CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,081 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 50 of 82
- CVE-2024-28147HIGHCVSS 7.4EG 7.42024-06-20
An authenticated user can upload arbitrary files in the upload function for collection preview images. An attacker may upload an HTML file that includes malicious JavaScript code which will be executed if a user visits the direct URL of…
- CVE-2024-28166LOWCVSS 3.7EG 3.72024-08-13
SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application. On successful exploitation, the attacker can cause a low impact…
- CVE-2024-28269HIGHCVSS 7.2EG 7.22024-04-30
ReCrystallize Server 5.10.0.0 allows administrators to upload files to the server. The file upload is not restricted, leading to the ability to upload of malicious files. This could result in a Remote Code Execution.
- CVE-2024-28418MEDIUMCVSS 6.5EG 6.52024-03-14
Webedition CMS 9.2.2.0 has a File upload vulnerability via /webEdition/we_cmd.php
- CVE-2024-28423CRITICALCVSS 9.8EG 9.82024-03-14
Airflow-Diagrams v2.1.0 was discovered to contain an arbitrary file upload vulnerability in the unsafe_load function at cli.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted YML file.
- CVE-2024-28425HIGHCVSS 7.5EG 7.52024-03-14
greykite v1.0.0 was discovered to contain an arbitrary file upload vulnerability in the load_obj function at /templates/pickle_utils.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-28441CRITICALCVSS 9.8EG 9.82024-03-22
File Upload vulnerability in magicflue v.7.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the messageid parameter of the mail/mailupdate.jsp endpoint.
- CVE-2024-2849MEDIUMCVSS 6.3EG 6.32024-03-23
A vulnerability classified as critical was found in SourceCodester Simple File Manager 1.0. This vulnerability affects unknown code. The manipulation of the argument photo leads to unrestricted upload. The attack can be initiated remotely.…
- CVE-2024-28520MEDIUMCVSS 6.5EG 6.52024-04-04
File Upload vulnerability in Byzoro Networks Smart multi-service security gateway intelligent management platform version S210, allows an attacker to obtain sensitive information via the uploadfile.php component.
- CVE-2024-28713CRITICALCVSS 9.8EG 9.82024-03-28
An issue in Mblog Blog system v.3.5.0 allows an attacker to execute arbitrary code via a crafted file to the theme management feature.
- CVE-2024-28890MEDIUMCVSS 5.3EG 5.32024-04-23
Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site t…
- CVE-2024-2890CRITICALCVSS 9.1EG 9.12024-03-28
Unrestricted Upload of File with Dangerous Type vulnerability in Tumult Inc. Tumult Hype Animations.This issue affects Tumult Hype Animations: from n/a through 1.9.12.
- CVE-2024-29100CRITICALCVSS 9.1EG 9.12024-03-28
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.This issue affects AI Engine: ChatGPT Chatbot: from n/a through 2.1.4.
- CVE-2024-29135CRITICALCVSS 9.9EG 9.92024-03-19
Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic tourfic.This issue affects Tourfic: from n/a through <= 2.11.15.
- CVE-2024-29272MEDIUMCVSS 6.5EG 9.02024-03-22
Arbitrary File Upload vulnerability in VvvebJs before version 1.7.5, allows unauthenticated remote attackers to execute arbitrary code and obtain sensitive information via the sanitizeFileName parameter in save.php.
- CVE-2024-2930HIGHCVSS 7.3EG 7.32024-03-27
A vulnerability was found in SourceCodester Music Gallery Site 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file classes/Master.php?f=save_music. The manipulation leads to unrestr…
- CVE-2024-29368MEDIUMCVSS 6.5EG 6.52024-04-22
An arbitrary file upload vulnerability in the file handling module of moziloCMS v2.0 allows attackers to bypass extension restrictions via file renaming, potentially leading to unauthorized file execution or storage of malicious content.
- CVE-2024-29387HIGHCVSS 8.8EG 8.82024-04-04
projeqtor up to 11.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /view/print.php.
- CVE-2024-29514HIGHCVSS 8.8EG 8.82024-04-02
File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2024-29515HIGHCVSS 8.8EG 8.82024-03-25
File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file to the save.php and config.php component.
- CVE-2024-29661CRITICALCVSS 9.8EG 9.82024-04-22
A File Upload vulnerability in DedeCMS v5.7 allows a local attacker to execute arbitrary code via a crafted payload.
- CVE-2024-29848HIGHCVSS 7.2EG 7.22024-05-31
An unrestricted file upload vulnerability in web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM.
- CVE-2024-29859CRITICALCVSS 9.8EG 9.82024-03-21
In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.
- CVE-2024-29891HIGHCVSS 8.7EG 8.72024-03-27
ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible v…
- CVE-2024-29974CRITICALCVSS 9.8EG 9.82024-06-04
** UNSUPPORTED WHEN ASSIGNED ** The remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an…
- CVE-2024-3022HIGHCVSS 7.2EG 7.22024-04-04
The BookingPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient filename validation in the 'bookingpress_process_upload' function in all versions up to, and including 1.0.87. This allows an authenticated a…
- CVE-2024-30231CRITICALCVSS 9.1EG 9.12024-03-26
Unrestricted Upload of File with Dangerous Type vulnerability in WebToffee Product Import Export for WooCommerce.This issue affects Product Import Export for WooCommerce: from n/a through 2.4.1.
- CVE-2024-30500CRITICALCVSS 9.9EG 9.92024-03-29
Unrestricted Upload of File with Dangerous Type vulnerability in CubeWP CubeWP – All-in-One Dynamic Content Framework.This issue affects CubeWP – All-in-One Dynamic Content Framework: from n/a through 1.1.12.
- CVE-2024-30510CRITICALCVSS 10.0EG 10.02024-03-29
Unrestricted Upload of File with Dangerous Type vulnerability in Salon Booking System Salon booking system.This issue affects Salon booking system: from n/a through 9.5.
- CVE-2024-30533HIGHCVSS 7.5EG 7.52024-03-31
Unrestricted Upload of File with Dangerous Type vulnerability in Techeshta Layouts for Elementor.This issue affects Layouts for Elementor: from n/a before 1.8.
- CVE-2024-31012CRITICALCVSS 9.8EG 9.82024-04-03
An issue was discovered in SEMCMS v.4.8, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the upload.php file.
- CVE-2024-31114CRITICALCVSS 9.1EG 9.12024-03-31
Unrestricted Upload of File with Dangerous Type vulnerability in biplob018 Shortcode Addons.This issue affects Shortcode Addons: from n/a through 3.2.5.
- CVE-2024-31115CRITICALCVSS 10.0EG 10.02024-03-31
Unrestricted Upload of File with Dangerous Type vulnerability in QuanticaLabs Chauffeur Taxi Booking System for WordPress.This issue affects Chauffeur Taxi Booking System for WordPress: from n/a through 7.2.
- CVE-2024-3112MEDIUMCVSS 4.8EG 4.82024-07-12
The Quotes and Tips by BestWebSoft WordPress plugin before 1.45 does not properly validate image files uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (f…
- CVE-2024-31161HIGHCVSS 7.2EG 7.22024-06-14
The upload functionality of ASUS Download Master does not properly filter user input. Remote attackers with administrative privilege can exploit this vulnerability to upload any file to any location. They may even upload malicious web page…
- CVE-2024-3117MEDIUMCVSS 4.7EG 4.72024-03-31
A vulnerability classified as critical was found in YouDianCMS up to 9.5.12. This vulnerability affects unknown code of the file App\Lib\Action\Admin\ChannelAction.class.php. The manipulation of the argument file leads to unrestricted uplo…
- CVE-2024-31210HIGHCVSS 7.6EG 7.62024-04-04
WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP…
- CVE-2024-31214CRITICALCVSS 9.6EG 9.62024-04-10
Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory …
- CVE-2024-3123HIGHCVSS 7.2EG 7.22024-07-01
CHANGING Mobile One Time Password's uploading function in a hidden page does not filter file type properly. Remote attackers with administrator privilege can exploit this vulnerability to upload and run malicious file to execute system co…
- CVE-2024-31280CRITICALCVSS 9.9EG 9.92024-04-07
Unrestricted Upload of File with Dangerous Type vulnerability in andy_moyle Church Admin church-admin.This issue affects Church Admin: from n/a through <= 4.1.5.
- CVE-2024-31286CRITICALCVSS 9.9EG 9.92024-04-07
Unrestricted Upload of File with Dangerous Type vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a before 8.6.03.005.
- CVE-2024-3129MEDIUMCVSS 6.3EG 6.32024-04-01
A vulnerability was found in SourceCodester Image Accordion Gallery App 1.0. It has been classified as critical. This affects an unknown part of the file /endpoint/add-image.php. The manipulation of the argument image_name leads to unrestr…
- CVE-2024-31292HIGHCVSS 7.2EG 7.22024-04-07
Unrestricted Upload of File with Dangerous Type vulnerability in Moove Agency Import XML and RSS Feeds.This issue affects Import XML and RSS Feeds: from n/a through 2.1.5.
- CVE-2024-31345CRITICALCVSS 9.1EG 9.12024-04-07
Unrestricted Upload of File with Dangerous Type vulnerability in Sukhchain Singh Auto Poster.This issue affects Auto Poster: from n/a through 1.2.
- CVE-2024-31351CRITICALCVSS 10.0EG 10.02024-05-17
Unrestricted Upload of File with Dangerous Type vulnerability in Copymatic Copymatic – AI Content Writer & Generator.This issue affects Copymatic – AI Content Writer & Generator: from n/a through 1.6.
- CVE-2024-31377CRITICALCVSS 10.0EG 10.02024-05-14
Unrestricted Upload of File with Dangerous Type vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a through 8.7.01.001.
- CVE-2024-31411HIGHCVSS 8.8EG 8.82024-07-17
Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes. Such a dangerous type might be an executable file that may lead to a remote code execution (RCE). The unrestricted upload is only possible for authenticat…
- CVE-2024-31453MEDIUMCVSS 6.5EG 6.52024-04-09
PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.2.0, the absence of restrictions on the endpoint, which allows users to create a path for uploading a file in a file distribution, allows an attacker to a…
- CVE-2024-31454MEDIUMCVSS 6.5EG 6.52024-04-09
PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.2.0, the absence of restrictions on the endpoint, which is designed for uploading files, allows an attacker who received the id of a file distribution to …
- CVE-2024-31610MEDIUMCVSS 6.3EG 6.32024-04-25
File Upload vulnerability in the function for employees to upload avatars in Code-Projects Simple School Management System v1.0 allows attackers to run arbitrary code via upload of crafted file.
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →