Total
3787 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-35945 | 1 Elegantthemes | 3 Divi, Divi Builder, Divi Extra | 2026-02-03 | 6.5 MEDIUM | 9.9 CRITICAL |
| An issue was discovered in the Divi Builder plugin, Divi theme, and Divi Extra theme before 4.5.3 for WordPress. Authenticated attackers, with contributor-level or above capabilities, can upload arbitrary files, including .php files. This occurs because the check for file extensions is on the client side. | |||||
| CVE-2022-50912 | 1 Impresscms | 1 Impresscms | 2026-02-03 | N/A | 9.8 CRITICAL |
| ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file extensions .php2.php6.php7.phps.pht to execute arbitrary PHP code on the server. | |||||
| CVE-2026-24673 | 2026-02-03 | N/A | 4.3 MEDIUM | ||
| The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a file upload validation bypass vulnerability allows attackers to upload files with prohibited extensions by embedding them inside ZIP archives and extracting them using the application’s built-in decompression functionality. This issue has been patched in version 4.2. | |||||
| CVE-2020-37113 | 2026-02-03 | N/A | 8.8 HIGH | ||
| GUnet OpenEclass 1.7.3 allows authenticated users to bypass file extension restrictions when uploading files. By renaming a PHP file to .php3 or .PhP, an attacker can upload a web shell and execute arbitrary code on the server. This vulnerability enables remote code execution by bypassing the intended file type checks in the exercise submission feature. | |||||
| CVE-2021-47758 | 1 Chikitsa | 1 Patient Management System | 2026-02-03 | N/A | 8.8 HIGH |
| Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious PHP plugins through the module upload functionality. Authenticated attackers can generate and upload a ZIP plugin with a PHP backdoor that enables arbitrary command execution on the server through a weaponized PHP script. | |||||
| CVE-2026-25200 | 2026-02-03 | N/A | 9.8 CRITICAL | ||
| A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover This issue affects MagicINFO 9 Server: less than 21.1090.1. | |||||
| CVE-2026-25201 | 2026-02-03 | N/A | 8.8 HIGH | ||
| An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1. | |||||
| CVE-2026-1742 | 2026-02-03 | 5.8 MEDIUM | 4.7 MEDIUM | ||
| A vulnerability was identified in EFM ipTIME A8004T 14.18.2. Affected by this vulnerability is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi of the component VPN Service. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-1730 | 2026-02-03 | N/A | 8.8 HIGH | ||
| The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2026-1065 | 2026-02-03 | N/A | 7.2 HIGH | ||
| The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms. | |||||
| CVE-2025-66480 | 2026-02-03 | N/A | 9.8 CRITICAL | ||
| Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint (/fs) that handles multipart file uploads but fails to properly sanitize the filename provided by the user. Specifically, the writeFileUploadData method directly concatenates the configured storage directory with the filename extracted from the upload request without stripping directory traversal sequences (e.g., ../../). This vulnerability allows an attacker to write arbitrary files to any location on the server's filesystem where the application process has write permissions. By uploading malicious files (such as scripts, executables, or overwriting configuration files like authorized_keys or cron jobs), an attacker can achieve Remote Code Execution (RCE) and completely compromise the server. This vulnerability is fixed in 1.4.3. | |||||
| CVE-2025-69565 | 1 Fabian | 1 Mobile Shop Management System | 2026-02-03 | N/A | 9.8 CRITICAL |
| code-projects Mobile Shop Management System 1.0 is vulnerable to File Upload in /ExAddProduct.php. | |||||
| CVE-2025-69559 | 1 Carmelo | 1 Computer Book Store | 2026-02-03 | N/A | 9.8 CRITICAL |
| code-projects Computer Book Store 1.0 is vulnerable to File Upload in admin_add.php. | |||||
| CVE-2025-36519 | 2026-02-03 | N/A | 4.3 MEDIUM | ||
| Unrestricted upload of file with dangerous type issue exists in WRC-2533GST2, WRC-1167GST2, WRC-2533GST2, WRC-2533GS2V-B,WRC-2533GS2-B v1.69 and earlier, WRC-2533GS2-W, WRC-1167GST2, WRC-1167GS2-B, and WRC-1167GS2H-B. If a specially crafted file is uploaded by a remote authenticated attacker, arbitrary code may be executed on the product. | |||||
| CVE-2020-37023 | 2026-01-30 | N/A | 8.8 HIGH | ||
| Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. Attackers can upload PHP files with system command execution capabilities by manipulating the file upload request through a web proxy and changing the file extension. | |||||
| CVE-2024-5911 | 1 Paloaltonetworks | 1 Pan-os | 2026-01-30 | N/A | 4.9 MEDIUM |
| An arbitrary file upload vulnerability in Palo Alto Networks Panorama software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and crash the Panorama. Repeated attacks eventually cause the Panorama to enter maintenance mode, which requires manual intervention to bring the Panorama back online. | |||||
| CVE-2025-8889 | 1 Eliehanna | 1 Compress And Upload Plugin | 2026-01-30 | N/A | 3.8 LOW |
| The Compress & Upload WordPress plugin before 1.0.5 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup) | |||||
| CVE-2026-21625 | 1 Stackideas | 1 Easydiscuss | 2026-01-30 | N/A | 8.8 HIGH |
| User provided uploads to the Easy Discuss component for Joomla aren't properly validated. Uploads are purely checked by file extensions, no mime type checks are happening. | |||||
| CVE-2025-70457 | 1 Remyandrade | 1 Modern Image Gallery App | 2026-01-30 | N/A | 9.8 CRITICAL |
| A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise. | |||||
| CVE-2025-55251 | 1 Hcltech | 1 Aion | 2026-01-30 | N/A | 3.1 LOW |
| HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. | |||||