CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,083 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 65 of 82
- CVE-2025-1818MEDIUMCVSS 6.3EG 6.32025-03-02
A vulnerability, which was classified as critical, has been found in zj1983 zz up to 2024-8. This issue affects some unknown processing of the file src/main/java/com/futvan/z/system/zfile/ZfileAction.upload. The manipulation of the argumen…
- CVE-2025-1834MEDIUMCVSS 6.3EG 6.32025-03-02
A vulnerability, which was classified as critical, was found in zj1983 zz up to 2024-8. This affects an unknown part of the file /resolve. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the a…
- CVE-2025-1835MEDIUMCVSS 6.3EG 6.32025-03-02
A vulnerability has been found in osuuu LightPicture 1.2.2 and classified as critical. This vulnerability affects the function upload of the file /app/controller/Api.php. The manipulation of the argument file leads to unrestricted upload. …
- CVE-2025-1862MEDIUMCVSS 6.7EG 6.72025-09-26
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL uploader SOAP service endpoint. A malicious actor with administrative privileges can upload arbitrary…
- CVE-2025-1890MEDIUMCVSS 6.3EG 6.32025-03-04
A vulnerability has been found in shishuocms 1.1 and classified as critical. This vulnerability affects the function handleRequest of the file src/main/java/com/shishuo/cms/action/manage/ManageUpLoadAction.java. The manipulation of the arg…
- CVE-2025-1980CRITICALCVSS 9.4EG 9.42025-04-16
The Ready_ application's Profile section allows users to upload files of any type and extension without restriction. If the server is misconfigured, as it was by default when installed at the turn of 2021 and 2022, it can result in Remote …
- CVE-2025-2005CRITICALCVSS 9.8EG 9.82025-04-02
The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and including, 3.2.32. This makes it possible fo…
- CVE-2025-2006HIGHCVSS 8.8EG 8.82025-03-29
The Inline Image Upload for BBPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension validation in the file uploading functionality in all versions up to, and including, 1.1.19. This makes it possi…
- CVE-2025-2008HIGHCVSS 8.8EG 8.82025-04-01
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This …
- CVE-2025-20130MEDIUMCVSS 4.9EG 4.92025-06-04
A vulnerability in the API of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker with administrative privileges to upload files to an affected device. Th…
- CVE-2025-20274MEDIUMCVSS 6.3EG 6.32025-07-16
A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to improper validation o…
- CVE-2025-20287MEDIUMCVSS 4.3EG 8.82025-09-03
A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to impro…
- CVE-2025-2031MEDIUMCVSS 6.3EG 6.32025-03-06
A vulnerability classified as critical has been found in ChestnutCMS up to 1.5.2. This affects the function uploadFile of the file /dev-api/cms/file/upload. The manipulation of the argument file leads to unrestricted upload. It is possible…
- CVE-2025-2035MEDIUMCVSS 6.3EG 6.32025-03-06
A vulnerability was found in s-a-zhd Ecommerce-Website-using-PHP 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /customer_register.php. The manipulation of the argument name leads to unrest…
- CVE-2025-20354CRITICALCVSS 9.8EG 9.82025-11-05
A vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX could allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with root permissions on an affected system. …
- CVE-2025-20375MEDIUMCVSS 6.5EG 6.52025-11-05
A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to upload and execute arbitrary files. This vulnerability is due to an insufficient input validation associated to specific UI features. An…
- CVE-2025-20376MEDIUMCVSS 6.5EG 6.52025-11-05
A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to upload and execute arbitrary files. This vulnerability is due to an insufficient input validation associated to file upload mechanisms. …
- CVE-2025-2115MEDIUMCVSS 6.3EG 6.32025-03-09
A vulnerability, which was classified as critical, was found in zzskzy Warehouse Refinement Management System 3.1. Affected is the function ProcessRequest of the file /AcceptZip.ashx. The manipulation of the argument file leads to unrestri…
- CVE-2025-2155HIGHCVSS 8.8EG 8.82025-12-24
Unrestricted Upload of File with Dangerous Type vulnerability in Echo Call Center Services Trade and Industry Inc. Specto CM allows Remote Code Inclusion. This issue affects Specto CM: before 17032025.
- CVE-2025-21624CRITICALCVSS 9.8EG 9.82025-01-07
ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 239, a file upload vulnerability exists in the Manage Playlist functionality of the application, specifically surrounding the uploading of playlist cover images. W…
- CVE-2025-22132HIGHCVSS 8.3EG 8.32025-01-07
WeGIA is a web manager for charitable institutions. A Cross-Site Scripting (XSS) vulnerability was identified in the file upload functionality of the WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. By uploading a file conta…
- CVE-2025-22133CRITICALCVSS 9.9EG 9.92025-01-07
WeGIA is a web manager for charitable institutions. Prior to 3.2.8, a critical vulnerability was identified in the /WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. The endpoint accepts file uploads without proper validation…
- CVE-2025-22137CRITICALCVSS 9.8EG 9.82025-01-08
Pingvin Share is a self-hosted file sharing platform and an alternative for WeTransfer. This vulnerability allows an authenticated or unauthenticated (if anonymous shares are allowed) user to overwrite arbitrary files on the server, includ…
- CVE-2025-22152CRITICALCVSS 9.1EG 9.12025-01-10
Atheos is a self-hosted browser-based cloud IDE. Prior to v600, the $path and $target parameters are not properly validated across multiple components, allowing an attacker to read, modify, or execute arbitrary files on the server. These v…
- CVE-2025-2216MEDIUMCVSS 6.3EG 6.32025-03-12
A vulnerability, which was classified as critical, has been found in zzskzy Warehouse Refinement Management System 1.3. Affected by this issue is the function UploadCrash of the file /crash/log/SaveCrash.ashx. The manipulation of the argum…
- CVE-2025-2219HIGHCVSS 7.3EG 7.32025-03-12
A vulnerability was found in LoveCards LoveCardsV2 up to 2.3.2 and classified as critical. This issue affects some unknown processing of the file /api/upload/image. The manipulation of the argument file leads to unrestricted upload. The at…
- CVE-2025-22213HIGHCVSS 7.1EG 7.12025-03-11
Inadequate checks in the Media Manager allowed users with "edit" privileges to change file extension to arbitrary extension, including .php and other potentially executable extensions.
- CVE-2025-22389HIGHCVSS 8.0EG 8.02025-01-04
An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS, where the application does not properly validate uploaded files. This allows the upload of potentially malicious fi…
- CVE-2025-22470CRITICALCVSS 9.8EG 9.82025-08-06
CL4/6NX Plus and CL4/6NX-J Plus (Japan model) with the firmware versions prior to 1.15.5-r1 allow crafted dangerous files to be uploaded. An arbitrary Lua script may be executed on the system with the root privilege.
- CVE-2025-2249HIGHCVSS 8.8EG 8.82025-03-29
The SoJ SoundSlides plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the soj_soundslides_options_subpanel() function in all versions up to, and including, 1.2.2. This makes it possible for…
- CVE-2025-22504CRITICALCVSS 10.0EG 10.02025-01-09
Unrestricted Upload of File with Dangerous Type vulnerability in jumpdemand 4ECPS Web Forms 4ecps-webforms allows Upload a Web Shell to a Web Server.This issue affects 4ECPS Web Forms: from n/a through <= 0.2.18.
- CVE-2025-22654CRITICALCVSS 10.0EG 10.02025-02-18
Unrestricted Upload of File with Dangerous Type vulnerability in kodeshpa Simplified simplified allows Using Malicious Files.This issue affects Simplified: from n/a through <= 1.0.6.
- CVE-2025-22723CRITICALCVSS 9.1EG 9.12025-01-21
Unrestricted Upload of File with Dangerous Type vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders allows Upload a Web Shell to…
- CVE-2025-22782CRITICALCVSS 9.9EG 9.92025-01-15
Unrestricted Upload of File with Dangerous Type vulnerability in Web Ready Now WR Price List Manager For Woocommerce wr-price-list-for-woocommerce allows Upload a Web Shell to a Web Server.This issue affects WR Price List Manager For Wooco…
- CVE-2025-23171HIGHCVSS 7.2EG 7.22025-06-19
The Versa Director SD-WAN orchestration platform provides an option to upload various types of files. The Versa Director does not correctly limit file upload permissions. The UI appears not to allow file uploads but uploads still succeed. …
- CVE-2025-23213HIGHCVSS 8.7EG 8.72025-01-28
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The file upload feature allows to upload arbitrary files, including html and svg. Both can contain malicious content (XSS Payloads). This …
- CVE-2025-2350MEDIUMCVSS 6.3EG 6.32025-03-16
A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been rated as critical. Affected by this issue is some unknown functionality of the file /action/upload_file. The manipulation leads to unrestricted upload. Access to t…
- CVE-2025-23918CRITICALCVSS 9.9EG 9.92025-01-22
Unrestricted Upload of File with Dangerous Type vulnerability in Enrico Sandoli Smallerik File Browser smallerik-file-browser allows Upload a Web Shell to a Web Server.This issue affects Smallerik File Browser: from n/a through <= 1.1.
- CVE-2025-23921CRITICALCVSS 9.0EG 9.02025-01-22
Unrestricted Upload of File with Dangerous Type vulnerability in sh1zen Multi Uploader for Gravity Forms gf-multi-uploader allows Upload a Web Shell to a Web Server.This issue affects Multi Uploader for Gravity Forms: from n/a through <= 1…
- CVE-2025-23942CRITICALCVSS 9.1EG 9.12025-01-22
Unrestricted Upload of File with Dangerous Type vulnerability in ngocuct0912 WP Load Gallery wp-load-gallery allows Upload a Web Shell to a Web Server.This issue affects WP Load Gallery: from n/a through <= 2.1.6.
- CVE-2025-23953CRITICALCVSS 10.0EG 10.02025-01-22
Unrestricted Upload of File with Dangerous Type vulnerability in Scriptonite user files user-files allows Upload a Web Shell to a Web Server.This issue affects user files: from n/a through <= 2.4.2.
- CVE-2025-2396HIGHCVSS 8.8EG 8.82025-03-17
The U-Office Force from e-Excellence has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
- CVE-2025-23968CRITICALCVSS 9.1EG 9.12025-07-03
Unrestricted Upload of File with Dangerous Type vulnerability in WebFactory AiBud WP aibuddy-openai-chatgpt allows Upload a Web Shell to a Web Server.This issue affects AiBud WP: from n/a through <= 1.9.
- CVE-2025-24489MEDIUMCVSS 6.3EG 6.32025-08-21
An attacker could exploit this vulnerability by uploading arbitrary files via a specific service, which could lead to system compromise.
- CVE-2025-24505HIGHCVSS 8.8EG 8.82025-01-30
This vulnerability allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by uploading a specially crafted upgrade file.
- CVE-2025-24650CRITICALCVSS 9.1EG 9.12025-01-24
Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic tourfic allows Upload a Web Shell to a Web Server.This issue affects Tourfic: from n/a through <= 2.15.3.
- CVE-2025-24775CRITICALCVSS 9.9EG 9.92025-08-14
Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms forms-by-made-it allows Upload a Web Shell to a Web Server.This issue affects Forms: from n/a through <= 2.9.0.
- CVE-2025-24801HIGHCVSS 8.5EG 8.52025-03-18
GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18.
- CVE-2025-24815HIGHCVSS 7.8EG 7.82026-06-30
Nokia MantaRay NM is subject to an unrestricted file upload vulnerability due to insufficient file type validation. Successful exploitation could allow an authenticated attacker to upload malicious files onto the system.
- CVE-2025-24862LOWCVSS 2.0EG 2.02025-11-11
Unrestricted upload of file with dangerous type for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with a privileged user…
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →