CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,081 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 49 of 82
- CVE-2024-24550HIGHCVSS 8.1EG 8.12024-06-24
A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from…
- CVE-2024-24551HIGHCVSS 8.8EG 8.82024-06-24
A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload…
- CVE-2024-24714HIGHCVSS 7.2EG 7.22024-02-26
Unrestricted Upload of File with Dangerous Type vulnerability in bPlugins LLC Icons Font Loader.This issue affects Icons Font Loader: from n/a through 1.1.4.
- CVE-2024-24809HIGHCVSS 8.5EG 9.02024-04-10
Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user…
- CVE-2024-25019MEDIUMCVSS 5.5EG 5.52024-12-03
IBM Cognos Controller 11.0.0 and 11.0.1 could be vulnerable to malicious file upload by not validating the type of file uploaded to Journal entry attachments. Attackers can make use of this weakness and upload malicious executable files …
- CVE-2024-25020MEDIUMCVSS 5.5EG 5.52024-12-03
IBM Cognos Controller 11.0.0 and 11.0.1 is vulnerable to malicious file upload by allowing unrestricted filetype attachments in the Journal entry page. Attackers can make use of this weakness and upload malicious executable f…
- CVE-2024-25034HIGHCVSS 8.0EG 8.02025-01-24
IBM Planning Analytics 2.0 and 2.1 could be vulnerable to malicious file upload by not validating the type of file in the File Manager T1 process. Attackers can make use of this weakness and upload malicious executable files into the syste…
- CVE-2024-25182CRITICALCVSS 9.8EG 9.82025-12-29
givanz VvvebJs 1.7.2 suffers from a File Upload vulnerability via save.php.
- CVE-2024-25274CRITICALCVSS 9.8EG 9.82024-02-20
An arbitrary file upload vulnerability in the component /sysFile/upload of Novel-Plus v4.3.0-RC1 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-2529MEDIUMCVSS 6.3EG 6.32024-03-16
A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/rooms.php. The manipulation leads to unrestricted upload…
- CVE-2024-2531MEDIUMCVSS 6.3EG 6.32024-03-16
A vulnerability classified as critical has been found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected is an unknown function of the file /admin/update-rooms.php. The manipulation leads to unrestricted upload. It is…
- CVE-2024-25410MEDIUMCVSS 6.5EG 6.52024-02-26
flusity-CMS 2.33 is vulnerable to Unrestricted Upload of File with Dangerous Type in update_setting.php.
- CVE-2024-25414CRITICALCVSS 9.8EG 9.82024-02-16
An arbitrary file upload vulnerability in /admin/upgrade of CSZ CMS v1.3.0 allows attackers to execute arbitrary code via uploading a crafted Zip file.
- CVE-2024-2561MEDIUMCVSS 6.3EG 6.32024-03-17
A vulnerability, which was classified as critical, has been found in 74CMS 3.28.0. Affected by this issue is the function sendCompanyLogo of the file /controller/company/Index.php#sendCompanyLogo of the component Company Logo Handler. The …
- CVE-2024-25623HIGHCVSS 8.5EG 8.52024-02-19
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-…
- CVE-2024-25627LOWCVSS 3.5EG 3.52024-02-16
Alf.io is a free and open source event attendance management system. An administrator on the alf.io application is able to upload HTML files that trigger JavaScript payloads. As such, an attacker gaining administrative access to the alf.io…
- CVE-2024-25636HIGHCVSS 7.1EG 7.12024-02-19
Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Conten…
- CVE-2024-2565MEDIUMCVSS 6.3EG 6.32024-03-17
A vulnerability was found in PandaXGO PandaX up to 20240310. It has been classified as critical. Affected is an unknown function of the file /apps/system/router/upload.go of the component File Extension Handler. The manipulation of the arg…
- CVE-2024-25674CRITICALCVSS 9.8EG 9.82024-02-09
An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.
- CVE-2024-25801MEDIUMCVSS 6.1EG 6.12024-02-22
SKINsoft S-Museum 7.02.3 allows XSS via the filename of an uploaded file. Unlike in CVE-2024-25802, the attack payload is in the name (not the content) of a file.
- CVE-2024-25802CRITICALCVSS 9.8EG 9.82024-02-22
SKINsoft S-Museum 7.02.3 allows Unrestricted File Upload via the Add Media function. Unlike in CVE-2024-25801, the attack payload is the file content.
- CVE-2024-25832HIGHCVSS 8.8EG 8.82024-02-29
F-logic DataCube3 v1.0 is vulnerable to unrestricted file upload, which could allow an authenticated malicious actor to upload a file of dangerous type by manipulating the filename extension.
- CVE-2024-25846CRITICALCVSS 9.1EG 9.12024-02-27
In the module "Product Catalog (CSV, Excel) Import" (simpleimportproduct) <= 6.7.0 from MyPrestaModules for PrestaShop, a guest can upload files with extensions .php.
- CVE-2024-25869HIGHCVSS 8.8EG 8.82024-02-28
An Unrestricted File Upload vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary code via upload of a crafted php file in the settings.php component.
- CVE-2024-25909CRITICALCVSS 9.9EG 9.92024-02-26
Unrestricted Upload of File with Dangerous Type vulnerability in JoomUnited WP Media folder.This issue affects WP Media folder: from n/a through 5.7.2.
- CVE-2024-25913CRITICALCVSS 10.0EG 10.02024-02-26
Unrestricted Upload of File with Dangerous Type vulnerability in Skymoonlabs MoveTo.This issue affects MoveTo: from n/a through 6.2.
- CVE-2024-25925CRITICALCVSS 10.0EG 10.02024-02-26
Unrestricted Upload of File with Dangerous Type vulnerability in SYSBASICS WooCommerce Easy Checkout Field Editor, Fees & Discounts.This issue affects WooCommerce Easy Checkout Field Editor, Fees & Discounts: from n/a through 3.5.12.
- CVE-2024-2599CRITICALCVSS 9.9EG 9.92024-03-18
File upload restriction evasion vulnerability in AMSS++ version 4.31. This vulnerability could allow an authenticated user to potentially obtain RCE through webshell, compromising the entire infrastructure.
- CVE-2024-25994MEDIUMCVSS 5.3EG 5.32024-03-12
An unauthenticated remote attacker can upload a arbitrary script file due to improper input validation. The upload destination is fixed and is write only.
- CVE-2024-2604MEDIUMCVSS 6.3EG 6.32024-03-18
A vulnerability was found in SourceCodester File Manager App 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /endpoint/update-file.php. The manipulation of the argument file leads to unrestricted …
- CVE-2024-2636CRITICALCVSS 9.0EG 9.02024-03-19
An Unrestricted Upload of File vulnerability has been found on Cegid Meta4 HR, that allows an attacker to upload malicios files to the server via '/config/espanol/update_password.jsp' file. Modifying the 'M4_NEW_PASSWORD' parameter, an at…
- CVE-2024-26503CRITICALCVSS 9.1EG 9.12024-03-14
Unrestricted File Upload vulnerability in Greek Universities Network Open eClass v.3.15 and earlier allows attackers to run arbitrary code via upload of crafted file to certbadge.php endpoint.
- CVE-2024-2667CRITICALCVSS 9.8EG 9.82024-05-02
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and…
- CVE-2024-2690MEDIUMCVSS 6.3EG 6.32024-03-20
A vulnerability was found in SourceCodester Online Discussion Forum Site 1.0. It has been classified as critical. Affected is an unknown function of the file /uupdate.php. The manipulation of the argument ima leads to unrestricted upload. …
- CVE-2024-27115CRITICALCVSS 9.8EG 9.82024-09-11
A unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerability, an attacker can upload executable files that are moved to a publicly accessible folder before verifying …
- CVE-2024-27283HIGHCVSS 7.2EG 7.22024-02-22
A vulnerability was discovered in Veritas eDiscovery Platform before 10.2.5. The application administrator can upload potentially malicious files to arbitrary locations on the server on which the application is installed.
- CVE-2024-27311MEDIUMCVSS 5.5EG 5.52024-07-17
Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to directory traversal vulnerability which allows the user to upload new files to the server folder.
- CVE-2024-27480CRITICALCVSS 9.8EG 9.82025-12-29
givanz VvvebJs 1.7.2 is vulnerable to Insecure File Upload.
- CVE-2024-2754MEDIUMCVSS 4.7EG 4.72024-03-21
A vulnerability classified as critical has been found in SourceCodester Complete E-Commerce Site 1.0. Affected is an unknown function of the file /admin/users_photo.php. The manipulation of the argument photo leads to unrestricted upload. …
- CVE-2024-27733HIGHCVSS 7.7EG 7.72024-03-07
File Upload vulnerability in Byzro Network Smart s42 Management Platform v.S42 allows a local attacker to execute arbitrary code via the useratte/userattestation.php component.
- CVE-2024-27747CRITICALCVSS 9.8EG 9.82024-03-01
File Upload vulnerability in Petrol Pump Mangement Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the email Image parameter in the profile.php component.
- CVE-2024-27903CRITICALCVSS 9.8EG 7.22024-07-08
OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service.
- CVE-2024-27923HIGHCVSS 8.8EG 8.82024-03-21
Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the `frontmatter` feature due to insufficient permission validation and inadequate file name validation. This may lead to remote code ex…
- CVE-2024-27943HIGHCVSS 7.2EG 7.22024-05-14
A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow a privileged user to upload generic files to the root installation directory of the system. By replacing specific files, an attacke…
- CVE-2024-27944HIGHCVSS 7.2EG 7.22024-05-14
A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow a privileged user to upload firmware files to the root installation directory of the system. By replacing specific files, an attack…
- CVE-2024-27945HIGHCVSS 7.2EG 7.22024-05-14
A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The bulk import feature of the affected systems allow a privileged user to upload files to the root installation directory of the system. By replacing specifi…
- CVE-2024-27951CRITICALCVSS 9.1EG 9.12024-04-03
Unrestricted Upload of File with Dangerous Type vulnerability in Themeisle Multiple Page Generator Plugin – MPG allows Upload a Web Shell to a Web Server.This issue affects Multiple Page Generator Plugin – MPG: from n/a through 3.4.0.
- CVE-2024-27957CRITICALCVSS 10.0EG 10.02024-03-17
Unrestricted Upload of File with Dangerous Type vulnerability in Pie Register.This issue affects Pie Register: from n/a through 3.8.3.1.
- CVE-2024-27964HIGHCVSS 8.8EG 8.82024-03-21
Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy.This issue affects Zippy: from n/a through 1.6.9.
- CVE-2024-28105HIGHCVSS 7.2EG 7.22024-03-25
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The category image upload function in phpmyfaq is vulnerable to manipulation of the `Content-type` and `lang` parameters, allowing attac…
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →