CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,080 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 47 of 82
- CVE-2024-1262MEDIUMCVSS 6.3EG 6.32024-02-06
A vulnerability, which was classified as critical, has been found in Juanpao JPShop up to 1.5.02. This issue affects the function actionUpdate of the file /api/controllers/merchant/design/MaterialController.php of the component API. The ma…
- CVE-2024-1263MEDIUMCVSS 6.3EG 6.32024-02-06
A vulnerability, which was classified as critical, was found in Juanpao JPShop up to 1.5.02. Affected is the function actionUpdate of the file /api/controllers/merchant/shop/PosterController.php of the component API. The manipulation of th…
- CVE-2024-1264MEDIUMCVSS 6.3EG 6.32024-02-07
A vulnerability has been found in Juanpao JPShop up to 1.5.02 and classified as critical. Affected by this vulnerability is the function actionUpdate of the file /api/controllers/common/UploadsController.php. The manipulation of the argume…
- CVE-2024-1268MEDIUMCVSS 6.3EG 6.32024-02-07
A vulnerability, which was classified as critical, was found in CodeAstro Restaurant POS System 1.0. This affects an unknown part of the file update_product.php. The manipulation leads to unrestricted upload. It is possible to initiate the…
- CVE-2024-12700HIGHCVSS 8.8EG 8.82024-12-19
There is an unrestricted file upload vulnerability where it is possible for an authenticated user (low privileged) to upload an jsp shell and execute code with the privileges of user running the web server.
- CVE-2024-12853HIGHCVSS 8.8EG 8.82025-01-08
The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 2.11.10. This makes it possible for authenticat…
- CVE-2024-12854HIGHCVSS 8.8EG 8.82025-01-08
The Garden Gnome Package plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the functionality that automatically extracts 'ggpkg' files that have been uploaded in all versions up to, and inc…
- CVE-2024-12951MEDIUMCVSS 6.3EG 6.32024-12-26
A vulnerability classified as critical has been found in 1000 Projects Portfolio Management System MCA 1.0. Affected is an unknown function of the file /add_personal_details.php. The manipulation of the argument profile leads to unrestrict…
- CVE-2024-12953MEDIUMCVSS 6.3EG 6.32024-12-26
A vulnerability, which was classified as critical, has been found in 1000 Projects Portfolio Management System MCA 1.0. Affected by this issue is some unknown functionality of the file /update_pd_process.php. The manipulation of the argume…
- CVE-2024-12954MEDIUMCVSS 6.3EG 6.32024-12-26
A vulnerability, which was classified as critical, was found in 1000 Projects Portfolio Management System MCA 1.0. This affects an unknown part of the file /update_ach.php. The manipulation of the argument ach_certy leads to unrestricted u…
- CVE-2024-12956MEDIUMCVSS 6.3EG 6.32024-12-26
A vulnerability was found in 1000 Projects Portfolio Management System MCA 1.0 and classified as critical. This issue affects some unknown processing of the file /add_achievement_details.php. The manipulation of the argument ach_certy lead…
- CVE-2024-13011CRITICALCVSS 9.8EG 9.82025-02-10
The WP Foodbakery plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'upload_publisher_profile_image' function in versions up to, and including, 4.7. This makes it possible for unau…
- CVE-2024-13022MEDIUMCVSS 6.3EG 6.32024-12-29
A vulnerability, which was classified as critical, was found in taisan tarzan-cms 1.0.0. This affects the function UploadResponse of the file src/main/java/com/tarzan/cms/modules/admin/controller/common/UploadController.java of the compone…
- CVE-2024-13091CRITICALCVSS 9.8EG 9.82025-01-22
The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'qcld_wpcfb_file_upload' function in all versions up to, and including, 13.5.4. This makes it possible …
- CVE-2024-1311HIGHCVSS 8.8EG 8.82024-03-13
The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeImages function in all versions up to, and including, 2.4.40. This makes it possible for authenticated …
- CVE-2024-13133MEDIUMCVSS 6.3EG 6.32025-01-05
A vulnerability, which was classified as critical, has been found in ZeroWdd studentmanager 1.0. This issue affects the function addStudent/editStudent of the file src/main/Java/com/wdd/studentmanager/controller/StudentController. java. Th…
- CVE-2024-13134MEDIUMCVSS 6.3EG 6.32025-01-05
A vulnerability, which was classified as critical, was found in ZeroWdd studentmanager 1.0. Affected is the function addTeacher/editTeacher of the file src/main/Java/com/wdd/studentmanager/controller/TeacherController. java. The manipulati…
- CVE-2024-13138MEDIUMCVSS 4.7EG 4.72025-01-05
A vulnerability was found in wangl1989 mysiteforme 1.0. It has been declared as critical. This vulnerability affects the function upload of the file src/main/java/com/mysiteform/admin/service/ipl/LocalUploadServiceImpl. The manipulation of…
- CVE-2024-13144MEDIUMCVSS 6.3EG 6.32025-01-06
A vulnerability classified as critical has been found in zhenfeng13 My-Blog 1.0. Affected is the function uploadFileByEditomd of the file src/main/java/com/site/blog/my/core/controller/admin/BlogController.java. The manipulation of the arg…
- CVE-2024-13145MEDIUMCVSS 6.3EG 6.32025-01-06
A vulnerability classified as critical was found in zhenfeng13 My-Blog 1.0. Affected by this vulnerability is the function upload of the file src/main/java/com/site/blog/my/core/controller/admin/uploadController. java. The manipulation of …
- CVE-2024-13171HIGHCVSS 7.8EG 7.82025-01-14
Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is requ…
- CVE-2024-13191MEDIUMCVSS 6.3EG 6.32025-01-08
A vulnerability, which was classified as critical, has been found in ZeroWdd myblog 1.0. This issue affects the function upload of the file src/main/java/com/wdd/myblog/controller/admin/uploadController.java. The manipulation of the argume…
- CVE-2024-13201MEDIUMCVSS 4.7EG 4.72025-01-09
A vulnerability has been found in wander-chu SpringBoot-Blog 1.0 and classified as critical. This vulnerability affects the function upload of the file src/main/java/com/my/blog/website/controller/admin/AttachtController.java of the compon…
- CVE-2024-13210MEDIUMCVSS 4.7EG 4.72025-01-09
A vulnerability was found in donglight bookstore电商书城系统说明 1.0. It has been declared as critical. Affected by this vulnerability is the function uploadPicture of the file src/main/java/org/zdd/bookstore/web/controller/admin/A…
- CVE-2024-13212MEDIUMCVSS 6.3EG 6.32025-01-09
A vulnerability classified as critical has been found in SingMR HouseRent 1.0. This affects the function singleUpload/upload of the file src/main/java/com/house/wym/controller/AddHouseController.java. The manipulation of the argument file …
- CVE-2024-1332MEDIUMCVSS 6.4EG 6.42024-05-24
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This…
- CVE-2024-13333HIGHCVSS 7.5EG 7.52025-01-17
The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fma_local_file_system' function in versions 5.2.12 to 5.2.13. This makes it possible for authenticated attac…
- CVE-2024-13342HIGHCVSS 8.1EG 8.12025-08-29
The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_files_to_order' function in all versions up to, and including, 7.2.4. This makes it possible for unaut…
- CVE-2024-13355MEDIUMCVSS 5.4EG 5.42025-01-16
The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to limited file uploads due to insufficient file type validation in the upload_file() function in all versions up to, and including,…
- CVE-2024-13359HIGHCVSS 8.1EG 8.12025-03-08
The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the add_product_input_fields_to_order_item_meta() function in all versions up to, and includi…
- CVE-2024-13365CRITICALCVSS 9.8EG 9.82025-02-12
The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through the checkUploadedArchive() function in a…
- CVE-2024-13418HIGHCVSS 8.8EG 8.82025-05-02
Multiple plugins and/or themes for WordPress are vulnerable to Arbitrary File Uploads due to a missing capability check on the ajaxUploadFonts() function in various versions. This makes it possible for authenticated attackers, with Subscri…
- CVE-2024-13448CRITICALCVSS 9.8EG 9.82025-01-28
The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trx_addons_uploads_save_data' function in all versions up to, and including, 2.32.3. This makes it possible for un…
- CVE-2024-13544MEDIUMCVSS 4.8EG 4.82025-02-11
The Zarinpal Paid Download WordPress plugin through 2.3 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in …
- CVE-2024-13708HIGHCVSS 7.2EG 7.22025-04-04
The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in versions 4.0.1 to 7.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenti…
- CVE-2024-13714HIGHCVSS 8.8EG 8.82025-02-12
The All-Images.ai – IA Image Bank and Custom Image creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_get_image_by_url' function in all versions up to, and including, 1.0.4.…
- CVE-2024-13723HIGHCVSS 7.2EG 7.22025-02-04
The "NagVis" component within Checkmk is vulnerable to remote code execution. An authenticated attacker with administrative level privileges is able to upload a malicious PHP file and modify specific settings to execute the contents of the…
- CVE-2024-13744HIGHCVSS 8.1EG 8.12025-04-04
The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the validate_product_input_fields_on_add_to_cart function in versions 4.0.1 to 7.2.4. This makes it possible fo…
- CVE-2024-13869HIGHCVSS 7.2EG 7.22025-02-22
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all versions up to, and including, 0.9.112. Th…
- CVE-2024-13882HIGHCVSS 8.8EG 8.82025-03-08
The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aiomatic_generate_featured_image' fun…
- CVE-2024-13908HIGHCVSS 7.2EG 7.22025-03-08
The SMTP by BestWebSoft plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 1.1.9. This makes it possible for authenticated a…
- CVE-2024-13981CRITICALCVSS 10.0EG 10.02025-08-27
LiveBOS, an object-oriented business architecture middleware suite developed by Apex Software Co., Ltd., contains an arbitrary file upload vulnerability in its UploadFile.do;.js.jsp endpoint. This flaw affects the LiveBOS Server component …
- CVE-2024-13986HIGHCVSS 8.8EG 8.82025-08-28
Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths …
- CVE-2024-14037CRITICALCVSS 9.8EG 9.82026-07-02
Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading malicious files through the PtFjk.mob servlet endpoint. Attackers can submit a multipart P…
- CVE-2024-1468HIGHCVSS 8.8EG 8.82024-02-29
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. Thi…
- CVE-2024-1527CRITICALCVSS 9.8EG 9.82024-03-12
Unrestricted file upload vulnerability in CMS Made Simple, affecting version 2.2.14. This vulnerability allows an authenticated user to bypass the security measures of the upload functionality and potentially create a remote execution of c…
- CVE-2024-1531HIGHCVSS 8.2EG 8.22024-03-27
A vulnerability exists in the stb-language file handling that affects the RTU500 series product versions listed below. A malicious actor could print random memory content in the RTU500 system log, if an authorized user uploads a specially …
- CVE-2024-1532MEDIUMCVSS 6.8EG 6.82024-03-27
A vulnerability exists in the stb-language file handling that affects the RTU500 series product versions listed below. A malicious actor could enforce diagnostic texts being displayed as empty strings, if an authorized user uploads a speci…
- CVE-2024-1567HIGHCVSS 8.2EG 8.22024-05-02
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to limited file uploads due to missing file type validation in the 'file_validity' function in all versions up to, and including, 1.3.94. This makes it possible fo…
- CVE-2024-1644CRITICALCVSS 9.9EG 9.92024-02-20
Suite CRM version 7.14.2 allows including local php files. This is possible because the application is vulnerable to LFI.
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →