CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,075 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 33 of 82
- CVE-2022-44049CRITICALCVSS 9.8EG 9.82022-11-07
The d8s-python for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-grammars package. The affected versi…
- CVE-2022-44050CRITICALCVSS 9.8EG 9.82022-11-07
The d8s-networking for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-json package. The affected versi…
- CVE-2022-44051CRITICALCVSS 9.8EG 9.82022-11-07
The d8s-stats for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-math package. The affected version of…
- CVE-2022-44052CRITICALCVSS 9.8EG 9.82022-11-07
The d8s-dates for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-timezones package. The affected versi…
- CVE-2022-44053CRITICALCVSS 9.8EG 9.82022-11-07
The d8s-networking for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-user-agents package. The affecte…
- CVE-2022-44054CRITICALCVSS 9.8EG 9.82022-11-07
The d8s-xml for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-utility package. The affected version o…
- CVE-2022-44276CRITICALCVSS 9.8EG 9.82023-06-28
In Responsive Filemanager < 9.12.0, an attacker can bypass upload restrictions resulting in RCE.
- CVE-2022-44289HIGHCVSS 8.8EG 8.82022-12-06
Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell.
- CVE-2022-44354CRITICALCVSS 9.8EG 9.82022-11-29
SolarView Compact 4.0 and 5.0 is vulnerable to Unrestricted File Upload via a crafted php file.
- CVE-2022-44384HIGHCVSS 8.8EG 8.82022-11-17
An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code via a crafted PHP file.
- CVE-2022-44400CRITICALCVSS 9.8EG 9.82022-11-28
Purchase Order Management System v1.0 contains a file upload vulnerability via /purchase_order/admin/?page=system_info.
- CVE-2022-44401CRITICALCVSS 9.8EG 9.82022-11-28
Online Tours & Travels Management System v1.0 contains an arbitrary file upload vulnerability via /tour/admin/file.php.
- CVE-2022-44760MEDIUMCVSS 4.6EG 4.62025-04-24
Unsafe default file type filter policy in HCL Leap allows execution of unsafe JavaScript in deployed applications.
- CVE-2022-45009HIGHCVSS 7.2EG 7.22022-12-07
Online Leave Management System v1.0 was discovered to contain an arbitrary file upload vulnerability at /leave_system/classes/SystemSettings.php?f=update_settings. This vulnerability allows attackers to execute arbitrary code via a crafted…
- CVE-2022-45039HIGHCVSS 7.2EG 7.22022-11-25
An arbitrary file upload vulnerability in the Server Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary code via a crafted PHP file.
- CVE-2022-4506HIGHCVSS 8.8EG 8.82022-12-15
Unrestricted Upload of File with Dangerous Type in GitHub repository openemr/openemr prior to 7.0.0.2.
- CVE-2022-45171HIGHCVSS 8.8EG 8.82024-05-28
An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Unrestricted Upload of a File with a Dangerous Type can occur under the vShare web site section. A remote user, authenticated to the product, can arbitrarily upload po…
- CVE-2022-45275HIGHCVSS 7.2EG 7.22022-12-12
An arbitrary file upload vulnerability in /queuing/admin/ajax.php?action=save_settings of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.
- CVE-2022-45338HIGHCVSS 7.8EG 7.82022-12-15
An arbitrary file upload vulnerability in the profile picture upload function of Exact Synergy Enterprise 267 before 267SP13 and Exact Synergy Enterprise 500 before 500SP6 allows attackers to execute arbitrary code via a crafted SVG file.
- CVE-2022-45359CRITICALCVSS 9.8EG 9.82022-12-06
Unauth. Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards premium plugin <= 3.19.0 on WordPress.
- CVE-2022-45377MEDIUMCVSS 6.5EG 6.52023-12-21
Unrestricted Upload of File with Dangerous Type vulnerability in Glen Don L. Mongaya Drag and Drop Multiple File Upload for WooCommerce.This issue affects Drag and Drop Multiple File Upload for WooCommerce: from n/a through 1.0.8.
- CVE-2022-45415HIGHCVSS 7.8EG 7.82022-12-22
When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran…
- CVE-2022-45427HIGHCVSS 7.2EG 7.22022-12-27
Some Dahua software products have a vulnerability of unrestricted upload of file. After obtaining the permissions of administrators, by sending a specific crafted packet to the vulnerable interface, an attacker can upload arbitrary files.
- CVE-2022-45476CRITICALCVSS 9.8EG 8.82022-11-25
Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.
- CVE-2022-45527CRITICALCVSS 9.8EG 9.82023-02-08
File upload vulnerability in Future-Depth Institutional Management Website (IMS) 1.0, allows unauthorized attackers to directly upload malicious files to the courseimg directory.
- CVE-2022-45548HIGHCVSS 8.8EG 8.82022-12-06
AyaCMS v3.1.2 has an Arbitrary File Upload vulnerability.
- CVE-2022-45759HIGHCVSS 8.8EG 8.82022-12-12
SENS v1.0 has a file upload vulnerability.
- CVE-2022-45771HIGHCVSS 8.8EG 8.82022-12-05
An issue in the /api/audits component of Pwndoc v0.5.3 allows attackers to escalate privileges and execute arbitrary code via uploading a crafted audit file.
- CVE-2022-45802CRITICALCVSS 9.8EG 9.82023-05-01
Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory, Users of the affected versio…
- CVE-2022-45896CRITICALCVSS 9.8EG 9.82022-12-25
Planet eStream before 6.72.10.07 allows unauthenticated upload of arbitrary files: Choose a Video / Related Media or Upload Document. Upload2.ashx can be used, or Ajax.asmx/ProcessUpload2. This leads to remote code execution.
- CVE-2022-45912HIGHCVSS 7.2EG 7.22022-12-05
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. Remote code execution can occur through ClientUploader by an authenticated admin user. An authenticated admin user can upload files through the ClientUploader utility, a…
- CVE-2022-45966CRITICALCVSS 9.8EG 9.82022-12-22
here is an arbitrary file upload vulnerability in the file management function module of Classcms3.5.
- CVE-2022-45968HIGHCVSS 8.8EG 8.82022-12-12
Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one).
- CVE-2022-46020CRITICALCVSS 9.8EG 9.82022-12-20
WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.
- CVE-2022-46102CRITICALCVSS 9.8EG 9.82022-12-22
AyaCMS 3.1.2 is vulnerable to Arbitrary file upload via /aya/module/admin/fst_down.inc.php
- CVE-2022-46135HIGHCVSS 7.2EG 9.82022-12-16
In AeroCms v0.0.1, there is an arbitrary file upload vulnerability at /admin/posts.php?source=edit_post , through which we can upload webshell and control the web server.
- CVE-2022-46493CRITICALCVSS 9.8EG 9.82022-12-22
Default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img.
- CVE-2022-46604HIGHCVSS 8.8EG 8.82023-02-02
An issue in Tecrail Responsive FileManager v9.9.5 and below allows attackers to bypass the file extension check mechanism and upload a crafted PHP file, leading to arbitrary code execution.
- CVE-2022-46610HIGHCVSS 8.8EG 8.82023-01-10
72crm v9 was discovered to contain an arbitrary file upload vulnerability via the avatar upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
- CVE-2022-4665HIGHCVSS 8.8EG 8.82022-12-23
Unrestricted Upload of File with Dangerous Type in GitHub repository ampache/ampache prior to 5.5.6.
- CVE-2022-46660HIGHCVSS 7.5EG 6.52023-01-18
An unauthorized user could alter or write files with full control over the path and content of the file.
- CVE-2022-46828MEDIUMCVSS 5.2EG 7.82022-12-08
In JetBrains IntelliJ IDEA before 2022.3 a DYLIB injection on macOS was possible.
- CVE-2022-46839CRITICALCVSS 10.0EG 10.02024-01-05
Unrestricted Upload of File with Dangerous Type vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.1.
- CVE-2022-46899HIGHCVSS 7.5EG 7.52023-07-25
An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is Arbitrary File Upload. The BaseController class, that each of the service controllers derives from, allows for the upload of arbitrary files. If the…
- CVE-2022-47042HIGHCVSS 8.8EG 8.82023-01-26
MCMS v5.2.10 and below was discovered to contain an arbitrary file write vulnerability via the component ms/template/writeFileContent.do.
- CVE-2022-47186HIGHCVSS 7.5EG 7.52023-09-28
There is an unrestricted upload of file vulnerability in Generex CS141 below 2.06 version. An attacker could upload and/or delete any type of file, without any format restriction and without any authentication, in the "upload" directory.
- CVE-2022-47190CRITICALCVSS 10.0EG 9.82023-03-31
Generex UPS CS141 below 2.06 version, could allow a remote attacker to upload a firmware file containing a webshell that could allow him to execute arbitrary code as root.
- CVE-2022-47191MEDIUMCVSS 4.3EG 8.82023-03-31
Generex UPS CS141 below 2.06 version, could allow a remote attacker to upload a firmware file containing a file with modified permissions, allowing him to escalate privileges.
- CVE-2022-4732HIGHCVSS 7.2EG 7.22022-12-27
Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2.
- CVE-2022-47615CRITICALCVSS 9.3EG 9.82023-01-26
Local File Inclusion vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →