8EG 9.82021-12-20
4MOSAn GCB Doctor’s file upload function has improper user privilege control. A remote attacker can upload arbitrary files including webshell files without authentication and execute arbitrary code in order to perform arbitrary system op…
- CVE-2021-44164CRITICALCVSS 9.8EG 9.82021-12-20
Chain Sea ai chatbot system’s file upload function has insufficient filtering for special characters in URLs, which allows a remote attacker to by-pass file type validation, upload malicious script and execute arbitrary code without auth…
- CVE-2021-44255HIGHCVSS 7.2EG 7.22022-01-31
Authenticated remote code execution in MotionEye <= 0.42.1 and MotioneEyeOS <= 20200606 allows a remote attacker to upload a configuration backup file containing a malicious python pickle file which will execute arbitrary code on the serve…
- CVE-2021-4436CRITICALCVSS 9.8EG 9.82024-02-05
The 3DPrint Lite WordPress plugin before 1.9.1.5 does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. How…
- CVE-2021-44426HIGHCVSS 8.8EG 8.82022-09-12
An issue was discovered in AnyDesk before 6.2.6 and 6.3.x before 6.3.5. An upload of an arbitrary file to a victim's local ~/Downloads/ directory is possible if the victim is using the AnyDesk Windows client to connect to a remote machine,…
- CVE-2021-4443CRITICALCVSS 9.8EG 9.82024-10-16
The WordPress Mega Menu plugin for WordPress is vulnerable to Arbitrary File Creation in versions up to, and including, 2.0.6 via the compiler_save AJAX action. This makes it possible for unauthenticated attackers to create arbitrary PHP f…
- CVE-2021-4449CRITICALCVSS 9.8EG 9.82024-10-16
The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'savepng.php' file in versions up to, and including, 5.96. This makes it possible for unauthenticated attackers to uploa…
- CVE-2021-4455CRITICALCVSS 9.8EG 9.82025-04-19
The Wordpress Plugin Smart Product Review plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to…
- CVE-2021-4457CRITICALCVSS 9.1EG 9.12025-06-25
The ZoomSounds plugin before 6.05 contains a PHP file allowing unauthenticated users to upload an arbitrary file anywhere on the web server.
- CVE-2021-4462CRITICALCVSS 9.8EG 9.82025-11-10
Employee Records System version 1.0 contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload arbitrary files via the uploadID.php endpoint; uploaded files can be executed because the applic…
- CVE-2021-44651HIGHCVSS 8.8EG 8.82022-01-12
Zoho ManageEngine CloudSecurityPlus before Build 4117 allows remote code execution through the updatePersonalizeSettings component due to an improper security patch for CVE-2021-40175.
- CVE-2021-44664HIGHCVSS 8.8EG 8.82022-02-24
An Authenticated Remote Code Exection (RCE) vulnerability exists in Xerte through 3.9 in website_code/php/import/fileupload.php by uploading a maliciously crafted PHP file though the project interface disguised as a language file to bypass…
- CVE-2021-44673HIGHCVSS 8.8EG 8.82022-03-10
A Remote Code Execution (RCE) vulnerability exists in Croogo 3.0.2via admin/file-manager/attachments, which lets a malicoius user upload a web shell script.
- CVE-2021-44967HIGHCVSS 8.8EG 8.82022-02-24
A Remote Code Execution (RCE) vulnerabilty exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. NOTE: the Supplier's position is that plugins int…
- CVE-2021-45040CRITICALCVSS 9.8EG 9.82022-03-17
The Spatie media-library-pro library through 1.17.10 and 2.x through 2.1.6 for Laravel allows remote attackers to upload executable files via the uploads route.
- CVE-2021-45411CRITICALCVSS 9.8EG 9.82022-01-12
In Sourcecodetester Printable Staff ID Card Creator System 1.0 after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution.
- CVE-2021-45790CRITICALCVSS 9.8EG 9.82022-09-29
An arbitrary file upload vulnerability was found in Metersphere v1.15.4. Unauthenticated users can upload any file to arbitrary directory, where attackers can write a cron job to execute commands.
- CVE-2021-45808HIGHCVSS 8.8EG 8.82022-01-19
jpress v4.2.0 allows users to register an account by default. With the account, user can upload arbitrary files to the server.
- CVE-2021-45834CRITICALCVSS 9.8EG 9.82022-03-18
An attacker can upload or transfer files of dangerous types to the OpenDocMan 1.4.4 portal via add.php using MIME-bypass, which may be automatically processed within the product's environment or lead to arbitrary code execution.
- CVE-2021-45835CRITICALCVSS 9.8EG 9.82022-03-18
The Online Admission System 1.0 allows an unauthenticated attacker to upload or transfer files of dangerous types to the application through documents.php, which may be used to execute malicious code or lead to code execution.
- CVE-2021-45865CRITICALCVSS 9.8EG 9.82022-03-29
A File Upload vulnerability exists in Sourcecodester Student Attendance Manageent System 1.0 via the file upload functionality.
- CVE-2021-45982HIGHCVSS 8.8EG 8.82022-06-02
NetScout nGeniusONE 6.3.2 allows Arbitrary File Upload by a privileged user.
- CVE-2021-46013CRITICALCVSS 9.8EG 9.82022-01-18
An unrestricted file upload vulnerability exists in Sourcecodester Free school management software 1.0. An attacker can leverage this vulnerability to enable remote code execution on the affected web server. Once a php webshell containing …
- CVE-2021-46033CRITICALCVSS 9.8EG 9.82022-01-25
In ForestBlog, as of 2021-12-28, File upload can bypass verification.
- CVE-2021-46036CRITICALCVSS 9.8EG 9.82022-02-18
An arbitrary file upload vulnerability in the component /ms/file/uploadTemplate.do of MCMS v5.2.4 allows attackers to execute arbitrary code.
- CVE-2021-46076HIGHCVSS 8.8EG 8.82022-01-06
Sourcecodester Vehicle Service Management System 1.0 is vulnerable to File upload. An attacker can upload a malicious php file in multiple endpoints it leading to Code Execution.
- CVE-2021-46078MEDIUMCVSS 4.8EG 4.82022-01-06
An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to a Stored Cross-Site Scripting vulnerability.
- CVE-2021-46079HIGHCVSS 7.2EG 7.22022-01-06
An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to Html Injection.
- CVE-2021-46097HIGHCVSS 8.8EG 8.82022-01-27
Dolphinphp v1.5.0 contains a remote code execution vulnerability in /application/common.php#action_log
- CVE-2021-46113HIGHCVSS 8.8EG 8.82022-01-25
In MartDevelopers KEA-Hotel-ERP open source as of 12-31-2021, a remote code execution vulnerability can be exploited by uploading PHP files using the file upload vulnerability in this service.
- CVE-2021-46115HIGHCVSS 7.2EG 7.22022-01-26
jpress 4.2.0 is vulnerable to RCE via io.jpress.web.admin._TemplateController#doUploadFile. The admin panel provides a function through which attackers can upload templates and inject some malicious code.
- CVE-2021-46116HIGHCVSS 7.2EG 7.22022-01-26
jpress 4.2.0 is vulnerable to remote code execution via io.jpress.web.admin._TemplateController#doInstall. The admin panel provides a function through which attackers can install templates and inject some malicious code.
- CVE-2021-46360HIGHCVSS 8.8EG 8.82022-02-09
Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr.
- CVE-2021-46367HIGHCVSS 7.2EG 7.22022-04-08
RiteCMS version 3.1.0 and below suffers from a remote code execution vulnerability in the admin panel. An authenticated attacker can upload a PHP file and bypass the .htacess configuration to deny execution of .php files in media and files…
- CVE-2021-46386CRITICALCVSS 9.8EG 9.82022-01-26
File upload vulnerability in mingSoft MCMS through 5.2.5, allows remote attackers to execute arbitrary code via a crafted jspx webshell to net.mingsoft.basic.action.web.FileAction#upload.
- CVE-2021-46428CRITICALCVSS 9.8EG 9.82022-01-27
A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Simple Chatbot Application 1.0 ( and previous versions via the bot_avatar parameter in SystemSettings.php.
- CVE-2021-47753CRITICALCVSS 9.8EG 9.82026-01-15
phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and exec…
- CVE-2021-47757HIGHCVSS 8.8EG 8.82026-01-15
Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability in the backup restoration functionality. Authenticated attackers can upload a modified backup zip file with a malicious PHP shell to exe…
- CVE-2021-47758HIGHCVSS 8.8EG 8.82026-01-15
Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious PHP plugins through the module upload functionality. Authenticated attackers can generate and …
- CVE-2021-47783MEDIUMCVSS 5.4EG 5.42026-01-16
Phpwcms 1.9.30 contains a file upload vulnerability that allows authenticated attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG payloads through the multiple file upload feature to potential…
- CVE-2021-47788HIGHCVSS 8.8EG 8.82026-01-16
WebsiteBaker 2.13.0 contains an authenticated remote code execution vulnerability that allows users with language editing permissions to execute arbitrary code. Attackers can exploit the language installation endpoint by manipulating langu…
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →