CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,083 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 76 of 82
- CVE-2025-8764MEDIUMCVSS 5.4EG 6.32025-08-09
A vulnerability classified as critical has been found in linlinjava litemall up to 1.8.0. Affected is the function Upload of the file /wx/storage/upload. The manipulation of the argument File leads to unrestricted upload. It is possible to…
- CVE-2025-8775CRITICALCVSS 9.8EG 6.32025-08-09
A vulnerability was found in Qiyuesuo Eelectronic Signature Platform up to 4.34 and classified as critical. Affected by this issue is the function execute of the file /api/code/upload of the component Scheduled Task Handler. The manipulati…
- CVE-2025-8798MEDIUMCVSS 6.1EG 7.32025-08-10
A vulnerability was found in oitcode samarium up to 0.9.6. It has been classified as critical. Affected is an unknown function of the file /dashboard/product of the component Create Product Page. The manipulation leads to unrestricted uplo…
- CVE-2025-8841MEDIUMCVSS 6.1EG 6.32025-08-11
A vulnerability was identified in zlt2000 microservices-platform up to 6.0.0. Affected by this vulnerability is the function Upload of the file zlt-business/file-center/src/main/java/com/central/file/controller/FileController.java. The man…
- CVE-2025-8859HIGHCVSS 8.8EG 6.32025-08-11
A vulnerability was identified in code-projects eBlog Site 1.0. Affected by this vulnerability is an unknown functionality of the file /native/admin/save-slider.php of the component File Upload Module. The manipulation leads to unrestricte…
- CVE-2025-8889LOWCVSS 3.8EG 6.52025-09-09
The Compress & Upload WordPress plugin before 1.0.5 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in mult…
- CVE-2025-8965HIGHCVSS 8.8EG 6.32025-08-14
A vulnerability has been found in linlinjava litemall up to 1.8.0. This vulnerability affects the function create of the file litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminStorageController.java of the component E…
- CVE-2025-9099MEDIUMCVSS 6.3EG 6.32025-08-18
A vulnerability was identified in Acrel Environmental Monitoring Cloud Platform up to 20250804. This affects an unknown part of the file /NewsManage/UploadNewsImg. The manipulation of the argument File leads to unrestricted upload. It is p…
- CVE-2025-9112HIGHCVSS 8.8EG 8.82025-09-08
The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'doccure_temp_file_uploader' function in all versions up to, and including, 1.5.0. This makes it possible for authenticate…
- CVE-2025-9113CRITICALCVSS 9.8EG 9.82025-09-08
The Doccure Core plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'doccure_temp_upload_to_media' function in all versions up to, and including, 1.5.3. This makes it possible for unauth…
- CVE-2025-9153HIGHCVSS 8.8EG 6.32025-08-19
A vulnerability was detected in itsourcecode Online Tour and Travel Management System 1.0. This vulnerability affects unknown code of the file /admin/operations/travellers.php. The manipulation of the argument photo results in unrestricted…
- CVE-2025-9212HIGHCVSS 7.5EG 7.52025-10-03
The WP Dispatcher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wp_dispatcher_process_upload() function in all versions up to, and including, 1.2.0. This makes it possible for authe…
- CVE-2025-9216HIGHCVSS 8.8EG 8.82025-09-17
The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all ve…
- CVE-2025-9296CRITICALCVSS 9.8EG 4.72025-08-21
A security vulnerability has been detected in Emlog Pro up to 2.5.18. This affects an unknown function of the file /admin/blogger.php?action=update_avatar. Such manipulation of the argument image leads to unrestricted upload. It is possibl…
- CVE-2025-9397CRITICALCVSS 9.8EG 6.32025-08-24
A weakness has been identified in givanz Vvveb up to 1.0.7.2. Affected is an unknown function of the file /system/traits/media.php. Executing manipulation of the argument files[] can lead to unrestricted upload. The attack can be launched …
- CVE-2025-9400HIGHCVSS 8.8EG 6.32025-08-25
A flaw has been found in YiFang CMS up to 2.0.5. This affects the function mergeMultipartUpload of the file app/utils/base/plugin/P_file.php. This manipulation of the argument File causes unrestricted upload. Remote exploitation of the att…
- CVE-2025-9406CRITICALCVSS 9.8EG 6.32025-08-25
A weakness has been identified in xuhuisheng lemon up to 1.13.0. This affects the function uploadImage of the file CmsArticleController.java of the component com.mossle.cms.web.CmsArticleController.uploadImage. This manipulation of the arg…
- CVE-2025-9415CRITICALCVSS 9.8EG 6.32025-08-25
A vulnerability was identified in GreenCMS up to 2.3.0603. This affects an unknown part of the file /index.php?m=admin&c=media&a=fileconnect. The manipulation of the argument upload[] leads to unrestricted upload. The attack is possible to…
- CVE-2025-9475CRITICALCVSS 9.8EG 7.32025-08-26
A flaw has been found in SourceCodester Human Resource Information System 1.0. Affected by this vulnerability is an unknown functionality of the file /Admin_Dashboard/process/editemployee_process.php. This manipulation of the argument empl…
- CVE-2025-9476CRITICALCVSS 9.8EG 7.32025-08-26
A vulnerability has been found in SourceCodester Human Resource Information System 1.0. Affected by this issue is some unknown functionality of the file /Superadmin_Dashboard/process/editemployee_process.php. Such manipulation of the argum…
- CVE-2025-9515HIGHCVSS 7.2EG 7.22025-09-06
The Multi Step Form plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the import functionality in all versions up to, and including, 1.7.25. This makes it possible for authenticated attack…
- CVE-2025-9561HIGHCVSS 8.8EG 8.82025-10-03
The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider() handler in versions 3.8.1 to 3.8.2. This makes it poss…
- CVE-2025-9712HIGHCVSS 8.8EG 8.82025-09-09
Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.
- CVE-2025-9772CRITICALCVSS 9.8EG 9.82025-09-01
A vulnerability was detected in RemoteClinic up to 2.0. This affects an unknown part of the file /staff/edit.php. Performing manipulation of the argument image results in unrestricted upload. The attack can be initiated remotely. The explo…
- CVE-2025-9775CRITICALCVSS 9.8EG 7.32025-09-01
A vulnerability was found in RemoteClinic up to 2.0. Impacted is an unknown function of the file /staff/edit-my-profile.php. The manipulation of the argument image results in unrestricted upload. The attack may be launched remotely. The ex…
- CVE-2025-9795MEDIUMCVSS 5.4EG 6.32025-09-01
A vulnerability has been found in xujeff tianti 天梯 up to 2.3. The impacted element is the function ajaxUploadFile of the file src/main/java/com/jeff/tianti/controller/UploadController.java. The manipulation of the argument upfile leads…
- CVE-2025-9800MEDIUMCVSS 6.1EG 6.12025-09-01
A weakness has been identified in SimStudioAI sim up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af. Affected by this issue is the function Import of the file apps/sim/app/api/files/upload/route.ts of the component HTML File Parser. Executing…
- CVE-2025-9841HIGHCVSS 8.8EG 6.32025-09-03
A security vulnerability has been detected in code-projects Mobile Shop Management System 1.0. This affects an unknown function of the file AddNewProduct.php. The manipulation of the argument ProductImage leads to unrestricted upload. The …
- CVE-2025-9846CRITICALCVSS 10.0EG 10.02025-09-23
Unrestricted Upload of File with Dangerous Type vulnerability in TalentSys Consulting Information Technology Industry Inc. Inka.Net allows Command Injection. This issue affects Inka.Net: before 6.7.1.
- CVE-2025-9847CRITICALCVSS 9.8EG 9.82025-09-03
A weakness has been identified in ScriptAndTools Real Estate Management System 1.0. Impacted is an unknown function of the file register.php. This manipulation of the argument uimage causes unrestricted upload. Remote exploitation of the a…
- CVE-2025-9872HIGHCVSS 8.8EG 8.82025-09-09
Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.
- CVE-2025-9941HIGHCVSS 8.8EG 6.32025-09-04
A flaw has been found in CodeAstro Real Estate Management System 1.0. This impacts an unknown function of the file /register.php. Executing manipulation of the argument uimage can lead to unrestricted upload. The attack can be launched rem…
- CVE-2025-9942HIGHCVSS 8.8EG 6.32025-09-04
A vulnerability has been found in CodeAstro Real Estate Management System 1.0. Affected is an unknown function of the file /submitproperty.php. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploi…
- CVE-2026-0496MEDIUMCVSS 6.6EG 6.62026-01-13
SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availabilit…
- CVE-2026-0547MEDIUMCVSS 6.3EG 6.32026-01-02
A vulnerability was found in PHPGurukul Online Course Registration up to 3.1. This issue affects some unknown processing of the file /admin/edit-student-profile.php of the component Student Registration Page. The manipulation of the argume…
- CVE-2026-0566MEDIUMCVSS 4.7EG 4.72026-01-02
A security vulnerability has been detected in code-projects Content Management System 1.0. Impacted is an unknown function of the file /admin/edit_posts.php. The manipulation of the argument image leads to unrestricted upload. The attack i…
- CVE-2026-0577MEDIUMCVSS 6.3EG 6.32026-01-04
A flaw has been found in code-projects Online Product Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /handgunner-administrator/prod.php. Executing a manipulation can lead to unrestricted uplo…
- CVE-2026-0643HIGHCVSS 7.3EG 7.32026-01-07
A flaw has been found in projectworlds House Rental and Property Listing 1.0. Impacted is an unknown function of the file /app/register.php?action=reg of the component Signup. This manipulation of the argument image causes unrestricted upl…
- CVE-2026-0740CRITICALCVSS 9.8EG 9.82026-04-07
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. T…
- CVE-2026-0911HIGHCVSS 7.5EG 7.52026-01-24
The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including,…
- CVE-2026-10071CRITICALCVSS 9.8EG 9.82026-05-29
DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
- CVE-2026-10072HIGHCVSS 7.2EG 7.22026-05-29
DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
- CVE-2026-10172MEDIUMCVSS 6.3EG 6.32026-05-31
A security flaw has been discovered in Bdtask Multi-Store Inventory Management System 1.0. The affected element is the function Upload of the file application/modules/dashboard/controllers/Module.php of the component Component Module. The …
- CVE-2026-10205MEDIUMCVSS 6.3EG 6.32026-06-01
A security vulnerability has been detected in Metasoft 美特软件 MetaCRM 6.4.0. The impacted element is an unknown function of the file develop/systparam/softlogo/upload.jsp. Such manipulation leads to unrestricted upload. The attack ma…
- CVE-2026-1021CRITICALCVSS 9.8EG 9.82026-01-16
Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attacker to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
- CVE-2026-1061MEDIUMCVSS 6.3EG 6.32026-01-17
A vulnerability was detected in xiweicheng TMS up to 2.28.0. Affected by this issue is the function Upload of the file src/main/java/com/lhjz/portal/controller/FileController.java. The manipulation of the argument filename results in unres…
- CVE-2026-1065HIGHCVSS 7.2EG 7.22026-02-03
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak subst…
- CVE-2026-10806MEDIUMCVSS 6.3EG 6.32026-06-04
A vulnerability was found in mjperpinosa stumasy. The affected element is an unknown function of the file application/PHP/objects/updates/add_post.php. Performing a manipulation of the argument up_file_to_post results in unrestricted uploa…
- CVE-2026-10807MEDIUMCVSS 6.3EG 6.32026-06-04
A vulnerability was determined in mjperpinosa stumasy. The impacted element is an unknown function of the file application/PHP/objects/profiles/change_profile_image.php. Executing a manipulation of the argument pr_profile_image can lead to…
- CVE-2026-1107MEDIUMCVSS 6.3EG 6.32026-01-18
A weakness has been identified in EyouCMS up to 1.7.1/5.0. Impacted is the function check_userinfo of the file Diyajax.php of the component Member Avatar Handler. Executing a manipulation of the argument viewfile can lead to unrestricted u…
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →