| CVE | Severity | CVSS | EPSS | KEV | Fix | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-53909 | Medium | 5.3 v4 | - | - | No fix available yet | 2026-07-01 | MCO does not correctly validate types of uploaded files. File upload validation relies only on client-side checks, which can be bypassed. An authorized, low-privileged attacker can upload files with arbitrary types to the server. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions. |
| CVE-2026-48283 | Critical | 10.0 v3 | - | - | No fix available yet | 2026-06-30 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. |
| CVE-2026-48276 | Critical | 10.0 v3 | - | - | No fix available yet | 2026-06-30 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. |
| CVE-2026-53691 | High | 8.6 v4 | - | - | No fix available yet | 2026-06-30 | An Unrestricted File Upload vulnerability in Redeight CMS version 1.0 allows authenticated attackers to achieve Remote Code Execution via the POST "/admin/index.php?module=pages&mode=FileAdd" endpoint. The application fails to validate file extensions and MIME types, permitting the upload of arbitrary PHP scripts to the publicly accessible "/uploads/files/" directory where they can be executed directly by the web server. |
| CVE-2025-24815 | High | 7.8 v3 | 0.2% | - | No fix available yet | 2026-06-30 | Nokia MantaRay NM is subject to an unrestricted file upload vulnerability due to insufficient file type validation. Successful exploitation could allow an authenticated attacker to upload malicious files onto the system. |
| CVE-2026-13165 | High | 8.6 v4 | 0.4% | - | No fix available yet | 2026-06-29 | SzafirHost verifies the downloaded native library archive with a JarFile parser (which reads the Central Directory) but extracts native libraries with a JarInputStream parser (which reads sequentially from local file headers). An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check, while the archive-size check still passes. This can lead to remote code execution. This issue was fixed in version 1.2.2. |
| CVE-2026-13553 | High | 7.3 v3 | 0.5% | - | No fix available yet | 2026-06-29 | A flaw has been found in itsourcecode Online Hotel Management System 1.0. Affected is an unknown function of the file /admin/mod_amenities/controller.php?action=add. Manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. |
| CVE-2026-13547 | High | 7.3 v3 | 0.3% | - | No fix available yet | 2026-06-29 | A vulnerability was determined in Hanwang e-Face General Management Platform 6.3.5.4. This issue affects some unknown processing of the file /manage/resourceUpload/upload.do. Manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. |
| CVE-2026-56414 | High | 7.2 v3 | 0.4% | - | No fix available yet | 2026-06-26 | The certificate-related upload interfaces of H.View IP cameras allow authenticated users to store arbitrary file content at fixed, persistent filesystem locations without validating file type, structure, or size. This design omission enables the placement of unexpected or malformed data in locations intended for trusted certificate material, which could affect system integrity or behavior even after a reboot. |
| CVE-2026-33560 | High | 7.1 v3 | 0.3% | - | No fix available yet | 2026-06-26 | The DMP-5000 file service exposes authenticated arbitrary file upload functionality. Exposed endpoints allow authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced, so executable binaries and scripts are accepted and written directly to the server. |
| CVE-2026-57658 | Critical | 9.1 v3 | 0.3% | - | No fix available yet | 2026-06-26 | Administrator Arbitrary File Upload in TemplateSpare <= 4.2.0 versions. |
| CVE-2026-56059 | Critical | 9.9 v3 | 0.4% | - | No fix available yet | 2026-06-26 | Subscriber Arbitrary File Upload in Travel Booking <= 2.2.5 versions. |
| CVE-2026-56058 | Critical | 9.9 v3 | 0.4% | - | No fix available yet | 2026-06-26 | Subscriber Arbitrary File Upload in Quform <= 2.23.0 versions. |
| CVE-2026-56027 | Critical | 9.9 v3 | 0.3% | - | No fix available yet | 2026-06-26 | Customer Arbitrary File Upload in Booster for WooCommerce <= 8.0.1 versions. |
| CVE-2026-57700 | Critical | 10.0 v3 | 0.4% | - | No fix available yet | 2026-06-25 | Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This issue affects OMGF Pro: from n/a through 5.2.6. |
| CVE-2026-48946 | Medium | 6.3 v3 | 0.2% | - | No fix available yet | 2026-06-25 | The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context. |
| CVE-2026-48945 | Medium | 5.3 v3 | 0.2% | - | No fix available yet | 2026-06-25 | The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access. |
| CVE-2026-53948 | Medium | 5.4 v3 | 0.1% | - | No fix available yet | 2026-06-24 | Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served from the site with an attacker-chosen content type on S3/GCS storage backends. On installations that serve uploaded files from the same origin as the site, this could have been used to facilitate stored cross-site scripting against site visitors or staff. This vulnerability is fixed in 6.21.1. |
| CVE-2026-48939 | Critical | 9.8 v3 | 0.5% | - | Fix available | 2026-06-20 | A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution. |
| CVE-2026-48908 | Critical | 9.8 v3 | 0.8% | - | Fix available | 2026-06-20 | A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code. |
| CVE-2019-25758 | High | 8.8 v3 | 0.7% | - | No fix available yet | 2026-06-19 | Joomla! Component vBizz 1.0.7 contains an unrestricted file upload vulnerability that allows authenticated attackers to upload arbitrary PHP files by submitting malicious files through the profile_pic parameter. Attackers can upload PHP files via POST requests to the employee view endpoint and execute them from the uploads directory to achieve remote code execution. |
| CVE-2026-54414 | Critical | 9.8 v3 | 0.7% | - | No fix available yet | 2026-06-19 | FileRise before 3.16.0 is vulnerable to path traversal in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), leading to arbitrary file write and administrator account takeover. The upload filename is validated by FolderController with basename() and REGEX_FILE_NAME, which permit URL-encoded sequences (the regex blocks / and \ but not %). The raw filename is then passed to UploadModel::handleUpload, where it is reconstructed as trim(urldecode(basename($fileName))), re-introducing path separators after validation (e.g. ..%2fusers%2fusers.txt becomes ../users/users.txt). UploadNamePolicy::isAllowedForWrite() applies basename() internally and therefore only evaluates the final component (users.txt), allowing the traversal sequence to pass the extension policy. The destin |
| CVE-2026-9860 | High | 8.8 v3 | 0.6% | - | No fix available yet | 2026-06-18 | The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config.php, combined with the absence of single-quote escaping — sanitize_text_field() does not strip single quotes, and filter_input(INPUT_POST) bypasses wp_magic_quotes() slashing — allowing a single quote in the account-id or api-key parameter to break out of the single-quoted PHP string literal in the write_config() define() statement. This makes it possible for authenticated attackers, with author-l |
| CVE-2026-52705 | Critical | 9.0 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Arbitrary File Upload in SigmaForms Pro – AI Generated Forms <= 1.4.5 versions. |
| CVE-2026-40749 | Critical | 9.9 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Subscriber Arbitrary File Upload in Charity Zone <= 1.1.1 versions. |
| CVE-2026-40748 | Critical | 9.9 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Subscriber Arbitrary File Upload in Kids Gift Shop <= 0.5.4 versions. |
| CVE-2026-40747 | Critical | 9.9 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Subscriber Arbitrary File Upload in Ecommerce Zone <= 0.9.7 versions. |
| CVE-2026-40746 | Critical | 9.9 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Subscriber Arbitrary File Upload in Restaurant Zone <= 0.7.8 versions. |
| CVE-2026-39598 | High | 8.0 v3 | 0.2% | - | No fix available yet | 2026-06-17 | Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server. This issue affects Academy LMS Pro: from n/a before 3.5.2. |
| CVE-2026-39589 | Critical | 9.9 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Subscriber Arbitrary File Upload in Webenvo <= 0.0.6 versions. |
| CVE-2026-27041 | Critical | 9.9 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Contributor Arbitrary File Upload in Unlimited Elements for Elementor (Premium) <= 2.0.6 versions. |
| CVE-2026-25446 | Critical | 9.9 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Subscriber Arbitrary File Upload in WishList Member X <= 3.29.0 versions. |
| CVE-2026-22327 | Critical | 9.9 v3 | 0.5% | - | No fix available yet | 2026-06-17 | Subscriber Arbitrary File Upload in Restaurt <= 1.0.4 versions. |
| CVE-2025-69129 | Critical | 10.0 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7 versions. |
| CVE-2025-60218 | Critical | 9.9 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Subscriber Arbitrary File Upload in PT Luxa Addons <= 1.2.2 versions. |
| CVE-2025-59872 | Medium | 4.3 v3 | 0.5% | - | No fix available yet | 2026-06-17 | HCL ZIE for Web is affected by an Unrestricted File Upload vulnerability. If the server is configured to execute code, it may be possible to obtain command execution on the server by uploading a web shell, which allows execution of arbitrary code or operating system commands. For this attack to be successful, the file needs to be uploaded inside the webroot, and the server must be configured to execute the code. |
| CVE-2024-52488 | Critical | 9.9 v3 | 0.5% | - | No fix available yet | 2026-06-17 | Subscriber Arbitrary File Upload in Grip <= 1.0.9 versions. |
| CVE-2026-40750 | Critical | 9.9 v3 | 0.3% | - | No fix available yet | 2026-06-16 | Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server. This issue affects Kids Online Store: from n/a through 0.8.9. |
| CVE-2026-6933 | High | 8.8 v3 | 0.6% | - | No fix available yet | 2026-06-16 | The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the 'createFromStub' function performing unsanitized string substitution of the 'premmerce_plugin_namespace' parameter directly into PHP stub files written to the wp-content/plugins/ directory. An attacker can inject a semicolon followed by arbitrary PHP code into the namespace parameter, causing the generated plugin file to contain and execute that code when accessed via HTTP. This makes it possible for authenticated attackers with Subscriber-level access and above to create arbitrary PHP files on the serv |
| CVE-2026-40772 | Critical | 10.0 v3 | 0.3% | - | No fix available yet | 2026-06-15 | Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions. |
| CVE-2026-39591 | Critical | 9.9 v3 | 0.5% | - | No fix available yet | 2026-06-15 | Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions. |
| CVE-2026-39527 | Medium | 5.4 v3 | 0.3% | - | No fix available yet | 2026-06-15 | Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions. |
| CVE-2026-50873 | Critical | 9.8 v3 | 0.4% | - | No fix available yet | 2026-06-15 | An arbitrary file upload vulnerability in the attachment handling component of flatnotes v5.5.4 allows attackers to execute arbitrary code via uploading a crafted HTML or SVG file. |
| CVE-2018-25436 | Critical | 9.8 v3 | 0.7% | - | No fix available yet | 2026-06-15 | WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution. |
| CVE-2026-5482 | Critical | 9.3 v4 | 0.4% | - | No fix available yet | 2026-06-15 | Responsive FileManager allows an unauthenticated attacker to upload files of any type and extension without restriction using the dialog.php endpoint, leading to Remote Code Execution. This project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release, 9.14.0. |
| CVE-2026-34027 | Medium | 5.3 v4 | 0.3% | - | No fix available yet | 2026-06-15 | The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains insufficient server-side file type validation in the /safe/contract/uploadcustomdocuments endpoint. The application validates uploaded files based on the user-controlled HTTP Content-Type value and accepts the upload if this value contains an allowed string such as pdf, jpeg, tiff, or png. An authenticated attacker with any role or permission level can spoof the Content-Type value and upload arbitrary file content. |
| CVE-2026-53724 | Low | 2.1 v4 | 0.3% | - | No fix available yet | 2026-06-12 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked (e.g. poc.svg.). The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the attacker-controlled Content-Type is forwarded to the storage adapter unchanged. Storage adapters that persist and serve the provided Content-Type (such as S3 or GCS) then serve the file with an active type such as image/svg+xml, enabling stored XSS when a victim opens the file URL. The default GridFS adapter is not affected because it sets X-Content-Type-Options: n |
| CVE-2026-6211 | High | 8.7 v3 | 0.2% | - | No fix available yet | 2026-06-12 | Unrestricted upload of file with dangerous type vulnerability in Global IT Informatics Services Inc. WEOLL allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WEOLL: from 2.0.9 before 3.2.45.33. |
| CVE-2026-53787 | Critical | 9.8 v3 | 3.7% | - | No fix available yet | 2026-06-12 | Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload vulnerability that allows unauthenticated attackers to write arbitrary files to the store's media directory by submitting files of any type or name to the upload endpoint without authentication, session validation, or cart context. Attackers can upload PHP files to achieve remote code execution on servers where the media directory permits PHP execution, or alternatively enable malware hosting, stored cross-site scripting via HTML or SVG uploads, and path traversal to write files outside the intended upload directory. |
| CVE-2026-46489 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-11 | SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17. |
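The SzafirHost entry (CVE-2026-13165) describes a parser differential inside the ZIP format itself: the verifier enumerates entries from the Central Directory, the extractor walks local file headers from the start, and an entry that exists only as a local header is invisible to one and extracted by the other. The following is an added example, not SzafirHost code: it constructs a small stored archive (contents made up for the example), injects a local-header-only entry the way the advisory describes, shows that Python's `zipfile` (a Central-Directory reader, like `JarFile`) does not list it while a sequential local-header walk (like `JarInputStream`) does, and ends with the consistency check an extractor should run before trusting a verifier that parsed the archive differently.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
LOCAL_FMT = "<HHHHHIIIHH"  # local-header fields after the 4-byte signature (26 bytes)


def build_archive() -> bytes:
    """Constructed sample standing in for the signed native-library bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("lib/libnative.so", b"legitimate native library bytes")
    return buf.getvalue()


def local_header_entry(name: bytes, data: bytes) -> bytes:
    """A stored (method 0) entry as it appears in the local-header stream."""
    fields = struct.pack(LOCAL_FMT, 10, 0, 0, 0, 0,
                         zlib.crc32(data) & 0xFFFFFFFF, len(data), len(data),
                         len(name), 0)
    return LOCAL_SIG + fields + name + data


def inject_hidden_entry(archive: bytes, name: bytes, data: bytes) -> bytes:
    """Attacker transform from the advisory: place a local-header-only entry between
    the last legitimate entry and the Central Directory, add no directory record,
    and repoint the EOCD's central-directory offset so the archive still opens."""
    cd_start = archive.find(CENTRAL_SIG)
    hidden = local_header_entry(name, data)
    out = bytearray(archive[:cd_start] + hidden + archive[cd_start:])
    eocd = out.rfind(EOCD_SIG)
    (cd_offset,) = struct.unpack_from("<I", out, eocd + 16)
    struct.pack_into("<I", out, eocd + 16, cd_offset + len(hidden))
    return bytes(out)


def directory_entries(archive: bytes) -> list:
    """What a Central-Directory reader sees (zipfile here, JarFile in the advisory)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


def sequential_entries(archive: bytes) -> list:
    """What a streaming reader sees (JarInputStream in the advisory): walk local
    headers from offset 0 until the next bytes are not a local header."""
    entries, pos = [], 0
    while archive.startswith(LOCAL_SIG, pos):
        (_, flags, method, _, _, _, csize, _, nlen, xlen) = struct.unpack_from(
            LOCAL_FMT, archive, pos + 4)
        if flags & 0x08 or method != 0:
            raise ValueError("example handles stored entries with in-header sizes only")
        name_start = pos + 30
        data_start = name_start + nlen + xlen
        entries.append((archive[name_start:name_start + nlen].decode(),
                        archive[data_start:data_start + csize]))
        pos = data_start + csize
    return entries


def entry_sets_agree(archive: bytes) -> bool:
    """Check an extractor should make when the verifier used a different parser:
    the local-header stream and the Central Directory must list the same entries."""
    return [n for n, _ in sequential_entries(archive)] == directory_entries(archive)


if __name__ == "__main__":
    legit = build_archive()
    evil = inject_hidden_entry(legit, b"lib/libinjected.so", b"attacker controlled bytes")
    print("directory view :", directory_entries(evil))
    print("sequential view:", [n for n, _ in sequential_entries(evil)])
    print("consistent     :", entry_sets_agree(evil))
```

The hardening the check implies is the same one the fix needs: verify and extract with the same parser, or refuse any archive where the two views disagree (including trailing bytes between the last local entry and the Central Directory), rather than relying on an archive-size check that the injected entry can be sized to satisfy.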
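The FileRise entry (CVE-2026-54414) is an ordering bug rather than a missing check: the filename is validated with `basename()` and a regex that blocks `/` and `\` but not `%`, and only afterwards `urldecode`d, which puts the separators back. The following is an added example, not FileRise code. `UPLOAD_ROOT`, `NAME_RE` and `ALLOWED_EXT` are assumptions standing in for the shared-folder root, `REGEX_FILE_NAME` and the extension policy; the vulnerable function reproduces the validate-then-decode order and the traversal from the advisory, and the hardened one decodes once, validates the string that will actually be written, and proves the resolved path stays inside the root.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

UPLOAD_ROOT = "/srv/uploads/shared"  # hypothetical shared-folder root for this example
# Stand-in for REGEX_FILE_NAME: rejects '/' and '\' but is silent about '%'.
NAME_RE = re.compile(r"^[^/\\\x00]{1,255}$")
# Stricter allowlist for the hardened path: no '%', no leading dot, no separators.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")
ALLOWED_EXT = {".txt", ".pdf", ".png", ".jpg"}  # assumed extension policy


def vulnerable_destination(raw_name: str) -> Optional[str]:
    """Validate first, urldecode afterwards: the ordering described in the advisory."""
    candidate = posixpath.basename(raw_name)  # strips raw separators only
    if not NAME_RE.fullmatch(candidate):
        return None
    decoded = unquote(candidate).strip()      # '%2f' becomes '/' after the check ran
    # The extension policy applies basename() itself, so it only ever sees 'users.txt'.
    if posixpath.splitext(posixpath.basename(decoded))[1].lower() not in ALLOWED_EXT:
        return None
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, decoded))


def safe_destination(raw_name: str) -> Optional[str]:
    """Decode exactly once, validate the decoded string, then check containment.
    The returned name must be used literally downstream and never decoded again."""
    name = unquote(raw_name).strip()
    if not SAFE_NAME_RE.fullmatch(name):
        return None
    if posixpath.splitext(name)[1].lower() not in ALLOWED_EXT:
        return None
    dest = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    # Belt and braces: the resolved path must sit directly under the upload root.
    if posixpath.dirname(dest) != UPLOAD_ROOT:
        return None
    if posixpath.commonpath([UPLOAD_ROOT, dest]) != UPLOAD_ROOT:
        return None
    return dest


if __name__ == "__main__":
    for probe in ("report.pdf", "../users/users.txt", "..%2fusers%2fusers.txt"):
        print(f"{probe!r:32} vulnerable={vulnerable_destination(probe)!r:40} "
              f"safe={safe_destination(probe)!r}")
```

Note that the vulnerable path does neutralize a raw `../users/users.txt`, because `basename()` reduces it to `users.txt`; that is exactly why the encoded form is the one that matters, and why a filename check has to run on the bytes the filesystem will receive, not on an earlier representation of them.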
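Three entries in the table fail on the same two inputs: a filename the server parses differently from how it will later be interpreted, and a `Content-Type` header the client chose. Parse Server (CVE-2026-53724) parses `poc.svg.` as having no extension and forwards the client's `Content-Type` to storage; SafeController (CVE-2026-34027) accepts any `Content-Type` that merely contains `pdf`, `jpeg`, `tiff` or `png`; Ghost (CVE-2026-53948) serves the client-supplied type back from S3/GCS. The following is an added example and not code from any of those projects: the two vulnerable checks are reconstructed from the advisory text (the blocklist contents are assumed), and the hardened version normalizes the name, uses an extension allowlist, sniffs magic bytes, requires the name and the bytes to agree, and derives the served `Content-Type` from the sniffed type rather than the request. The sample PNG and JPEG bytes are constructed headers, not real images.

```python
import posixpath
from typing import Optional

# Blocklist in the style the Parse Server advisory describes (contents assumed).
BLOCKED_EXT = {"svg", "html", "htm", "js", "php", "phtml"}


def vulnerable_blocklist(filename: str, client_content_type: str) -> Optional[str]:
    """Blocklist on the parsed extension; 'poc.svg.' parses to '' and slips through,
    and the client's Content-Type is returned unchanged for storage to serve later."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if ext in BLOCKED_EXT:
        return None
    return client_content_type


def vulnerable_content_type_check(client_content_type: str) -> bool:
    """Substring match on a header the client controls (the SafeController pattern)."""
    return any(t in client_content_type.lower() for t in ("pdf", "jpeg", "tiff", "png"))


# Hardened path: allowlist + magic bytes + server-chosen response headers.
MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "png", "image/png"),
    (b"\xff\xd8\xff", "jpg", "image/jpeg"),
    (b"%PDF-", "pdf", "application/pdf"),
)
ALLOWED_EXT = {"png", "jpg", "pdf"}
EXT_ALIASES = {"jpeg": "jpg"}


def sniff_type(data: bytes) -> Optional[tuple]:
    """Return (canonical extension, media type) from leading bytes, or None."""
    for magic, ext, ctype in MAGIC:
        if data.startswith(magic):
            return ext, ctype
    return None


def hardened_accept(filename: str, data: bytes, client_content_type: str) -> Optional[dict]:
    """Return the name to store and the headers to serve it with, or None to reject.
    client_content_type is taken as a parameter only to make the point that it is
    never consulted; the stem should additionally be sanitized or replaced."""
    name = posixpath.basename(filename).strip().rstrip(". ")  # 'poc.svg.' -> 'poc.svg'
    stem, dot, ext = name.rpartition(".")
    ext = EXT_ALIASES.get(ext.lower(), ext.lower())
    if not dot or not stem or ext not in ALLOWED_EXT:
        return None                              # allowlist, not blocklist
    sniffed = sniff_type(data)
    if sniffed is None or sniffed[0] != ext:
        return None                              # name and bytes disagree
    return {
        "stored_name": f"{stem}.{ext}",
        "headers": {
            "Content-Type": sniffed[1],          # chosen by the server, never the client
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": "attachment",
        },
    }


if __name__ == "__main__":
    print(vulnerable_blocklist("poc.svg.", "image/svg+xml"))
    print(vulnerable_content_type_check("text/html; charset=pdf"))
    print(hardened_accept("poc.svg.", b"<svg onload=alert(1)>", "image/svg+xml"))
    print(hardened_accept("logo.PNG.", b"\x89PNG\r\n\x1a\n" + bytes(16), "text/html"))
```

`Content-Disposition: attachment` and `nosniff` are the serving-side half of the defence: even a file that gets through should not be rendered inline from the site's origin, which is the condition the Ghost and Parse Server entries rely on for stored XSS.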
Uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog.