CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,081 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 52 of 82
- CVE-2024-35527CRITICALCVSS 9.8EG 9.82024-06-25
An arbitrary file upload vulnerability in /fileupload/upload.cfm in Daemon PTY Limited FarCry Core framework before 7.2.14 allows attackers to execute arbitrary code via uploading a crafted .cfm file.
- CVE-2024-35570CRITICALCVSS 9.8EG 9.82024-05-23
An arbitrary file upload vulnerability in the component \controller\ImageUploadController.class of inxedu v2.0.6 allows attackers to execute arbitrary code via uploading a crafted jsp file.
- CVE-2024-35593MEDIUMCVSS 5.5EG 5.52024-05-24
An arbitrary file upload vulnerability in the File preview function of Raingad IM v4.1.4 allows attackers to execute arbitrary code via uploading a crafted PDF file.
- CVE-2024-35746CRITICALCVSS 10.0EG 10.02024-06-10
Unrestricted Upload of File with Dangerous Type vulnerability in Asghar Hatampoor BuddyPress Cover allows Code Injection.This issue affects BuddyPress Cover: from n/a through 2.1.4.2.
- CVE-2024-35767CRITICALCVSS 9.1EG 9.12024-06-21
Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze allows Code Injection.This issue affects Squeeze: from n/a through 1.4.
- CVE-2024-36396HIGHCVSS 8.8EG 8.82024-06-13
Verint - CWE-434: Unrestricted Upload of File with Dangerous Type
- CVE-2024-36415CRITICALCVSS 9.1EG 9.12024-06-10
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6…
- CVE-2024-36774HIGHCVSS 7.2EG 7.22024-06-06
An arbitrary file upload vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2024-36858CRITICALCVSS 9.8EG 9.82024-06-04
An arbitrary file upload vulnerability in the /v1/app/writeFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-36987MEDIUMCVSS 4.3EG 4.32024-07-01
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, an authenticated, low-privileged user who does not hold the admin or power Splunk roles could upload a file with an arbitra…
- CVE-2024-3705HIGHCVSS 8.8EG 8.82024-04-12
Unrestricted file upload vulnerability in OpenGnsys affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to send a POST request to the endpoint '/opengnsys/images/M_Icons.php' modifying the file extension, due to lack o…
- CVE-2024-37179HIGHCVSS 7.7EG 7.72024-10-08
SAP BusinessObjects Business Intelligence Platform allows an authenticated user to send a specially crafted request to the Web Intelligence Reporting Server to download any file from the machine hosting the service, causing high impact on …
- CVE-2024-37228CRITICALCVSS 10.0EG 10.02024-06-24
Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.38.
- CVE-2024-37273CRITICALCVSS 9.8EG 9.82024-06-04
An arbitrary file upload vulnerability in the /v1/app/appendFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-3736MEDIUMCVSS 4.3EG 4.32024-04-13
A vulnerability was found in cym1102 nginxWebUI up to 3.9.9. It has been declared as problematic. Affected by this vulnerability is the function upload of the file /adminPage/main/upload. The manipulation leads to unrestricted upload. The …
- CVE-2024-37418CRITICALCVSS 9.9EG 9.92024-07-09
Unrestricted Upload of File with Dangerous Type vulnerability in andy_moyle Church Admin church-admin.This issue affects Church Admin: from n/a through <= 4.4.6.
- CVE-2024-37420CRITICALCVSS 9.9EG 9.92024-07-09
Unrestricted Upload of File with Dangerous Type vulnerability in WPZita Zita Elementor Site Library allows Upload a Web Shell to a Web Server.This issue affects Zita Elementor Site Library: from n/a through 1.6.1.
- CVE-2024-37424CRITICALCVSS 9.9EG 9.92024-07-09
Unrestricted Upload of File with Dangerous Type vulnerability in Automattic Newspack Blocks allows Upload a Web Shell to a Web Server.This issue affects Newspack Blocks: from n/a through 3.0.8.
- CVE-2024-37555CRITICALCVSS 9.1EG 9.12024-07-09
Unrestricted Upload of File with Dangerous Type vulnerability in ZealousWeb Generate PDF using Contact Form 7 generate-pdf-using-contact-form-7.This issue affects Generate PDF using Contact Form 7: from n/a through <= 4.1.2.
- CVE-2024-37762CRITICALCVSS 9.9EG 9.92024-07-01
MachForm up to version 21 is affected by an authenticated unrestricted file upload which leads to a remote code execution.
- CVE-2024-3778HIGHCVSS 7.2EG 7.22024-04-15
The file upload functionality of Ai3 QbiBot does not properly restrict types of uploaded files, allowing remote attackers with administrator privilege to upload files with dangerous type containing malicious code.
- CVE-2024-37847HIGHCVSS 8.8EG 9.82024-10-25
An arbitrary file upload vulnerability in MangoOS before 5.1.4 and Mango API before 4.5.5 allows attackers to execute arbitrary code via a crafted file.
- CVE-2024-37868HIGHCVSS 8.8EG 8.82024-10-04
File Upload vulnerability in Itsourcecode Online Discussion Forum Project v.1.0 allows a remote attacker to execute arbitrary code via the "sendreply.php" file, and the uploaded file was received using the "$- FILES" variable.
- CVE-2024-37869HIGHCVSS 8.8EG 8.82024-10-04
File Upload vulnerability in Itsourcecode Online Discussion Forum Project v.1.0 allows a remote attacker to execute arbitrary code via the "poster.php" file, and the uploaded file was received using the "$- FILES" variable
- CVE-2024-3803MEDIUMCVSS 6.3EG 6.32024-04-15
A vulnerability classified as critical was found in Vesystem Cloud Desktop up to 20240408. This vulnerability affects unknown code of the file /Public/webuploader/0.1.5/server/fileupload.php. The manipulation of the argument file leads to …
- CVE-2024-3804MEDIUMCVSS 6.3EG 6.32024-04-15
A vulnerability, which was classified as critical, has been found in Vesystem Cloud Desktop up to 20240408. This issue affects some unknown processing of the file /Public/webuploader/0.1.5/server/fileupload2.php. The manipulation of the ar…
- CVE-2024-38529CRITICALCVSS 9.0EG 9.02024-07-29
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.10, there is a Remote Code Execution Vulnerability in the Message module of the Admidio Application, where it is …
- CVE-2024-38530CRITICALCVSS 9.8EG 9.82024-08-12
The Open eClass platform (formerly known as GUnet eClass) is a complete Course Management System. An arbitrary file upload vulnerability in the "save" functionality of the H5P module enables unauthenticated users to upload arbitrary files …
- CVE-2024-3863CRITICALCVSS 9.8EG 9.82024-04-16
The executable file warning was not presented when downloading .xrm-ms files. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 125, Firefox ESR < 115…
- CVE-2024-38734CRITICALCVSS 9.1EG 9.12024-07-12
Unrestricted Upload of File with Dangerous Type vulnerability in SpreadsheetConverter Import Spreadsheets from Microsoft Excel allows Code Injection.This issue affects Import Spreadsheets from Microsoft Excel: from n/a through 10.1.4.
- CVE-2024-38736CRITICALCVSS 9.1EG 9.12024-07-12
Unrestricted Upload of File with Dangerous Type vulnerability in Realtyna Realtyna Organic IDX plugin allows Code Injection.This issue affects Realtyna Organic IDX plugin: from n/a through 4.14.13.
- CVE-2024-3912CRITICALCVSS 9.8EG 9.82024-06-14
Certain models of ASUS routers have an arbitrary firmware upload vulnerability. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary system commands on the device.
- CVE-2024-39397CRITICALCVSS 9.0EG 9.02024-08-14
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution by an attacker. An attacker could exp…
- CVE-2024-3948MEDIUMCVSS 6.3EG 6.32024-04-18
A vulnerability was found in SourceCodester Home Clean Service System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file \admin\student.add.php of the component Photo Handler. The manipulat…
- CVE-2024-3962CRITICALCVSS 9.8EG 9.82024-04-26
The Product Addons & Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ppom_upload_file function in all versions up to, and including, 32.0.18. This makes it poss…
- CVE-2024-39717HIGHCVSS 7.2EG 9.0⚠ KEV2024-08-22
The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. (Tenant level users do no…
- CVE-2024-39752MEDIUMCVSS 6.8EG 6.82025-07-10
IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 could be vulnerable to malicious file upload by not validating the type of file uploaded to Explore Content. Attackers can make use of this weakness and upload malicious executable files int…
- CVE-2024-39865HIGHCVSS 8.8EG 8.82024-07-09
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows users to upload encrypted backup files. As part of this backup, files can be restored without correctly checking…
- CVE-2024-40071CRITICALCVSS 9.8EG 9.82025-04-16
Sourcecodester Online ID Generator System 1.0 was discovered to contain an arbitrary file upload vulnerability via id_generator/classes/SystemSettings.php?f=update_settings. This vulnerability allows attackers to execute arbitrary code via…
- CVE-2024-40125CRITICALCVSS 9.8EG 7.32024-09-19
An arbitrary file upload vulnerability in the Media Manager function of Closed-Loop Technology CLESS Server v4.5.2 allows attackers to execute arbitrary code via uploading a crafted PHP file to the upload endpoint.
- CVE-2024-40318HIGHCVSS 7.2EG 7.22024-07-25
An arbitrary file upload vulnerability in Webkul Qloapps v1.6.0.0 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-4033HIGHCVSS 8.8EG 8.82024-05-02
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the aiovg_create_attachment_from_external_image_url function in all versions up to, and including, 3.6.4. This…
- CVE-2024-40394CRITICALCVSS 9.8EG 9.82024-07-16
Simple Library Management System Project Using PHP/MySQL v1.0 was discovered to contain an arbitrary file upload vulnerability via the component ajax.php.
- CVE-2024-40400HIGHCVSS 8.8EG 8.82024-07-19
An arbitrary file upload vulnerability in the image upload function of Automad v2.0.0 allows attackers to execute arbitrary code via a crafted file.
- CVE-2024-40425CRITICALCVSS 9.8EG 9.82024-07-16
File Upload vulnerability in Nanjin Xingyuantu Technology Co Sparkshop (Spark Mall B2C Mall v.1.1.6 and before allows a remote attacker to execute arbitrary code via the contorller/common.php component.
- CVE-2024-40513MEDIUMCVSS 4.6EG 4.62025-01-16
An issue in themesebrand Chatvia v.5.3.2 allows a remote attacker to execute arbitrary code via the User profile Upload image function.
- CVE-2024-40545HIGHCVSS 8.8EG 8.82024-07-12
An arbitrary file upload vulnerability in the component /admin/cmsWebFile/doUpload of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-40546HIGHCVSS 8.8EG 8.82024-07-12
An arbitrary file upload vulnerability in the component /admin/cmsWebFile/save of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-40548HIGHCVSS 8.8EG 8.82024-07-12
An arbitrary file upload vulnerability in the component /admin/cmsTemplate/save of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-40549HIGHCVSS 8.8EG 8.82024-07-12
An arbitrary file upload vulnerability in the component /admin/cmsTemplate/savePlace of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →