CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,081 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 54 of 82
- CVE-2024-45263HIGHCVSS 8.8EG 8.82024-10-24
An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. The upload interface allows the uploading of arbitrary files to the device. Once the device executes the files, it can lead to…
- CVE-2024-45398HIGHCVSS 8.3EG 8.32024-09-17
Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious files and execute them on the server. Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to u…
- CVE-2024-4560CRITICALCVSS 9.8EG 9.82024-05-14
The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the chatbot_chatgpt_upload_file_to_assistant function in all versions up to, and including, 1.9.9. This…
- CVE-2024-45644MEDIUMCVSS 4.7EG 4.72025-03-19
IBM Security ReaQta 3.12 allows a privileged user to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
- CVE-2024-45960MEDIUMCVSS 4.8EG 4.82024-10-02
Zenario 9.7.61188 allows authenticated admin users to upload PDF files containing malicious code into the target system. If the PDF file is accessed through the website, it can trigger a Cross Site Scripting (XSS) attack.
- CVE-2024-45962MEDIUMCVSS 4.7EG 4.82024-10-02
October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute …
- CVE-2024-45965MEDIUMCVSS 6.4EG 4.82024-10-02
Contao before 5.5.6 allows XSS via an SVG document. This affects (in contao/core-bundle in Composer) 4.x before 4.13.54, 5.0.x through 5.3.x before 5.3.30, and 5.4.x and 5.5..x before 5.5.6.
- CVE-2024-46088CRITICALCVSS 9.8EG 9.82024-10-11
An arbitrary file upload vulnerability in the ProductAction.entphone interface of Zhejiang University Entersoft Customer Resource Management System v2002 to v2024 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-46101CRITICALCVSS 9.8EG 9.82024-09-20
GDidees CMS <= v3.9.1 has a file upload vulnerability.
- CVE-2024-46210HIGHCVSS 7.2EG 7.22025-01-10
An arbitrary file upload vulnerability in the MediaPool module of Redaxo CMS v5.17.1 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-46373HIGHCVSS 8.8EG 8.82024-09-18
Dedecms V5.7.115 contains an arbitrary code execution via file upload vulnerability in the backend.
- CVE-2024-46377CRITICALCVSS 9.8EG 9.82024-09-18
Best House Rental Management System 1.0 contains an arbitrary file upload vulnerability in the save_settings() function of the file rental/admin_class.php.
- CVE-2024-46441HIGHCVSS 8.8EG 8.82024-09-27
An arbitrary file upload vulnerability in YPay 1.2.0 allows attackers to execute arbitrary code via a ZIP archive to themePutFile in app/common/util/Upload.php (called from app/admin/controller/ypay/Home.php). The file extension of an unco…
- CVE-2024-46479CRITICALCVSS 9.9EG 9.92025-01-13
Venki Supravizio BPM through 18.0.1 was discovered to contain an arbitrary file upload vulnerability. An authenticated attacker may upload a malicious file, leading to remote code execution.
- CVE-2024-46482HIGHCVSS 8.2EG 8.22024-10-22
An arbitrary file upload vulnerability in the Ticket Generation function of Ladybird Web Solution Faveo-Helpdesk v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .html or .svg file.
- CVE-2024-46625HIGHCVSS 8.8EG 8.82024-12-03
An authenticated arbitrary file upload vulnerability in the /documentCache/upload endpoint of InfoDom Performa 365 v4.0.1 allows attackers to execute arbitrary code via uploading a crafted SVG file.
- CVE-2024-4681MEDIUMCVSS 4.7EG 4.72024-05-14
A vulnerability, which was classified as critical, was found in Campcodes Legal Case Management System 1.0. Affected is an unknown function of the file /admin/general-setting of the component Setting Handler. The manipulation of the argume…
- CVE-2024-47151MEDIUMCVSS 6.3EG 6.32024-12-26
Some Honor products are affected by file writing vulnerability, successful exploitation could cause code execution
- CVE-2024-47169HIGHCVSS 8.8EG 8.82024-09-26
Agnai is an artificial-intelligence-agnostic multi-user, mult-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to upload arbitrary files to attacker-chosen locations on the server, including JavaS…
- CVE-2024-47259LOWCVSS 3.5EG 3.52025-03-04
Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files to the Ax…
- CVE-2024-47319HIGHCVSS 8.0EG 8.02024-10-05
Unrestricted Upload of File with Dangerous Type vulnerability in Bit Apps Bit Form bit-form.This issue affects Bit Form: from n/a through <= 2.13.10.
- CVE-2024-47423HIGHCVSS 7.8EG 7.82024-10-09
Adobe Framemaker versions 2020.6, 2022.4 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by uploading …
- CVE-2024-47528MEDIUMCVSS 4.8EG 4.82024-10-01
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Stored Cross-Site Scripting (XSS) can be achieved by uploading a new Background for a Custom Map. Users with "admin" role can set background for a custom map, this…
- CVE-2024-47649CRITICALCVSS 9.1EG 9.12024-10-16
Unrestricted Upload of File with Dangerous Type vulnerability in THATplugin Iconize iconize.This issue affects Iconize: from n/a through <= 1.2.4.
- CVE-2024-47655HIGHCVSS 8.8EG 8.82024-10-04
This vulnerability exists in the Shilpi Client Dashboard due to improper validation of files being uploaded other than the specified extension. An authenticated remote attacker could exploit this vulnerability by uploading malicious file, …
- CVE-2024-47823CRITICALCVSS 9.8EG 9.82024-10-08
Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a r…
- CVE-2024-47946HIGHCVSS 7.2EG 7.22024-12-10
If the attacker has access to a valid Poweruser session, remote code execution is possible because specially crafted valid PNG files with injected PHP content can be uploaded as desktop backgrounds or lock screens. After the upload, the PH…
- CVE-2024-48027CRITICALCVSS 9.9EG 9.92024-10-16
Unrestricted Upload of File with Dangerous Type vulnerability in xaraartech External featured image from bing external-featured-image-from-bing allows Upload a Web Shell to a Web Server.This issue affects External featured image from bing:…
- CVE-2024-48034CRITICALCVSS 9.9EG 9.92024-10-16
Unrestricted Upload of File with Dangerous Type vulnerability in fliperrr Creates 3D Flipbook, PDF Flipbook create-flipbook-from-pdf allows Upload a Web Shell to a Web Server.This issue affects Creates 3D Flipbook, PDF Flipbook: from n/a t…
- CVE-2024-48035CRITICALCVSS 9.9EG 9.92024-10-16
Unrestricted Upload of File with Dangerous Type vulnerability in takayukii ACF Images Search And Insert acf-images-search-and-insert allows Upload a Web Shell to a Web Server.This issue affects ACF Images Search And Insert: from n/a throug…
- CVE-2024-4809MEDIUMCVSS 6.3EG 6.32024-05-14
A vulnerability has been found in SourceCodester Open Source Clinic Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file setting.php. The manipulation of the argument logo…
- CVE-2024-48093HIGHCVSS 8.0EG 8.02024-10-30
Unrestricted File Upload in the Discussions tab in Operately v.0.1.0 allows a privileged user to achieve Remote Code Execution via uploading and executing malicious files without validating file extensions or content types.
- CVE-2024-48180CRITICALCVSS 9.8EG 9.82024-10-16
ClassCMS <=4.8 is vulnerable to file inclusion in the nowView method in/class/cms/cms.php, which can include a file uploaded to the/class/template directory to execute PHP code.
- CVE-2024-4820MEDIUMCVSS 6.3EG 6.32024-05-14
A vulnerability was found in SourceCodester Online Computer and Laptop Store 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /classes/SystemSettings.php?f=update_settings. The m…
- CVE-2024-48202CRITICALCVSS 9.8EG 9.82024-10-30
icecms <=3.4.7 has a File Upload vulnerability in FileUtils.java,uploadFile.
- CVE-2024-4825CRITICALCVSS 9.8EG 9.82024-05-14
A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructu…
- CVE-2024-48454HIGHCVSS 7.2EG 7.22024-10-24
An issue in SourceCodester Purchase Order Management System v1.0 allows a remote attacker to execute arbitrary code via the /admin?page=user component
- CVE-2024-48594HIGHCVSS 8.8EG 8.82024-10-28
File Upload vulnerability in Prison Management System v.1.0 allows a remote attacker to execute arbitrary code via the file upload component.
- CVE-2024-48646HIGHCVSS 8.1EG 8.12024-10-30
An Unrestricted File Upload vulnerability exists in Sage 1000 v7.0.0, which allows authorized users to upload files without proper validation. An attacker could exploit this vulnerability by uploading malicious files, such as HTML, scripts…
- CVE-2024-48734HIGHCVSS 8.8EG 8.82024-10-30
Unrestricted file upload in /SASStudio/SASStudio/sasexec/{sessionID}/{InternalPath} in SAS Studio 9.4 allows remote attacker to upload malicious files. NOTE: this is disputed by the vendor because file upload is allowed for authorized user…
- CVE-2024-48760CRITICALCVSS 9.8EG 9.82025-01-14
An issue in GestioIP v3.5.7 allows a remote attacker to execute arbitrary code via the file upload function. The attacker can upload a malicious perlcmd.cgi file that overwrites the original upload.cgi file, enabling remote command executi…
- CVE-2024-48781CRITICALCVSS 9.8EG 9.82024-10-15
An issue in Wanxing Technology Yitu Project Management Kirin Edition 2.3.6 allows a remote attacker to execute arbitrary code via a specially constructed so file/opt/EdrawProj-2/plugins/imageformat.
- CVE-2024-48782CRITICALCVSS 9.8EG 9.82024-10-15
File Upload vulnerability in DYCMS Open-Source Version v2.0.9.41 allows a remote attacker to execute arbitrary code via the application only detecting the extension of image files in the front-end.
- CVE-2024-4904MEDIUMCVSS 6.3EG 6.32024-05-15
A vulnerability was found in Byzoro Smart S200 Management Platform up to 20240507. It has been rated as critical. This issue affects some unknown processing of the file /useratte/userattestation.php. The manipulation of the argument web_im…
- CVE-2024-4920HIGHCVSS 7.3EG 7.32024-05-16
A vulnerability was found in SourceCodester Online Discussion Forum Site 1.0. It has been rated as critical. This issue affects some unknown processing of the file registerH.php. The manipulation of the argument ima leads to unrestricted u…
- CVE-2024-4921MEDIUMCVSS 6.3EG 6.32024-05-16
A vulnerability classified as critical has been found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0. Affected is an unknown function of the file /employee_gatepass/classes/Users.php?f=ssave. The manipulation of the ar…
- CVE-2024-49216CRITICALCVSS 10.0EG 10.02024-10-16
Unrestricted Upload of File with Dangerous Type vulnerability in jclay06 Feed Comments Number feed-comments-number allows Upload a Web Shell to a Web Server.This issue affects Feed Comments Number: from n/a through <= 0.2.1.
- CVE-2024-4923MEDIUMCVSS 6.3EG 6.32024-05-16
A vulnerability has been found in Codezips E-Commerce Site 1.0 and classified as critical. This vulnerability affects unknown code of the file admin/addproduct.php. The manipulation of the argument profilepic leads to unrestricted upload. …
- CVE-2024-49242CRITICALCVSS 10.0EG 10.02024-10-16
Unrestricted Upload of File with Dangerous Type vulnerability in Shafiq Digital Lottery digital-lottery allows Upload a Web Shell to a Web Server.This issue affects Digital Lottery: from n/a through <= 3.0.5.
- CVE-2024-49257CRITICALCVSS 10.0EG 10.02024-10-16
Unrestricted Upload of File with Dangerous Type vulnerability in Denis Azz Anonim Posting azz-anonim-posting allows Upload a Web Shell to a Web Server.This issue affects Azz Anonim Posting: from n/a through <= 0.9.
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →