CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,081 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 48 of 82
- CVE-2024-1659CRITICALCVSS 9.8EG 9.82024-06-12
Arbitrary File Upload vulnerability in MegaBIP software allows attacker to upload any file to the server (including a PHP code file) without an authentication. This issue affects MegaBIP software versions through 5.10.
- CVE-2024-1818MEDIUMCVSS 4.7EG 4.72024-02-23
A vulnerability was found in CodeAstro Membership Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /uploads/ of the component Logo Handler. The manipulation leads to unrestr…
- CVE-2024-1819MEDIUMCVSS 4.7EG 4.72024-02-23
A vulnerability was found in CodeAstro Membership Management System 1.0. It has been classified as critical. This affects an unknown part of the component Add Members Tab. The manipulation of the argument Member Photo leads to unrestricted…
- CVE-2024-1875MEDIUMCVSS 6.3EG 6.32024-02-26
A vulnerability was found in SourceCodester Complaint Management System 1.0 and classified as critical. This issue affects some unknown processing of the file users/register-complaint.php of the component Lodge Complaint Section. The manip…
- CVE-2024-1918MEDIUMCVSS 4.7EG 4.72024-02-27
A vulnerability has been found in Byzoro Smart S42 Management Platform up to 20240219 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /useratte/userattestation.php. The manipulation of the…
- CVE-2024-1921MEDIUMCVSS 4.7EG 4.72024-02-27
A vulnerability, which was classified as critical, was found in osuuu LightPicture up to 1.2.2. Affected is an unknown function of the file /app/controller/Setup.php. The manipulation leads to unrestricted upload. It is possible to launch …
- CVE-2024-1925MEDIUMCVSS 5.0EG 5.02024-02-27
A vulnerability was found in Ctcms 2.1.2. It has been declared as critical. This vulnerability affects unknown code of the file ctcms/apps/controllers/admin/Upsys.php. The manipulation leads to unrestricted upload. The attack can be initia…
- CVE-2024-1932MEDIUMCVSS 4.8EG 6.12024-02-28
Unrestricted Upload of File with Dangerous Type in freescout-helpdesk/freescout
- CVE-2024-1986HIGHCVSS 8.8EG 8.82024-03-07
The Booster Elite for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wc_add_new_product() function in all versions up to, and including, 7.1.7. This makes it possible for…
- CVE-2024-20272HIGHCVSS 7.3EG 7.32024-01-17
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system. This v…
- CVE-2024-20296MEDIUMCVSS 4.7EG 4.72024-07-17
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to upload arbitrary files to an affected device. To exploit this vulnerability, an attacker would n…
- CVE-2024-2058MEDIUMCVSS 4.7EG 4.72024-03-01
A vulnerability was found in SourceCodester Petrol Pump Management Software 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/app/product.php. The manipulation of the argum…
- CVE-2024-2059MEDIUMCVSS 4.7EG 4.72024-03-01
A vulnerability was found in SourceCodester Petrol Pump Management Software 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/app/service_crud.php. The manipulation of the argument …
- CVE-2024-2125HIGHCVSS 8.8EG 8.82024-04-09
The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the gallery_add function.…
- CVE-2024-2148MEDIUMCVSS 6.3EG 6.32024-03-03
A vulnerability classified as critical has been found in SourceCodester Online Mobile Management Store 1.0. This affects an unknown part of the file /classes/Users.php. The manipulation of the argument img leads to unrestricted upload. It …
- CVE-2024-22060MEDIUMCVSS 4.9EG 8.72024-05-31
An unrestricted file upload vulnerability in web component of Ivanti Neurons for ITSM allows a remote, authenticated, high privileged user to write arbitrary files into sensitive directories of ITSM server.
- CVE-2024-22135HIGHCVSS 8.0EG 8.02024-01-24
Unrestricted Upload of File with Dangerous Type vulnerability in WebToffee Order Export & Order Import for WooCommerce.This issue affects Order Export & Order Import for WooCommerce: from n/a through 2.4.3.
- CVE-2024-22152HIGHCVSS 8.0EG 8.02024-01-24
Unrestricted Upload of File with Dangerous Type vulnerability in WebToffee Product Import Export for WooCommerce.This issue affects Product Import Export for WooCommerce: from n/a through 2.3.7.
- CVE-2024-2221CRITICALCVSS 9.8EG 9.82024-04-10
qdrant/qdrant is vulnerable to a path traversal and arbitrary file upload vulnerability via the `/collections/{COLLECTION}/snapshots/upload` endpoint, specifically through the `snapshot` parameter. This vulnerability allows attackers to up…
- CVE-2024-22263HIGHCVSS 8.8EG 8.82024-06-19
Spring Cloud Data Flow is a microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes. The Skipper server has the ability to receive upload package requests. However, due to improper sanitization for upload pa…
- CVE-2024-22332MEDIUMCVSS 6.5EG 6.52024-02-09
The IBM Integration Bus for z/OS 10.1 through 10.1.0.2 AdminAPI is vulnerable to a denial of service due to file system exhaustion. IBM X-Force ID: 279972.
- CVE-2024-22393CRITICALCVSS 9.1EG 9.12024-02-22
Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. Pixel Flood Attack by uploading large pixel files will cause server out of memory. A logged-in user can cause…
- CVE-2024-22426HIGHCVSS 7.2EG 7.22024-02-16
Dell RecoverPoint for Virtual Machines 5.3.x, 6.0.SP1 contains an OS Command injection vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to execute arbitrary operating system commands, …
- CVE-2024-22515HIGHCVSS 8.8EG 8.82024-02-06
Unrestricted File Upload vulnerability in iSpyConnect.com Agent DVR 5.1.6.0 allows attackers to upload arbitrary files via the upload audio component.
- CVE-2024-22550MEDIUMCVSS 6.1EG 6.12024-01-26
An arbitrary file upload vulnerability in the component /alsdemo/ss/mediam.cgi of ShopSite v14.0 allows attackers to execute arbitrary code via uploading a crafted SVG file.
- CVE-2024-22567HIGHCVSS 8.8EG 8.82024-02-05
File Upload vulnerability in MCMS 5.3.5 allows attackers to upload arbitrary files via crafted POST request to /ms/file/upload.do.
- CVE-2024-22641HIGHCVSS 7.5EG 7.52024-05-28
TCPDF version 6.6.5 and before is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted SVG file.
- CVE-2024-2268MEDIUMCVSS 4.7EG 4.72024-03-07
A vulnerability was found in keerti1924 Online-Book-Store-Website 1.0. It has been classified as critical. Affected is an unknown function of the file /product_update.php?update=1. The manipulation of the argument update_image leads to unr…
- CVE-2024-22824CRITICALCVSS 9.8EG 9.82024-02-20
An issue in Timo v.2.0.3 allows a remote attacker to execute arbitrary code via the filetype restrictions in the UploadController.java component.
- CVE-2024-22895HIGHCVSS 8.8EG 8.82024-01-22
DedeCMS 5.7.112 has a File Upload vulnerability via uploads/dede/module_upload.php.
- CVE-2024-23180HIGHCVSS 8.8EG 8.82024-01-23
Improper input validation vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.1…
- CVE-2024-2334MEDIUMCVSS 6.4EG 6.42024-04-09
The Template Kit – Import plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template upload functionality in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping. Th…
- CVE-2024-23534HIGHCVSS 8.8EG 8.82024-04-19
An Unrestricted File-upload vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
- CVE-2024-23630CRITICALCVSS 9.0EG 9.02024-01-26
An arbitrary firmware upload vulnerability exists in the Motorola MR2600. An attacker can exploit this vulnerability to achieve code execution on the device. Authentication is required, however can be bypassed.
- CVE-2024-23759CRITICALCVSS 9.8EG 9.82024-02-12
Deserialization of Untrusted Data in Gambio through 4.9.2.0 allows attackers to run arbitrary code via "search" parameter of the Parcelshopfinder/AddAddressBookEntry" function.
- CVE-2024-23762HIGHCVSS 7.8EG 7.82024-02-12
Unrestricted File Upload vulnerability in Content Manager feature in Gambio 4.9.2.0 allows attackers to execute arbitrary code via upload of crafted PHP file.
- CVE-2024-2381HIGHCVSS 8.8EG 8.82024-06-19
The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. This makes it possi…
- CVE-2024-23811HIGHCVSS 8.8EG 8.82024-02-13
A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application allows users to upload arbitrary files via TFTP. This could allow an attacker to upload malicious firmware images or other files, that cou…
- CVE-2024-2394MEDIUMCVSS 4.7EG 4.72024-03-12
A vulnerability was found in SourceCodester Employee Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /Admin/add-admin.php. The manipulation of the argument avatar leads…
- CVE-2024-23946MEDIUMCVSS 5.3EG 5.32024-02-29
Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue.
- CVE-2024-24000CRITICALCVSS 9.8EG 9.82024-02-06
jshERP v3.3 is vulnerable to Arbitrary File Upload. The jshERP-boot/systemConfig/upload interface does not check the uploaded file type, and the biz parameter can be spliced into the upload path, resulting in arbitrary file uploads with co…
- CVE-2024-24024CRITICALCVSS 9.8EG 9.82024-02-08
An arbitrary File download vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: fileDownload(). An attacker can pass in specially crafted filePath and fieName parameters to perform arbitr…
- CVE-2024-24025CRITICALCVSS 9.8EG 9.82024-02-08
An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download.
- CVE-2024-24026CRITICALCVSS 9.8EG 9.82024-02-08
An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An attacker can pass in specially crafted filename parameter to perform arbitrary Fi…
- CVE-2024-2406MEDIUMCVSS 5.4EG 5.42024-03-12
A vulnerability, which was classified as critical, was found in Gacjie Server up to 1.0. This affects the function index of the file /app/admin/controller/Upload.php. The manipulation of the argument file leads to unrestricted upload. It i…
- CVE-2024-24146MEDIUMCVSS 6.5EG 6.52024-02-29
A memory leak issue discovered in parseSWF_DEFINEBUTTON in libming v0.4.8 allows attackers to cause s denial of service via a crafted SWF file.
- CVE-2024-24202CRITICALCVSS 9.8EG 9.82024-02-08
An arbitrary file upload vulnerability in /upgrade/control.php of ZenTao Community Edition v18.10, ZenTao Biz v8.10, and ZenTao Max v4.10 allows attackers to execute arbitrary code via uploading a crafted .txt file.
- CVE-2024-24350HIGHCVSS 8.8EG 8.82024-02-08
File Upload vulnerability in Software Publico e-Sic Livre v.2.0 and before allows a remote attacker to execute arbitrary code via the extension filtering component.
- CVE-2024-24393CRITICALCVSS 9.8EG 9.82024-02-08
File Upload vulnerability index.php in Pichome v.1.1.01 allows a remote attacker to execute arbitrary code via crafted POST request.
- CVE-2024-24399HIGHCVSS 7.2EG 7.22024-01-25
An arbitrary file upload vulnerability in LEPTON v7.0.0 allows authenticated attackers to execute arbitrary PHP code by uploading this code to the backend/languages/index.php languages area.
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →