Total
3111 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-47939 | 2025-05-21 | 5.4 Medium | ||
| TYPO3 is an open source, PHP based web content management system. By design, the file management module in TYPO3’s backend user interface has historically allowed the upload of any file type, with the exception of those that are directly executable in a web server context. This lack of restriction means it is possible to upload files that may be considered potentially harmful, such as executable binaries (e.g., `.exe` files), or files with inconsistent file extensions and MIME types (for example, a file incorrectly named with a `.png` extension but actually carrying the MIME type `application/zip`) starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS. Although such files are not directly executable through the web server, their presence can introduce indirect risks. For example, third-party services such as antivirus scanners or malware detection systems might flag or block access to the website for end users if suspicious files are found. This could negatively affect the availability or reputation of the site. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem. | ||||
| CVE-2025-3585 | 1 Westboy | 1 Cicadascms | 2025-05-21 | 6.3 Medium |
| A vulnerability classified as critical has been found in westboy CicadasCMS 1.0. This affects an unknown part of the file /upload/ of the component JSP Parser. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-3565 | 1 Huanfenz | 1 Studentmanager | 2025-05-21 | 4.7 Medium |
| A vulnerability classified as critical was found in huanfenz/code-projects StudentManager 1.0. This vulnerability affects unknown code of the file /upload/uploadArticle.do of the component Announcement Management Section. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-40050 | 1 Zfile | 1 Zfile | 2025-05-21 | 9.8 Critical |
| ZFile v4.1.1 was discovered to contain an arbitrary file upload vulnerability via the component /file/upload/1. | ||||
| CVE-2022-37346 | 1 Ec-cube | 1 Product Image Bulk Upload | 2025-05-21 | 9.8 Critical |
| EC-CUBE plugin 'Product Image Bulk Upload Plugin' 1.0.0 and 4.1.0 contains an insufficient verification vulnerability when uploading files. Exploiting this vulnerability allows a remote unauthenticated attacker to upload arbitrary files other than image files. If a user with an administrative privilege of EC-CUBE where the vulnerable plugin is installed is led to upload a specially crafted file, an arbitrary script may be executed on the system. | ||||
| CVE-2024-0757 | 1 Elearningfreak | 1 Insert Or Embed Articulate Content | 2025-05-21 | 5.4 Medium |
| The Insert or Embed Articulate Content into WordPress plugin through 4.3000000023 is not properly filtering which file extensions are allowed to be imported on the server, allowing the uploading of malicious code within zip files | ||||
| CVE-2022-40925 | 1 Phpgurukul | 1 Zoo Management System | 2025-05-21 | 7.2 High |
| Zoo Management System v1.0 has an arbitrary file upload vulnerability in the picture upload point of the "save_event" file of the "Events" module in the background management system. | ||||
| CVE-2022-40924 | 1 Phpgurukul | 1 Zoo Management System | 2025-05-21 | 7.2 High |
| Zoo Management System v1.0 has an arbitrary file upload vulnerability in the picture upload point of the "save_animal" file of the "Animals" module in the background management system. | ||||
| CVE-2024-22641 | 1 Tcpdf Project | 1 Tcpdf | 2025-05-21 | 7.5 High |
| TCPDF version 6.6.5 and before is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted SVG file. | ||||
| CVE-2022-40878 | 1 Exam Reviewer Management System Project | 1 Exam Reviewer Management System | 2025-05-21 | 8.8 High |
| In Exam Reviewer Management System 1.0, an authenticated attacker can upload a web-shell php file in profile page to achieve Remote Code Execution (RCE). | ||||
| CVE-2025-4926 | 1 Phpgurukul | 1 Car Rental Portal | 2025-05-21 | 4.7 Medium |
| A vulnerability was found in PHPGurukul Car Rental Project 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/post-avehical.php. The manipulation of the argument img1/img2/img3/img4/img5 leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-41437 | 1 Billing System Project Project | 1 Billing System Project | 2025-05-20 | 7.2 High |
| Billing System Project v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/createProduct.php. | ||||
| CVE-2022-40407 | 1 Chamilo | 1 Chamilo | 2025-05-20 | 8.8 High |
| A zip slip vulnerability in the file upload function of Chamilo v1.11 allows attackers to execute arbitrary code via a crafted Zip file. | ||||
| CVE-2022-40048 | 1 Flatpress | 1 Flatpress | 2025-05-20 | 7.2 High |
| Flatpress v1.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the Upload File function. | ||||
| CVE-2025-22389 | 1 Optimizely | 1 Optimizely Cms | 2025-05-20 | 8 High |
| An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS, where the application does not properly validate uploaded files. This allows the upload of potentially malicious file types, including .docm .html. When accessed by application users, these files can be used to execute malicious actions or compromise users' systems. | ||||
| CVE-2022-41406 | 1 Church Management System Project | 1 Church Management System | 2025-05-20 | 7.2 High |
| An arbitrary file upload vulnerability in the /admin/admin_pic.php component of Church Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | ||||
| CVE-2022-40341 | 1 Mojoportal | 1 Mojoportal | 2025-05-20 | 8.8 High |
| mojoPortal v2.7 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted PNG file. | ||||
| CVE-2022-41385 | 1 Democritus | 1 D8s-html | 2025-05-20 | 9.8 Critical |
| The d8s-html package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0. | ||||
| CVE-2022-41384 | 1 Democritus | 1 D8s-domains | 2025-05-20 | 9.8 Critical |
| The d8s-domains package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0. | ||||
| CVE-2022-41383 | 1 Democritus | 1 D8s-archives | 2025-05-20 | 9.8 Critical |
| The d8s-archives package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0. | ||||