Total
3701 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-53922 | 1 Tinywebgallery | 1 Tinywebgallery | 2025-12-24 | 9.8 Critical |
| TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL. | ||||
| CVE-2025-14885 | 2 Lerouxyxchire, Sourcecodester | 2 Client Database Management System, Client Database Management System | 2025-12-24 | 6.3 Medium |
| A flaw has been found in SourceCodester Client Database Management System 1.0. This affects an unknown part of the file /user_leads.php of the component Leads Generation Module. Executing manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. | ||||
| CVE-2024-44598 | 1 Fntsoftware | 1 Fnt Command | 2025-12-23 | 8.8 High |
| FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module. | ||||
| CVE-2024-44599 | 1 Fntsoftware | 1 Fnt Command | 2025-12-23 | 8.3 High |
| FNT Command 13.4.0 is vulnerable to Directory Traversal. | ||||
| CVE-2025-14583 | 1 Campcodes | 1 Online Student Enrollment System | 2025-12-23 | 7.3 High |
| A flaw has been found in campcodes Online Student Enrollment System 1.0. This impacts an unknown function of the file /admin/register.php. Executing manipulation of the argument photo can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. | ||||
| CVE-2020-36849 | 2 Ait-themes, Wordpress | 2 Ait Cvs Import Export, Wordpress | 2025-12-23 | 9.8 Critical |
| The AIT CSV import/export plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php file in versions up to, and including, 3.0.3. This makes it possible for unauthorized attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | ||||
| CVE-2023-53950 | 1 Innovastudio | 1 Wysiwyg Editor | 2025-12-23 | 9.8 Critical |
| InnovaStudio WYSIWYG Editor 5.4 contains an unrestricted file upload vulnerability that allows attackers to bypass file extension restrictions through filename manipulation. Attackers can upload malicious ASP shells by using null byte techniques and alternate file extensions to circumvent upload controls in the asset manager. | ||||
| CVE-2023-53956 | 1 Flatnux | 1 Flatnux | 2025-12-23 | 8.8 High |
| Flatnux 2021-03.25 contains an authenticated file upload vulnerability that allows administrative users to upload arbitrary PHP files through the file manager. Attackers with admin credentials can upload malicious PHP scripts to the web root directory, enabling remote code execution on the server. | ||||
| CVE-2025-14800 | 2 Themeisle, Wordpress | 2 Redirection For Contact Form 7, Wordpress | 2025-12-23 | 8.1 High |
| The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_file_to_upload' function in all versions up to, and including, 3.2.7. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server. If 'allow_url_fopen' is set to 'On', it is possible to upload a remote file to the server. | ||||
| CVE-2025-13329 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2025-12-23 | 9.8 Critical |
| The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-6085 | 2 Celonis, Wordpress | 2 Make Connector, Wordpress | 2025-12-22 | 7.2 High |
| The Make Connector plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'upload_media' function in all versions up to, and including, 1.5.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-14582 | 1 Campcodes | 1 Online Student Enrollment System | 2025-12-22 | 4.7 Medium |
| A vulnerability was detected in campcodes Online Student Enrollment System 1.0. This affects an unknown function of the file /admin/index.php?page=user-profile. Performing manipulation of the argument userphoto results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used. | ||||
| CVE-2023-52324 | 1 Trendmicro | 1 Apex Central | 2025-12-22 | 8.8 High |
| An unrestricted file upload vulnerability in Trend Micro Apex Central could allow a remote attacker to create arbitrary files on affected installations. Please note: although authentication is required to exploit this vulnerability, this vulnerability could be exploited when the attacker has any valid set of credentials. Also, this vulnerability could be potentially used in combination with another vulnerability to execute arbitrary code. | ||||
| CVE-2018-19453 | 1 Kentico | 1 Xperience | 2025-12-19 | 8.8 High |
| Kentico CMS before 11.0.45 allows unrestricted upload of a file with a dangerous type. | ||||
| CVE-2019-19493 | 1 Kentico | 1 Xperience | 2025-12-19 | 5.4 Medium |
| Kentico before 12.0.50 allows file uploads in which the Content-Type header is inconsistent with the file extension, leading to XSS. | ||||
| CVE-2025-65474 | 1 Easyimages2.0 Project | 1 Easyimages2.0 | 2025-12-19 | 8.8 High |
| An arbitrary file rename vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via renaming a PHP file to a SVG format. | ||||
| CVE-2012-10019 | 2 Scribu, Wordpress | 2 Front-end Editor, Wordpress | 2025-12-19 | 9.8 Critical |
| The Front End Editor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the upload.php file in versions before 2.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | ||||
| CVE-2024-58279 | 1 Apprain | 1 Apprain | 2025-12-19 | 8.8 High |
| appRain CMF 4.0.5 contains an authenticated remote code execution vulnerability that allows administrative users to upload malicious PHP files through the filemanager upload endpoint. Attackers can leverage authenticated access to generate a web shell with command execution capabilities by uploading a crafted PHP file to the site's uploads directory. | ||||
| CVE-2024-58281 | 1 Dotclear | 1 Dotclear | 2025-12-19 | 8.8 High |
| Dotclear 2.29 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload process by crafting a PHP shell with a command execution form to gain system access through the uploaded file. | ||||
| CVE-2024-58282 | 2 S9y, Serendipity | 2 Serendipity, Serendipity | 2025-12-19 | 7.2 High |
| Serendipity 2.5.0 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload mechanism by creating a PHP shell with a command execution form that enables arbitrary system command execution on the web server. | ||||