Total
3699 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-6266 | 1 Flir | 2 Flir Ax8, Flir Ax8 Firmware | 2025-12-31 | 6.3 Medium |
| A vulnerability was detected in Teledyne FLIR AX8 up to 1.46. Affected by this vulnerability is an unknown functionality of the file /upload.php. Performing manipulation of the argument File results in unrestricted upload. It is possible to initiate the attack remotely. The exploit is now public and may be used. Upgrading to version 1.49.16 addresses this issue. Upgrading the affected component is recommended. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities." | ||||
| CVE-2025-15009 | 2 1000mz, Liweiyi | 2 Chestnutcms, Chestnutcms | 2025-12-31 | 6.3 Medium |
| A flaw has been found in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function FilenameUtils.getExtension of the file /dev-api/common/upload of the component Filename Handler. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used. | ||||
| CVE-2025-63994 | 1 Psolom | 1 Richfilemanager | 2025-12-31 | 9.8 Critical |
| An arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager v2.7.6 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2025-15050 | 2 Code-projects, Fabian | 2 Student Management System, Student File Management System | 2025-12-30 | 6.3 Medium |
| A security vulnerability has been detected in code-projects Student File Management System 1.0. This affects an unknown part of the file /save_file.php. Such manipulation of the argument File leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2024-58313 | 1 Xbtitfm | 1 Xbtitfm | 2025-12-30 | 7.2 High |
| xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modifying the Content-Type header to image/gif, adding GIF89a magic bytes, and using alternate PHP tags to upload web shells that execute system commands. | ||||
| CVE-2023-53871 | 1 Soosyze | 1 Soosyze | 2025-12-30 | 9.8 Critical |
| Soosyze 2.0.0 contains a file upload vulnerability that allows attackers to upload arbitrary HTML files with embedded PHP code to the application. Attackers can exploit the broken file upload mechanism to potentially view sensitive file paths and execute malicious PHP scripts on the server. | ||||
| CVE-2025-15110 | 1 Jackq | 1 Xcms | 2025-12-29 | 4.7 Medium |
| A vulnerability has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. Affected is the function Upload of the file Admin/Home/Controller/ProductImageController.class.php of the component Backend. Such manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2025-15109 | 1 Jackq | 1 Xcms | 2025-12-29 | 7.3 High |
| A flaw has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. This impacts an unknown function of the file Public/javascripts/admin/plupload-2.1.2/examples/upload.php. This manipulation causes unrestricted upload. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2025-15067 | 2025-12-29 | 7.7 High | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Innorix Innorix WP allows Upload a Web Shell to a Web Server.This issue affects Innorix WP from All versions If the "exam" directory exists under the directory where the product is installed (ex: innorix/exam) | ||||
| CVE-2025-2155 | 2025-12-29 | 8.8 High | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Echo Call Center Services Trade and Industry Inc. Specto CM allows Remote Code Inclusion.This issue affects Specto CM: before 17032025. | ||||
| CVE-2025-15152 | 2025-12-29 | 6.3 Medium | ||
| A vulnerability was identified in h-moses moga-mall up to 392d631a5ef15962a9bddeeb9f1269b9085473fa. This vulnerability affects the function addProduct of the file src/main/java/com/ms/product/controller/PmsProductController.java. Such manipulation of the argument objectName leads to unrestricted upload. The attack may be performed from remote. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. | ||||
| CVE-2025-2748 | 1 Kentico | 1 Xperience | 2025-12-27 | 6.1 Medium |
| The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS.This issue affects Kentico Xperience through 13.0.178. | ||||
| CVE-2023-53971 | 1 Webtareas Project | 1 Webtareas | 2025-12-26 | 8.8 High |
| WebTareas 2.4 contains a file upload vulnerability that allows authenticated users to upload malicious PHP files through the chat photo upload functionality. Attackers can upload a PHP file with arbitrary code to the /files/Messages/ directory and execute it directly through the generated file path. | ||||
| CVE-2023-53980 | 1 Projectsend | 1 Projectsend | 2025-12-26 | 9.8 Critical |
| ProjectSend r1605 contains a remote code execution vulnerability that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server. | ||||
| CVE-2019-25229 | 1 Kentico | 1 Xperience | 2025-12-24 | 8.8 High |
| An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with 'Read data' permissions to upload arbitrary file types via MVC form file uploader components. Attackers can manipulate file names and upload potentially malicious files to the system, enabling unauthorized file uploads. | ||||
| CVE-2023-53952 | 1 Dotclear | 1 Dotclear | 2025-12-24 | 8.8 High |
| Dotclear 2.25.3 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension through the blog post creation interface. Attackers can upload files containing PHP system commands that execute when the uploaded file is accessed, enabling arbitrary code execution on the server. | ||||
| CVE-2023-53933 | 1 S9y | 1 Serendipity | 2025-12-24 | 8.8 High |
| Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension. Attackers can upload files with system command payloads to the media upload endpoint and execute arbitrary commands on the server. | ||||
| CVE-2023-53922 | 1 Tinywebgallery | 1 Tinywebgallery | 2025-12-24 | 9.8 Critical |
| TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL. | ||||
| CVE-2025-14885 | 2 Lerouxyxchire, Sourcecodester | 2 Client Database Management System, Client Database Management System | 2025-12-24 | 6.3 Medium |
| A flaw has been found in SourceCodester Client Database Management System 1.0. This affects an unknown part of the file /user_leads.php of the component Leads Generation Module. Executing manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. | ||||
| CVE-2024-44598 | 1 Fntsoftware | 1 Fnt Command | 2025-12-23 | 8.8 High |
| FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module. | ||||