CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,081 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 61 of 82
- CVE-2025-0582MEDIUMCVSS 4.7EG 4.72025-01-20
A vulnerability classified as critical was found in itsourcecode Farm Management System up to 1.0. This vulnerability affects unknown code of the file /add-pig.php. The manipulation of the argument pigphoto leads to unrestricted upload. Th…
- CVE-2025-0645HIGHCVSS 7.2EG 7.22025-11-20
Unrestricted Upload of File with Dangerous Type vulnerability in Narkom Communication and Software Technologies Trade Ltd. Co. Pyxis Signage allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Pyxis Signage…
- CVE-2025-0702MEDIUMCVSS 6.3EG 6.32025-01-24
A vulnerability classified as critical was found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. This vulnerability affects unknown code of the file src/main/java/io/github/controller/SysFileController.java. The manip…
- CVE-2025-0722MEDIUMCVSS 4.7EG 4.72025-01-27
A vulnerability classified as critical was found in needyamin image_gallery 1.0. This vulnerability affects unknown code of the file /admin/gallery.php of the component Cover Image Handler. The manipulation of the argument image leads to u…
- CVE-2025-0731MEDIUMCVSS 6.5EG 6.52025-02-26
An unauthenticated remote attacker can upload a .aspx file instead of a PV system picture through the demo account. The code can only be executed in the security context of the user.
- CVE-2025-0928HIGHCVSS 8.8EG 8.82025-07-08
In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. Th…
- CVE-2025-0984HIGHCVSS 8.2EG 8.22025-05-06
Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netoloji Software E-Flow allows Accessing Functionality Not Properly Constrained …
- CVE-2025-10000MEDIUMCVSS 6.4EG 6.42025-09-30
The Qyrr – simply and modern QR-Code creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the blob_to_file() function in all versions up to, and including, 2.0.7. This makes it poss…
- CVE-2025-10001HIGHCVSS 7.2EG 7.22025-09-10
The Import any XML, CSV or Excel File to WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 3.9.3. This makes it poss…
- CVE-2025-10009HIGHCVSS 8.6EG 8.62025-09-22
Incorrect handling of uploaded files in the admin "Restore" function in Invoice Ninja <= 5.11.72 allows attackers with admin credentials to execute arbitrary code on the server via uploaded .php files.
- CVE-2025-10041CRITICALCVSS 9.8EG 9.82025-10-15
The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in thesave_qr_code_to_db() function in all versions up to, and including, 1.2.5. This makes it possible for unauthe…
- CVE-2025-10049HIGHCVSS 7.2EG 7.22025-09-10
The Responsive Filterable Portfolio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the HdnMediaSelection_image field in all versions up to, and including, 1.0.24. This makes it possible…
- CVE-2025-10051HIGHCVSS 7.2EG 7.22025-10-15
The Demo Import Kit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.1.0 via the import functionality. This makes it possible for authenticated attacke…
- CVE-2025-10081MEDIUMCVSS 4.7EG 4.72025-09-08
A flaw has been found in SourceCodester Pet Management System 1.0. This impacts an unknown function of the file /admin/profile.php. This manipulation of the argument website_image causes unrestricted upload. Remote exploitation of the atta…
- CVE-2025-10083MEDIUMCVSS 6.3EG 6.32025-09-08
A vulnerability was determined in SourceCodester Pet Grooming Management Software 1.0. Affected by this issue is some unknown functionality of the file /admin/profile.php. Executing manipulation can lead to unrestricted upload. The attack …
- CVE-2025-10085MEDIUMCVSS 6.3EG 6.32025-09-08
A security flaw has been discovered in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code of the file manage_website.php. The manipulation results in unrestricted upload. It is possible to launch t…
- CVE-2025-10116HIGHCVSS 7.3EG 7.32025-09-09
A vulnerability was identified in SiempreCMS up to 1.3.6. This vulnerability affects unknown code of the file /docs/admin/file_upload.php. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit is …
- CVE-2025-10147CRITICALCVSS 9.8EG 9.82025-09-23
The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_as_original_file' function in all versions up to, and including, 4.2.6. This makes it possible for …
- CVE-2025-1025HIGHCVSS 7.5EG 7.52025-02-05
Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use different extension to bypass the upload filter.
- CVE-2025-1028HIGHCVSS 8.1EG 8.12025-02-05
The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. This makes it possible for unauthenticated…
- CVE-2025-10371HIGHCVSS 7.3EG 7.32025-09-13
A security flaw has been discovered in eCharge Hardy Barth Salia PLCC up to 2.3.81. This issue affects some unknown processing of the file /api.php. The manipulation of the argument setrfidlist results in unrestricted upload. The attack ma…
- CVE-2025-10398MEDIUMCVSS 6.3EG 6.32025-09-14
A security flaw has been discovered in fcba_zzm ics-park Smart Park Management System 2.0. This vulnerability affects unknown code of the file FileUploadUtils.java. The manipulation of the argument File results in unrestricted upload. The …
- CVE-2025-10412CRITICALCVSS 9.8EG 9.82025-09-23
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all ve…
- CVE-2025-10424HIGHCVSS 7.3EG 7.32025-09-15
A vulnerability was determined in 1000projects Online Student Project Report Submission and Evaluation System 1.0. The affected element is an unknown function of the file /admin/controller/faculty_controller.php. This manipulation of the a…
- CVE-2025-10425HIGHCVSS 7.3EG 7.32025-09-15
A vulnerability was identified in 1000projects Online Student Project Report Submission and Evaluation System 1.0. The impacted element is an unknown function of the file /admin/controller/student_controller.php. Such manipulation of the a…
- CVE-2025-10427MEDIUMCVSS 6.3EG 6.32025-09-15
A weakness has been identified in SourceCodester Pet Grooming Management Software 1.0. This impacts an unknown function of the file /admin/operation/user.php. Executing manipulation of the argument website_image can lead to unrestricted up…
- CVE-2025-10428MEDIUMCVSS 6.3EG 6.32025-09-15
A security vulnerability has been detected in SourceCodester Pet Grooming Management Software 1.0. Affected is an unknown function of the file /admin/seo_setting.php of the component Setting Handler. The manipulation of the argument websit…
- CVE-2025-10447HIGHCVSS 7.3EG 7.32025-09-15
A vulnerability was detected in Campcodes Online Job Finder System 1.0. The impacted element is an unknown function of the file /eris/applicationform.php. The manipulation of the argument picture results in unrestricted upload. It is possi…
- CVE-2025-10465HIGHCVSS 8.8EG 8.82026-02-09
Unrestricted Upload of File with Dangerous Type vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Sensaway allows Upload a Web Shell to a Web Server. This issue affects Sensaway: through 09022026. NOTE: Becaus…
- CVE-2025-10480MEDIUMCVSS 6.3EG 6.32025-09-15
A weakness has been identified in SourceCodester Online Student File Management System 1.0. This affects an unknown function of the file /save_file.php. Executing manipulation can lead to unrestricted upload. The attack may be launched rem…
- CVE-2025-10544HIGHCVSS 8.6EG 8.62025-09-26
Unrestricted file upload vulnerability in DocAve 6.13.2, Perimeter 1.12.3, Compliance Guardian 4.7.1, and earlier versions, allowing administrator users to upload files without proper validation. An attacker could exploit this vulnerabilit…
- CVE-2025-10600HIGHCVSS 7.3EG 7.32025-09-17
A flaw has been found in SourceCodester Online Exam Form Submission 1.0. This impacts an unknown function of the file /register.php. This manipulation of the argument img causes unrestricted upload. It is possible to initiate the attack re…
- CVE-2025-10615MEDIUMCVSS 6.3EG 6.32025-09-17
A vulnerability was identified in itsourcecode E-Commerce Website 1.0. This impacts an unknown function of the file /admin/products.php. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit is pu…
- CVE-2025-10616MEDIUMCVSS 6.3EG 6.32025-09-17
A security flaw has been discovered in itsourcecode E-Commerce Website 1.0. Affected is an unknown function of the file /admin/users.php. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit has…
- CVE-2025-10647HIGHCVSS 8.8EG 8.82025-09-19
The Embed PDF for WPForms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_handler_download_pdf_media function in all versions up to, and including, 1.1.5. This makes it possible …
- CVE-2025-10669MEDIUMCVSS 6.3EG 6.32025-09-18
A vulnerability was detected in Airsonic-Advanced up to 10.6.0. This vulnerability affects unknown code of the component Playlist Upload Handler. Performing manipulation results in unrestricted upload. It is possible to initiate the attack…
- CVE-2025-1070HIGHCVSS 8.1EG 8.12025-02-13
CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could render the device inoperable when a malicious file is downloaded.
- CVE-2025-10741MEDIUMCVSS 6.3EG 6.32025-09-20
A security vulnerability has been detected in Selleo Mentingo up to 2025.08.27. The affected element is an unknown function of the component Profile Picture Handler. The manipulation of the argument userAvatar leads to unrestricted upload.…
- CVE-2025-10747HIGHCVSS 7.2EG 7.22025-09-26
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download-add.php file in all versions up to, and including, 1.68.11. This makes it possible for authenticated at…
- CVE-2025-10754HIGHCVSS 7.2EG 7.22025-10-15
The DocoDoco Store Locator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 1.0.1. This makes it possible for authenticat…
- CVE-2025-10755MEDIUMCVSS 6.3EG 6.32025-09-20
A vulnerability was detected in Selleo Mentingo 2025.08.27. The impacted element is an unknown function of the component Content-Type Handler. The manipulation of the argument userAvatar results in unrestricted upload. The attack may be pe…
- CVE-2025-10763MEDIUMCVSS 6.3EG 6.32025-09-21
A vulnerability was determined in academico-sis academico up to d9a9e2636fbf7e5845ee086bcb03ca62faceb6ab. Affected by this issue is some unknown functionality of the file /edit-photo of the component Profile Picture Handler. This manipulat…
- CVE-2025-10856HIGHCVSS 8.1EG 8.12026-01-22
Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Inc. Teknoera allows File Content Injection. This issue affects Teknoera: through 01102025.
- CVE-2025-10907HIGHCVSS 8.4EG 8.42025-11-05
An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially craf…
- CVE-2025-1093CRITICALCVSS 9.8EG 9.82025-04-19
The AIHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the generate_image function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to u…
- CVE-2025-11020HIGHCVSS 8.8EG 8.82025-10-02
An attacker can obtain server information using Path Traversal vulnerability to conduct SQL Injection, which possibly exploits Unrestricted Upload of File with Dangerous Type vulnerability in MarkAny SafePC Enterprise on Windows, Linux.Thi…
- CVE-2025-11078MEDIUMCVSS 6.3EG 6.32025-09-27
A vulnerability was identified in itsourcecode Open Source Job Portal 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/user/controller.php?action=photos. The manipulation of the argument photo leads to unr…
- CVE-2025-11103MEDIUMCVSS 4.7EG 4.72025-09-28
A security vulnerability has been detected in Projectworlds Online Tours and Travels 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/change-image.php. The manipulation of the argument packageimage leads t…
- CVE-2025-11136MEDIUMCVSS 4.7EG 4.72025-09-29
A flaw has been found in YiFang CMS up to 2.0.2. The impacted element is the function webUploader of the file app/app/controller/File.php of the component Backend. Executing manipulation of the argument uploadpath can lead to unrestricted …
- CVE-2025-11170CRITICALCVSS 9.8EG 9.82025-11-11
The WP移行専用プラグイン for CPI plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the Cpiwm_Import_Controller::import function in all versions up to, and including, 1.0.2. This ma…
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →