CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,083 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 74 of 82
- CVE-2025-66802CRITICALCVSS 9.8EG 9.82026-01-12
Sourcecodester Covid-19 Contact Tracing System 1.0 is vulnerable to RCE (Remote Code Execution). The application receives a reverse shell (php) into imagem of the user enabling RCE.
- CVE-2025-66837MEDIUMCVSS 6.8EG 6.82026-01-07
A file upload vulnerability in ARIS 10.0.23.0.3587512 allows attackers to execute arbitrary code via uploading a crafted PDF file/Malware
- CVE-2025-66908MEDIUMCVSS 5.3EG 5.32025-12-19
Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an improper file type validation vulnerability in the OCR image upload functionality. The OcrController in turms-ai-serving/src/main/java/im/turms/ai/domain/ocr/controller/OcrCo…
- CVE-2025-67077HIGHCVSS 8.8EG 6.52026-01-15
File upload vulnerability in Omnispace Agora Project before 25.10 allowing authenticated, or under certain conditions also guest users, via the UploadTmpFile action.
- CVE-2025-67079CRITICALCVSS 9.8EG 9.82026-01-15
File upload vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute code through the MSL engine of the Imagick library via crafted PDF file to the file upload and thumbnail functions.
- CVE-2025-67164CRITICALCVSS 9.9EG 9.92025-12-17
An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2025-67260HIGHCVSS 8.8EG 8.82026-03-20
The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated components and versions has a file upload vulnerability that may allow attackers to execute arbitrary code. Vulnerable components include Terrapack TkWebCoreNG:: 1.0…
- CVE-2025-67288CRITICALCVSS 10.0EG 10.02025-12-22
An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in th…
- CVE-2025-67289CRITICALCVSS 9.6EG 9.62025-12-22
An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.
- CVE-2025-67325CRITICALCVSS 9.8EG 9.82026-01-08
Unrestricted file upload in the hotel review feature in QloApps versions 1.7.0 and earlier allows remote unauthenticated attackers to achieve remote code execution.
- CVE-2025-67506CRITICALCVSS 9.8EG 9.82025-12-10
PipesHub is a fully extensible workplace AI platform for enterprise search and workflow automation. Versions prior to 0.1.0-beta expose POST /api/v1/record/buffer/convert through missing authentication. The endpoint accepts a file upload a…
- CVE-2025-67706MEDIUMCVSS 5.6EG 5.62025-12-31
ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the s…
- CVE-2025-67707MEDIUMCVSS 5.6EG 5.62025-12-31
ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the s…
- CVE-2025-67886MEDIUMCVSS 6.3EG 6.32026-05-08
Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier…
- CVE-2025-67910CRITICALCVSS 9.1EG 9.82026-01-08
Unrestricted Upload of File with Dangerous Type vulnerability in contentstudio Contentstudio contentstudio allows Upload a Web Shell to a Web Server.This issue affects Contentstudio: from n/a through <= 1.3.7.
- CVE-2025-67924CRITICALCVSS 9.9EG 9.82026-01-08
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Corpkit corpkit allows Upload a Web Shell to a Web Server.This issue affects Corpkit: from n/a through <= 2.0.
- CVE-2025-67968CRITICALCVSS 9.9EG 9.92026-01-22
Unrestricted Upload of File with Dangerous Type vulnerability in InspiryThemes Real Homes CRM realhomes-crm allows Using Malicious Files.This issue affects Real Homes CRM: from n/a through <= 1.0.0.
- CVE-2025-68001CRITICALCVSS 10.0EG 9.82026-01-22
Unrestricted Upload of File with Dangerous Type vulnerability in garidium g-FFL Checkout g-ffl-checkout allows Upload a Web Shell to a Web Server.This issue affects g-FFL Checkout: from n/a through <= 2.1.0.
- CVE-2025-6802CRITICALCVSS 9.8EG 9.82025-07-07
Marvell QConvergeConsole getFileFromURL Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole. Authenticatio…
- CVE-2025-68109CRITICALCVSS 9.1EG 9.12025-12-17
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file an…
- CVE-2025-6837CRITICALCVSS 9.8EG 6.32025-06-29
A vulnerability classified as critical was found in code-projects Library System 1.0. Affected by this vulnerability is an unknown functionality of the file /profile.php. The manipulation of the argument image leads to unrestricted upload.…
- CVE-2025-68398CRITICALCVSS 9.1EG 9.12025-12-18
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue.
- CVE-2025-6843CRITICALCVSS 9.8EG 7.32025-06-29
A vulnerability was found in code-projects Simple Photo Gallery 1.0. It has been classified as critical. Affected is an unknown function of the file /upload-photo.php. The manipulation of the argument file_img leads to unrestricted upload.…
- CVE-2025-6848HIGHCVSS 8.8EG 6.32025-06-29
A vulnerability, which was classified as critical, has been found in code-projects Simple Forum 1.0. This issue affects some unknown processing of the file /forum1.php. The manipulation of the argument File leads to unrestricted upload. Th…
- CVE-2025-68549CRITICALCVSS 9.9EG 9.92026-02-20
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Wiguard wiguard allows Upload a Web Shell to a Web Server.This issue affects Wiguard: from n/a through < 2.0.1.
- CVE-2025-68553CRITICALCVSS 9.9EG 9.92026-03-05
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Lendiz lendiz allows Upload a Web Shell to a Web Server.This issue affects Lendiz: from n/a through < 2.0.1.
- CVE-2025-68554CRITICALCVSS 9.9EG 9.92026-03-05
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Keenarch keenarch allows Using Malicious Files.This issue affects Keenarch: from n/a through < 2.0.1.
- CVE-2025-68555CRITICALCVSS 9.9EG 9.92026-03-05
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Nutrie nutrie allows Upload a Web Shell to a Web Server.This issue affects Nutrie: from n/a through < 2.0.1.
- CVE-2025-68562CRITICALCVSS 9.9EG 9.92025-12-29
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through 8.7.3.
- CVE-2025-6870MEDIUMCVSS 4.7EG 4.72025-06-29
A vulnerability was found in SourceCodester Simple Company Website 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /classes/Content.php?f=service. The manipulation of the argument img le…
- CVE-2025-6872HIGHCVSS 7.2EG 4.72025-06-29
A vulnerability classified as critical was found in SourceCodester Simple Company Website 1.0. This vulnerability affects unknown code of the file /classes/SystemSettings.php?f=update_settings. The manipulation of the argument img leads to…
- CVE-2025-6873HIGHCVSS 7.2EG 4.72025-06-29
A vulnerability, which was classified as critical, has been found in SourceCodester Simple Company Website 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save. The manipulation of the argument img leads to…
- CVE-2025-68909CRITICALCVSS 9.9EG 9.82026-01-22
Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogistic blogistic allows Using Malicious Files.This issue affects Blogistic: from n/a through <= 1.0.5.
- CVE-2025-68910CRITICALCVSS 9.9EG 9.82026-01-22
Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogzee blogzee allows Using Malicious Files.This issue affects Blogzee: from n/a through <= 1.0.5.
- CVE-2025-68986CRITICALCVSS 9.9EG 9.92026-01-22
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Miion miion allows Upload a Web Shell to a Web Server.This issue affects Miion: from n/a through <= 1.2.7.
- CVE-2025-6900CRITICALCVSS 9.8EG 6.32025-06-30
A vulnerability has been found in code-projects Library System 1.0 and classified as critical. This vulnerability affects unknown code of the file /add-book.php. The manipulation of the argument image leads to unrestricted upload. The atta…
- CVE-2025-69129CRITICALCVSS 10.0EG 10.02026-06-17
Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7 versions.
- CVE-2025-69312CRITICALCVSS 9.1EG 9.12026-01-22
Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server.This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1.
- CVE-2025-69403CRITICALCVSS 9.9EG 9.92026-02-20
Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files.This issue affects Bravis Addons: from n/a through <= 1.3.0.
- CVE-2025-69559CRITICALCVSS 9.8EG 9.82026-01-27
code-projects Computer Book Store 1.0 is vulnerable to File Upload in admin_add.php.
- CVE-2025-69565CRITICALCVSS 9.8EG 9.82026-01-27
code-projects Mobile Shop Management System 1.0 is vulnerable to File Upload in /ExAddProduct.php.
- CVE-2025-69618MEDIUMCVSS 6.5EG 6.52026-02-04
An arbitrary file overwrite vulnerability in the file import process of Tarot, Astro & Healing v11.4.0 allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive informat…
- CVE-2025-69828CRITICALCVSS 10.0EG 10.02026-01-22
File Upload vulnerability in TMS Global Software TMS Management Console v.6.3.7.27386.20250818 allows a remote attacker to execute arbitrary code via the Logo upload in /Customer/AddEdit
- CVE-2025-69906HIGHCVSS 8.8EG 8.82026-02-05
Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typ…
- CVE-2025-69981CRITICALCVSS 9.8EG 9.82026-02-03
FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to o…
- CVE-2025-70457CRITICALCVSS 9.8EG 9.82026-01-23
A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application pr…
- CVE-2025-7063CRITICALCVSS 9.8EG 9.82025-09-30
Due to client-controlled permission check parameter, PAD CMS's file upload functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed leading to Remote …
- CVE-2025-7065CRITICALCVSS 9.8EG 9.82025-09-30
Due to client-controlled permission check parameter, PAD CMS's photo upload functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed leading to Remote…
- CVE-2025-7075HIGHCVSS 8.8EG 6.32025-07-06
A vulnerability was found in BlackVue Dashcam 590X up to 20250624. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /upload.cgi of the component HTTP Endpoint. The manipulation leads …
- CVE-2025-70849MEDIUMCVSS 6.1EG 6.12026-02-03
Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy …
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →