CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,080 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 42 of 82
- CVE-2023-46264CRITICALCVSS 9.8EG 7.22023-12-19
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.
- CVE-2023-46428HIGHCVSS 8.8EG 8.82023-11-01
An arbitrary file upload vulnerability in HadSky v7.12.10 allows attackers to execute arbitrary code via a crafted file.
- CVE-2023-46474HIGHCVSS 7.2EG 7.22024-01-11
File Upload vulnerability PMB v.7.4.8 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted PHP file uploaded to the start_import.php file.
- CVE-2023-4666CRITICALCVSS 9.8EG 9.82023-10-16
The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE
- CVE-2023-46694HIGHCVSS 8.1EG 8.12024-05-28
Vtenext 21.02 allows an authenticated attacker to upload arbitrary files, potentially enabling them to execute remote commands. This flaw exists due to the application's failure to enforce proper authentication controls when accessing the …
- CVE-2023-46808CRITICALCVSS 9.9EG 9.92024-03-31
An file upload vulnerability in Ivanti ITSM before 2023.4, allows an authenticated remote user to perform file writes to the server. Successful exploitation may lead to execution of commands in the context of non-root user.
- CVE-2023-46815HIGHCVSS 8.8EG 8.82023-10-27
An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using a crafted request, custom PHP code can be injected via the Notes module …
- CVE-2023-47129CRITICALCVSS 9.8EG 8.32023-11-10
Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using …
- CVE-2023-4739CRITICALCVSS 9.8EG 6.32023-09-03
A vulnerability, which was classified as critical, has been found in Byzoro Smart S85F Management Platform up to 20230820. Affected by this issue is some unknown functionality of the file /sysmanage/updateos.php. The manipulation of the ar…
- CVE-2023-47621HIGHCVSS 8.8EG 8.82023-11-13
Guest Entries is a php library which allows users to create, update & delete entries from the front-end of a site. In affected versions the file uploads feature did not prevent the upload of PHP files. This may lead to code execution on th…
- CVE-2023-47706HIGHCVSS 8.8EG 6.62023-12-20
IBM Security Guardium Key Lifecycle Manager 4.3 could allow an authenticated user to upload files of a dangerous file type. IBM X-Force ID: 271341.
- CVE-2023-47711LOWCVSS 2.7EG 2.72024-05-14
IBM Security Guardium 11.3, 11.4, 11.5, and 12.0 could allow an authenticated user to upload files that would cause a denial of service. IBM X-Force ID: 271526.
- CVE-2023-47784HIGHCVSS 8.8EG 8.42023-12-20
Unrestricted Upload of File with Dangerous Type vulnerability in ThemePunch OHG Slider Revolution.This issue affects Slider Revolution: from n/a through 6.6.15.
- CVE-2023-47842CRITICALCVSS 9.1EG 9.12024-03-26
Unrestricted Upload of File with Dangerous Type vulnerability in Zachary Segal CataBlog.This issue affects CataBlog: from n/a through 1.7.0.
- CVE-2023-47846CRITICALCVSS 9.1EG 9.12024-03-26
Unrestricted Upload of File with Dangerous Type vulnerability in Terry Lin WP Githuber MD.This issue affects WP Githuber MD: from n/a through 1.16.2.
- CVE-2023-47873CRITICALCVSS 9.1EG 9.12024-03-26
Unrestricted Upload of File with Dangerous Type vulnerability in WEN Solutions WP Child Theme Generator.This issue affects WP Child Theme Generator: from n/a through 1.0.9.
- CVE-2023-48031CRITICALCVSS 9.8EG 9.82023-11-17
OpenSupports v4.11.0 is vulnerable to Unrestricted Upload of File with Dangerous Type. In the comment function, an attacker can bypass security restrictions and upload a .bat file by manipulating the file's magic bytes to masquerade as an …
- CVE-2023-4817HIGHCVSS 8.8EG 7.22023-10-03
This vulnerability allows an authenticated attacker to upload malicious files by bypassing the restrictions of the upload functionality, compromising the entire device.
- CVE-2023-48217HIGHCVSS 8.8EG 8.82023-11-14
Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-…
- CVE-2023-48275HIGHCVSS 8.0EG 8.02024-03-26
Unrestricted Upload of File with Dangerous Type vulnerability in Trustindex.Io Widgets for Google Reviews.This issue affects Widgets for Google Reviews: from n/a through 11.0.2.
- CVE-2023-48371CRITICALCVSS 9.8EG 9.82023-12-15
ITPison OMICARD EDM’s file uploading function does not restrict upload of file with dangerous type. An unauthenticated remote attacker can exploit this vulnerability to upload and run arbitrary executable files to perform arbitrary syste…
- CVE-2023-48376CRITICALCVSS 9.8EG 9.82023-12-15
SmartStar Software CWS is a web-based integration platform, its file uploading function does not restrict upload of file with dangerous type. An unauthenticated remote attacker can exploit this vulnerability to upload arbitrary files to pe…
- CVE-2023-48394HIGHCVSS 8.8EG 8.82023-12-15
Kaifa Technology WebITR is an online attendance system, its file uploading function does not restrict upload of file with dangerous type. A remote attacker with regular user privilege can exploit this vulnerability to upload arbitrary file…
- CVE-2023-48777CRITICALCVSS 9.9EG 9.92024-03-26
Unrestricted Upload of File with Dangerous Type vulnerability in Elementor.Com Elementor Website Builder.This issue affects Elementor Website Builder: from 3.3.0 through 3.18.1.
- CVE-2023-48930CRITICALCVSS 9.8EG 9.82023-12-06
xinhu xinhuoa 2.2.1 contains a File upload vulnerability.
- CVE-2023-48965HIGHCVSS 8.8EG 8.82023-12-04
An issue in the component /admin/api.plugs/script of ThinkAdmin v6.1.53 allows attackers to getshell via providing a crafted URL to download a malicious PHP file.
- CVE-2023-48966HIGHCVSS 8.8EG 8.82023-12-04
An arbitrary file upload vulnerability in the component /admin/api.upload/file of ThinkAdmin v6.1.53 allows attackers to execute arbitrary code via a crafted Zip file.
- CVE-2023-49052HIGHCVSS 8.8EG 8.82023-11-30
File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component.
- CVE-2023-49257HIGHCVSS 8.8EG 8.82024-01-12
An authenticated user is able to upload an arbitrary CGI-compatible file using the certificate upload utility and execute it with the root user privileges.
- CVE-2023-49715MEDIUMCVSS 4.3EG 4.32024-01-10
A unrestricted php file upload vulnerability exists in the import.json.php temporary copy functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary code execution when chained with an…
- CVE-2023-49814HIGHCVSS 7.2EG 9.12023-12-20
Unrestricted Upload of File with Dangerous Type vulnerability in Symbiostock symbiostock.This issue affects Symbiostock: from n/a through 6.0.0.
- CVE-2023-49815CRITICALCVSS 10.0EG 10.02024-03-27
Unrestricted Upload of File with Dangerous Type vulnerability in WappPress Team WappPress.This issue affects WappPress: from n/a through 5.0.3.
- CVE-2023-4988CRITICALCVSS 9.8EG 6.32023-09-15
A vulnerability, which was classified as problematic, was found in Bettershop LaikeTui. This affects an unknown part of the file index.php?module=system&action=uploadImg. The manipulation of the argument imgFile leads to unrestricted uploa…
- CVE-2023-50038HIGHCVSS 8.8EG 8.82023-12-28
There is an arbitrary file upload vulnerability in the background of textpattern cms v4.8.8, which leads to the loss of server permissions.
- CVE-2023-50104CRITICALCVSS 9.8EG 9.82023-12-29
ZZCMS 2023 has a file upload vulnerability in 3/E_bak5.1/upload/index.php, allowing attackers to exploit this loophole to gain server privileges and execute arbitrary code.
- CVE-2023-5034CRITICALCVSS 9.8EG 6.32023-09-18
A vulnerability classified as problematic was found in SourceCodester My Food Recipe 1.0. This vulnerability affects unknown code of the file index.php of the component Image Upload Handler. The manipulation leads to unrestricted upload. T…
- CVE-2023-50386HIGHCVSS 8.8EG 9.02024-02-09
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 throu…
- CVE-2023-50564HIGHCVSS 8.8EG 8.82023-12-14
An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute arbitrary code via uploading a crafted ZIP file.
- CVE-2023-50692HIGHCVSS 8.8EG 8.82023-12-28
File Upload vulnerability in JIZHICMS v.2.5, allows remote attacker to execute arbitrary code via a crafted file uploaded and downloaded to the download_url parameter in the app/admin/exts/ directory.
- CVE-2023-50717MEDIUMCVSS 5.7EG 5.72024-05-14
NocoDB is software for building databases as spreadsheets. Starting in verson 0.202.6 and prior to version 0.202.10, an attacker can upload a html file with malicious content. If user tries to open that file in browser malicious scripts ca…
- CVE-2023-50729HIGHCVSS 8.4EG 8.42024-01-15
Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file upload vulnerability in File feature allows attackers to execute arbitrary code on the server. This vulnerability is more prevalent b…
- CVE-2023-50760HIGHCVSS 8.8EG 8.82024-01-04
Online Notice Board System v1.0 is vulnerable to an Insecure File Upload vulnerability on the 'f' parameter of user/update_profile_pic.php page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the a…
- CVE-2023-50897CRITICALCVSS 9.1EG 9.12026-01-05
Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7.
- CVE-2023-50922HIGHCVSS 7.2EG 7.22024-01-03
An issue was discovered on GL.iNet devices through 4.5.0. Attackers who are able to steal the AdminToken cookie can execute arbitrary code by uploading a crontab-formatted file to a specific directory and waiting for its execution. This af…
- CVE-2023-50982CRITICALCVSS 9.0EG 9.02024-01-08
Stud.IP 5.x through 5.3.3 allows XSS with resultant upload of executable files, because upload_action and edit_action in Admin_SmileysController do not check the file extension. This leads to remote code execution with the privileges of th…
- CVE-2023-51034CRITICALCVSS 9.8EG 9.82023-12-22
TOTOlink EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary command execution via the cstecgi.cgi UploadFirmwareFile interface.
- CVE-2023-51409CRITICALCVSS 10.0EG 10.02024-04-12
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.This issue affects AI Engine: ChatGPT Chatbot: from n/a through 1.9.98.
- CVE-2023-51410HIGHCVSS 8.8EG 9.92023-12-29
Unrestricted Upload of File with Dangerous Type vulnerability in WPVibes WP Mail Log.This issue affects WP Mail Log: from n/a through 1.1.2.
- CVE-2023-51411CRITICALCVSS 9.8EG 10.02023-12-29
Unrestricted Upload of File with Dangerous Type vulnerability in Shabti Kaplan Frontend Admin by DynamiApps.This issue affects Frontend Admin by DynamiApps: from n/a through 3.18.3.
- CVE-2023-51412CRITICALCVSS 9.8EG 9.02023-12-29
Unrestricted Upload of File with Dangerous Type vulnerability in Piotnet Piotnet Forms.This issue affects Piotnet Forms: from n/a through 1.0.25.
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →