CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,081 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 57 of 82
- CVE-2024-5247HIGHCVSS 8.8EG 8.82024-05-23
NETGEAR ProSAFE Network Management System UpLoadServlet Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network…
- CVE-2024-52476CRITICALCVSS 10.0EG 10.02024-12-02
Unrestricted Upload of File with Dangerous Type vulnerability in Stefan Bohacek Fediverse Embeds fediverse-embeds allows Upload a Web Shell to a Web Server.This issue affects Fediverse Embeds: from n/a through <= 1.5.3.
- CVE-2024-52488CRITICALCVSS 9.9EG 9.92026-06-17
Subscriber Arbitrary File Upload in Grip <= 1.0.9 versions.
- CVE-2024-52490CRITICALCVSS 10.0EG 10.02024-11-28
Unrestricted Upload of File with Dangerous Type vulnerability in pathomation Pathomation pathomation allows Upload a Web Shell to a Web Server.This issue affects Pathomation: from n/a through <= 2.5.1.
- CVE-2024-52677CRITICALCVSS 9.8EG 9.82024-11-20
HkCms <= v2.3.2.240702 is vulnerable to file upload in the getFileName method in /app/common/library/Upload.php.
- CVE-2024-52769HIGHCVSS 7.2EG 7.22024-11-20
An arbitrary file upload vulnerability in the component /admin/friendlink_edit of DedeBIZ v6.3.0 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-5278MEDIUMCVSS 6.1EG 6.52024-06-06
gaizhenbiao/chuanhuchatgpt is vulnerable to an unrestricted file upload vulnerability due to insufficient validation of uploaded file types in its `/upload` endpoint. Specifically, the `handle_file_upload` function does not sanitize or val…
- CVE-2024-53345HIGHCVSS 8.8EG 8.82025-01-07
An authenticated arbitrary file upload vulnerability in Car Rental Management System v1.0 to v1.3 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-53564LOWCVSS 2.2EG 8.82024-12-02
A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowing high-privilege administrators to insert unwanted files. NOTE: the Supplier's position is that there is no …
- CVE-2024-53619MEDIUMCVSS 6.3EG 6.32024-11-26
An authenticated arbitrary file upload vulnerability in the Documents module of SPIP v4.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file.
- CVE-2024-53677CRITICALCVSS 9.8EG 9.82024-12-11
File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execut…
- CVE-2024-5377HIGHCVSS 7.3EG 7.32024-05-26
A vulnerability was found in SourceCodester Vehicle Management System 1.0. It has been classified as critical. This affects an unknown part of the file /newvehicle.php. The manipulation of the argument file leads to unrestricted upload. It…
- CVE-2024-53811MEDIUMCVSS 6.6EG 6.62024-12-06
Unrestricted Upload of File with Dangerous Type vulnerability in POSIMYTH WDesignkit wdesignkit allows Upload a Web Shell to a Web Server.This issue affects WDesignkit: from n/a through <= 1.0.40.
- CVE-2024-53822CRITICALCVSS 10.0EG 10.02024-12-09
Unrestricted Upload of File with Dangerous Type vulnerability in Genetech Pie Register Premium.This issue affects Pie Register Premium: from n/a before 3.8.3.3.
- CVE-2024-53863CRITICALCVSS 9.1EG 9.12024-12-03
Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats…
- CVE-2024-53982HIGHCVSS 8.7EG 8.72024-12-04
ZOO-Project is a C-based WPS (Web Processing Service) implementation. A path traversal vulnerability was discovered in Zoo-Project Echo example. The Echo example available by default in Zoo installs implements file caching, which can be co…
- CVE-2024-54214CRITICALCVSS 10.0EG 10.02024-12-06
Unrestricted Upload of File with Dangerous Type vulnerability in roninwp Revy revy allows Upload a Web Shell to a Web Server.This issue affects Revy: from n/a through <= 1.18.
- CVE-2024-54262CRITICALCVSS 9.9EG 9.92024-12-13
Unrestricted Upload of File with Dangerous Type vulnerability in sidngr Import Export For WooCommerce import-export-for-woocommerce allows Upload a Web Shell to a Web Server.This issue affects Import Export For WooCommerce: from n/a throug…
- CVE-2024-54285CRITICALCVSS 9.1EG 9.12024-12-16
Unrestricted Upload of File with Dangerous Type vulnerability in SeedProd LLC SeedProd Pro allows Upload a Web Shell to a Web Server.This issue affects SeedProd Pro: from n/a through 6.18.10.
- CVE-2024-54370CRITICALCVSS 9.9EG 9.92024-12-16
Unrestricted Upload of File with Dangerous Type vulnerability in SuitePlugins Video & Photo Gallery for Ultimate Member gallery-for-ultimate-member allows Upload a Web Shell to a Web Server.This issue affects Video & Photo Gallery for Ulti…
- CVE-2024-5441HIGHCVSS 8.8EG 8.82024-07-09
The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image function in all versions up to, and including, 7.11.0. This makes it possible for authent…
- CVE-2024-5450CRITICALCVSS 9.1EG 9.12024-07-13
The Bug Library WordPress plugin before 2.1.1 does not check the file type on user-submitted bug reports, allowing an unauthenticated user to upload PHP files
- CVE-2024-54525HIGHCVSS 8.8EG 8.82025-03-17
A logic issue was addressed with improved file handling. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, tvOS 18.2, visionOS 2.2, watchOS 11.2. Restoring a maliciously crafted backup file may lead to modification of pr…
- CVE-2024-54918CRITICALCVSS 9.8EG 9.82024-12-09
Kashipara E-learning Management System v1.0 is vulnerable to Remote Code Execution via File Upload in /teacher_avatar.php.
- CVE-2024-55078CRITICALCVSS 9.8EG 9.82025-01-03
An arbitrary file upload vulnerability in the component /adminUser/updateImg of WukongCRM-11.0-JAVA v11.3.3 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-5518MEDIUMCVSS 6.3EG 6.32024-05-30
A vulnerability classified as critical has been found in itsourcecode Online Discussion Forum 1.0. This affects an unknown part of the file change_profile_picture.php. The manipulation of the argument image leads to unrestricted upload. It…
- CVE-2024-55417MEDIUMCVSS 4.3EG 4.32025-01-30
DevDojo Voyager through version 1.8.0 is vulnerable to bypassing the file type verification when an authenticated user uploads a file via /admin/media/upload. An authenticated user can upload a web shell causing arbitrary code execution on…
- CVE-2024-55514MEDIUMCVSS 6.3EG 6.32024-12-17
A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 3.90. The component affected by this issue is /upload_sfmig.php on the web interface. By crafting a suitable form name, arbitrary files can be uploaded, potentia…
- CVE-2024-55926HIGHCVSS 7.6EG 6.32025-01-23
A vulnerability found in Xerox Workplace Suite allows arbitrary file read, upload, and deletion on the server through crafted header manipulation. By exploiting improper validation of headers, attackers can gain unauthorized access to data
- CVE-2024-56046CRITICALCVSS 10.0EG 10.02024-12-31
Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a through <= 1.9.9.
- CVE-2024-56050CRITICALCVSS 9.9EG 9.92024-12-18
Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a through < 1.9.9.5.3.
- CVE-2024-56052CRITICALCVSS 9.9EG 9.92024-12-18
Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a through < 1.9.9.5.2.
- CVE-2024-56054CRITICALCVSS 9.1EG 9.12024-12-18
Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a through < 1.9.9.5.2.
- CVE-2024-56057CRITICALCVSS 9.9EG 9.92024-12-18
Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a through < 1.9.9.5.2.
- CVE-2024-56064CRITICALCVSS 10.0EG 10.02024-12-31
Unrestricted Upload of File with Dangerous Type vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Upload a Web Shell to a Web Server.This issue affects WP SuperBackup: from n/a through <= 2.3.3.
- CVE-2024-56249CRITICALCVSS 9.1EG 9.12025-01-02
Unrestricted Upload of File with Dangerous Type vulnerability in Ludwig You WPMasterToolKit wpmastertoolkit allows Upload a Web Shell to a Web Server.This issue affects WPMasterToolKit: from n/a through <= 1.13.1.
- CVE-2024-56264MEDIUMCVSS 6.6EG 6.62025-01-02
Unrestricted Upload of File with Dangerous Type vulnerability in Beee ACF City Selector acf-city-selector allows Upload a Web Shell to a Web Server.This issue affects ACF City Selector: from n/a through <= 1.14.0.
- CVE-2024-5630HIGHCVSS 8.8EG 8.82024-07-15
The Insert or Embed Articulate Content into WordPress plugin before 4.3000000024 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.
- CVE-2024-56508HIGHCVSS 7.6EG 7.62024-12-27
LinkAce is a self-hosted archive to collect links of your favorite websites. Prior to 1.15.6, a file upload vulnerability exists in the LinkAce. This issue occurs in the "Import Bookmarks" functionality, where malicious HTML files can be u…
- CVE-2024-56828CRITICALCVSS 9.8EG 9.82025-01-06
File Upload vulnerability in ChestnutCMS through 1.5.0. Based on the code analysis, it was determined that the /api/member/avatar API endpoint receives a base64 string as input. This string is then passed to the memberService.uploadAvatarB…
- CVE-2024-56829CRITICALCVSS 10.0EG 10.02025-01-02
Huang Yaoshi Pharmaceutical Management Software through 16.0 allows arbitrary file upload via a .asp filename in the fileName element of the UploadFile element in a SOAP request to /XSDService.asmx.
- CVE-2024-56897CRITICALCVSS 9.8EG 9.82025-02-24
Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, such as disabling re…
- CVE-2024-56975CRITICALCVSS 9.8EG 9.82025-03-28
InvoicePlane (all versions tested as of December 2024) v.1.6.11 and before contains a remote code execution vulnerability in the upload_file method of the Upload controller.
- CVE-2024-57169CRITICALCVSS 9.8EG 9.82025-03-18
A file upload bypass vulnerability exists in SOPlanning 1.53.00, specifically in /process/upload.php. This vulnerability allows remote attackers to bypass upload restrictions and potentially achieve remote code execution by uploading malic…
- CVE-2024-5734MEDIUMCVSS 6.3EG 6.32024-06-07
A vulnerability classified as critical has been found in itsourcecode Online Discussion Forum 1.0. Affected is an unknown function of the file /members/poster.php. The manipulation of the argument image leads to unrestricted upload. It is …
- CVE-2024-57407HIGHCVSS 7.3EG 7.32025-02-10
An arbitrary file upload vulnerability in the component /userPicture of Timo v2.0.3 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-57408HIGHCVSS 7.2EG 7.22025-02-10
An arbitrary file upload vulnerability in the component /comm/upload of cool-admin-java v1.0 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-5745HIGHCVSS 7.3EG 6.32024-06-07
A vulnerability was found in itsourcecode Bakery Online Ordering System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/modules/product/controller.php?action=add. The manipulation of the argument…
- CVE-2024-57450CRITICALCVSS 9.8EG 9.82025-02-03
ChestnutCMS <=1.5.0 is vulnerable to File Upload via the Create template function.
- CVE-2024-57668HIGHCVSS 8.8EG 9.82025-02-06
In Code-projects Shopping Portal v1.0, the insert-product.php page has an arbitrary file upload vulnerability.
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →