CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,081 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 59 of 82
- CVE-2024-7192MEDIUMCVSS 6.3EG 6.32024-07-29
A vulnerability, which was classified as critical, was found in itsourcecode Society Management System 1.0. This affects an unknown part of the file /admin/student.php. The manipulation of the argument image leads to unrestricted upload. I…
- CVE-2024-7257CRITICALCVSS 9.8EG 9.82024-08-03
The YayExtra – WooCommerce Extra Product Options plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_upload_file function in all versions up to, and including, 1.3.7. This makes …
- CVE-2024-7277MEDIUMCVSS 4.7EG 4.72024-07-31
A vulnerability was found in itsourcecode Alton Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/menu.php of the component Add a Menu. The manipulation of the argumen…
- CVE-2024-7329MEDIUMCVSS 6.3EG 6.32024-07-31
A vulnerability, which was classified as critical, was found in YouDianCMS 7. Affected is an unknown function of the file /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php. The manipulation of the argument files leads to unrestr…
- CVE-2024-7342LOWCVSS 3.5EG 3.52024-08-01
A vulnerability was found in Baidu UEditor 1.4.3.3. It has been classified as problematic. This affects an unknown part of the file /ueditor/php/controller.php?action=uploadfile&encode=utf-8. The manipulation of the argument upfile leads t…
- CVE-2024-7384HIGHCVSS 7.5EG 7.52024-08-22
The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the acym_extractArchive function in all ve…
- CVE-2024-7399HIGHCVSS 8.8EG 9.0⚠ KEV2024-08-12
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority.
- CVE-2024-7450MEDIUMCVSS 6.3EG 6.32024-08-04
A vulnerability has been found in itsourcecode Placement Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /resume_upload.php of the component Image Handler. The manipu…
- CVE-2024-7484HIGHCVSS 7.2EG 7.22024-08-06
The CRM Perks Forms plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'handle_uploaded_files' function in versions up to, and including, 1.1.3. This makes it possible for authenticated …
- CVE-2024-7495MEDIUMCVSS 6.3EG 6.32024-08-06
A vulnerability, which was classified as critical, was found in itsourcecode Laravel Accounting System 1.0. This affects an unknown part of the file app/Http/Controllers/HomeController.php. The manipulation of the argument image leads to u…
- CVE-2024-7500MEDIUMCVSS 6.3EG 6.32024-08-06
A vulnerability was found in itsourcecode Airline Reservation System 1.0. It has been rated as critical. Affected by this issue is the function save_settings of the file admin/admin_class.php. The manipulation of the argument img leads to …
- CVE-2024-7506MEDIUMCVSS 6.3EG 6.32024-08-06
A vulnerability has been found in itsourcecode Tailoring Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /setlogo.php. The manipulation of the argument bgimg leads to…
- CVE-2024-7559HIGHCVSS 8.8EG 8.82024-08-23
The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions up to, and including, 8.3.7. This makes i…
- CVE-2024-7620MEDIUMCVSS 6.6EG 6.62024-09-07
The Customizer Export/Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_import' function in all versions up to, and including, 0.9.7. This makes it possible for authenticated a…
- CVE-2024-7694HIGHCVSS 7.2EG 9.0⚠ KEV2024-08-12
ThreatSonar Anti-Ransomware from TeamT5 does not properly validate the content of uploaded files. Remote attackers with administrator privileges on the product platform can upload malicious files, which can be used to execute arbitrary sy…
- CVE-2024-7705MEDIUMCVSS 4.7EG 4.72024-08-12
A vulnerability was found in Fujian mwcms 1.0.0. It has been declared as critical. Affected by this vulnerability is the function uploadeditor of the file /uploadeditor.html?action=uploadimage of the component Image Upload. The manipulatio…
- CVE-2024-7706MEDIUMCVSS 4.7EG 4.72024-08-12
A vulnerability was found in Fujian mwcms 1.0.0. It has been rated as critical. Affected by this issue is the function uploadimage of the file /uploadfile.html. The manipulation of the argument upfile leads to unrestricted upload. The atta…
- CVE-2024-7732CRITICALCVSS 9.8EG 9.82024-08-14
Dr.ID Access Control System from SECOM does not properly validate a specific page parameter, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents.
- CVE-2024-7770HIGHCVSS 8.8EG 8.82024-09-10
The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, an…
- CVE-2024-7772CRITICALCVSS 9.8EG 9.82024-09-26
The Jupiter X Core plugin for WordPress is vulnerable to arbitrary file uploads due to a mishandled file type validation in the 'validate' function in all versions up to, and including, 4.6.5. This makes it possible for unauthenticated att…
- CVE-2024-7855HIGHCVSS 8.8EG 8.82024-10-02
The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_review() function in all versions up to, and including, 2.1.2. This makes it possible for authenticated att…
- CVE-2024-7903MEDIUMCVSS 6.3EG 6.32024-08-18
A vulnerability was found in DedeBIZ 6.3.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file admin/media_add.php of the component File Extension Handler. The manipulation of the argum…
- CVE-2024-7904MEDIUMCVSS 6.3EG 6.32024-08-18
A vulnerability was found in DedeBIZ 6.3.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file admin/file_manage_control.php of the component File Extension Handler. The manipulation of the argu…
- CVE-2024-7905MEDIUMCVSS 6.3EG 6.32024-08-18
A vulnerability classified as critical has been found in DedeBIZ 6.3.0. This affects the function AdminUpload of the file admin/archives_do.php. The manipulation of the argument litpic leads to unrestricted upload. It is possible to initia…
- CVE-2024-7906MEDIUMCVSS 6.3EG 6.32024-08-18
A vulnerability classified as critical was found in DedeBIZ 6.3.0. This vulnerability affects the function get_mime_type of the file /admin/dialog/select_images_post.php of the component Attachment Settings. The manipulation of the argumen…
- CVE-2024-7910MEDIUMCVSS 4.7EG 4.72024-08-18
A vulnerability was found in CodeAstro Online Railway Reservation System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/emp-profile-avatar.php of the component Profile Photo Update H…
- CVE-2024-7917MEDIUMCVSS 4.7EG 4.72024-08-18
A vulnerability, which was classified as critical, has been found in DouPHP 1.7 Release 20220822. Affected by this issue is some unknown functionality of the file /admin/system.php of the component Favicon Handler. The manipulation of the …
- CVE-2024-7943MEDIUMCVSS 6.3EG 6.32024-08-20
A vulnerability was found in itsourcecode Laravel Property Management System 1.0 and classified as critical. This issue affects the function upload of the file PropertiesController.php. The manipulation of the argument file leads to unrest…
- CVE-2024-7944MEDIUMCVSS 6.3EG 6.32024-08-20
A vulnerability was found in itsourcecode Laravel Property Management System 1.0. It has been classified as critical. Affected is the function UpdateDocumentsRequest of the file DocumentsController.php. The manipulation leads to unrestrict…
- CVE-2024-7985HIGHCVSS 7.5EG 7.52024-10-29
The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the "fileorganizer_ajax_handler" function in all versions up to, and including, 1.…
- CVE-2024-7987HIGHCVSS 7.8EG 7.82024-08-26
A remote code execution vulnerability exists in the Rockwell Automation ThinManager® ThinServer™ that allows a threat actor to execute arbitrary code with System privileges. To exploit this vulnerability and a threat actor must abuse t…
- CVE-2024-8019CRITICALCVSS 9.1EG 9.12025-03-20
In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the `LightningApp` when running on a Windows host. The vulnerability occurs at the `/api/v1/upload_file/` endpoint, allowing an attacker to write or overwrite arbit…
- CVE-2024-8066HIGHCVSS 7.5EG 7.52024-11-28
The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing validation in the 'fsConnector' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated at…
- CVE-2024-8089MEDIUMCVSS 6.3EG 6.32024-08-23
A vulnerability was found in SourceCodester E-Commerce System 1.0. It has been classified as critical. Affected is an unknown function of the file /ecommerce/admin/products/controller.php. The manipulation of the argument photo leads to un…
- CVE-2024-8126HIGHCVSS 7.5EG 7.52024-09-26
The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.8. This makes it possible for authenticated attackers, with Subscriber-…
- CVE-2024-8164MEDIUMCVSS 6.3EG 6.32024-08-26
A vulnerability was determined in Chengdu Everbrite Network Technology BeikeShop up to 1.5.5. This affects the function rename of the file /Admin/Http/Controllers/FileManagerController.php. This manipulation of the argument new_name causes…
- CVE-2024-8166MEDIUMCVSS 4.7EG 4.72024-08-26
A vulnerability has been found in Ruijie EG2000K 11.1(6)B2 and classified as critical. This vulnerability affects unknown code of the file /tool/index.php?c=download&a=save. The manipulation of the argument content leads to unrestricted up…
- CVE-2024-8170LOWCVSS 3.5EG 3.52024-08-26
A vulnerability classified as problematic has been found in SourceCodester Zipped Folder Manager App 1.0. This affects an unknown part of the file /endpoint/add-folder.php. The manipulation of the argument folder leads to unrestricted uplo…
- CVE-2024-8232HIGHCVSS 7.5EG 7.52024-09-10
SpiderControl SCADA Web Server has a vulnerability that could allow an attacker to upload specially crafted malicious files without authentication.
- CVE-2024-8242MEDIUMCVSS 4.3EG 4.32024-09-13
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function in all versions up to, and including, 4…
- CVE-2024-8294MEDIUMCVSS 6.3EG 6.32024-08-29
A vulnerability, which was classified as critical, was found in FeehiCMS up to 2.1.1. This affects the function update of the file /admin/index.php?r=friendly-link%2Fupdate. The manipulation of the argument FriendlyLink[image] leads to unr…
- CVE-2024-8295MEDIUMCVSS 6.3EG 6.32024-08-29
A vulnerability has been found in FeehiCMS up to 2.1.1 and classified as critical. This vulnerability affects the function createBanner of the file /admin/index.php?r=banner%2Fbanner-create. The manipulation of the argument BannerForm[img]…
- CVE-2024-8296MEDIUMCVSS 6.3EG 6.32024-08-29
A vulnerability was found in FeehiCMS up to 2.1.1 and classified as critical. This issue affects the function insert of the file /admin/index.php?r=user%2Fcreate. The manipulation of the argument User[avatar] leads to unrestricted upload. …
- CVE-2024-8330HIGHCVSS 8.8EG 8.82024-08-30
6SHR system from Gether Technology does not properly validate uploaded file types, allowing remote attackers with regular privileges to upload web shell scripts and use them to execute arbitrary system commands on the server.
- CVE-2024-8338MEDIUMCVSS 6.3EG 6.32024-08-30
A vulnerability was found in HFO4 shudong-share 2.4.7. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /includes/fileReceive.php of the component File Extension Handler. The manipula…
- CVE-2024-8341MEDIUMCVSS 6.3EG 6.32024-08-30
A vulnerability classified as critical was found in SourceCodester Petshop Management System 1.0. This vulnerability affects unknown code of the file /controllers/add_user.php. The manipulation of the argument avatar leads to unrestricted …
- CVE-2024-8342MEDIUMCVSS 6.3EG 6.32024-08-30
A vulnerability, which was classified as critical, has been found in SourceCodester Petshop Management System 1.0. This issue affects some unknown processing of the file /controllers/add_client.php. The manipulation of the argument image_p…
- CVE-2024-8425CRITICALCVSS 9.8EG 9.82025-02-28
The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions u…
- CVE-2024-8463CRITICALCVSS 9.9EG 9.92024-09-05
File upload restriction bypass vulnerability in PHPGurukul Job Portal 1.0, the exploitation of which could allow an authenticated user to execute an RCE via webshell.
- CVE-2024-8525CRITICALCVSS 10.0EG 10.02024-11-21
An unrestricted upload of file with dangerous type in Automated Logic WebCTRL 7.0 could allow an unauthenticated user to perform remote command execution via a crafted HTTP POST request which could lead to uploading a malicious file.
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →