CWE-434
Unrestricted Upload of File with Dangerous Type
Source: MITRE. No catalog description on file; the MITRE CWE site has the canonical reference.
Recent CVEs
- CVE-2026-53724 (score not listed; EPSS 0%; 18 h ago)
  Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a
- CVE-2024-7399 (High, 8.8; KEV; EXPLOIT; EPSS 73%; 20 h ago)
  Samsung MagicINFO 9 Server Path Traversal Vulnerability
- CVE-2024-7694 (High, 7.2; KEV; EPSS 1%; 20 h ago)
  TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability
- CVE-2021-26828 (High, 8.8; KEV; EPSS 80%; 20 h ago)
  OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability
- CVE-2024-57968 (Critical, 9.9; KEV; EPSS 41%; 20 h ago)
  Advantive VeraCore Unrestricted File Upload Vulnerability
- CVE-2017-12617 (High, 8.1; KEV; EXPLOIT; EPSS 94%; 20 h ago)
  Apache Tomcat Remote Code Execution Vulnerability
- CVE-2018-15961 (Critical, 9.8; KEV; EXPLOIT; EPSS 94%; 20 h ago)
  Adobe ColdFusion Unrestricted File Upload Vulnerability
- CVE-2025-2749 (High, 7.2; KEV; EPSS 5%; 20 h ago)
  Kentico Xperience Path Traversal Vulnerability
- CVE-2018-4063 (High, 8.8; KEV; EPSS 2%; 20 h ago)
  Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability
- CVE-2024-50623 (Critical, 9.8; KEV; EPSS 94%; 20 h ago)
  Cleo Multiple Products Unrestricted File Upload Vulnerability
- CVE-2017-12615 (High, 8.1; KEV; EXPLOIT; EPSS 94%; 20 h ago)
  Apache Tomcat on Windows Remote Code Execution Vulnerability
- CVE-2024-39717 (High, 7.2; KEV; EPSS 5%; 20 h ago)
  Versa Director Dangerous File Type Upload Vulnerability
- CVE-2020-8260 (High, 7.2; KEV; EXPLOIT; EPSS 73%; 20 h ago)
  Ivanti Pulse Connect Secure Code Execution Vulnerability
- CVE-2020-25213 (Critical, 10.0; KEV; EXPLOIT; EPSS 94%; 20 h ago)
  WordPress File Manager Plugin Remote Code Execution Vulnerability
- CVE-2021-27860 (Critical, 9.8; KEV; EPSS 40%; 20 h ago)
  FatPipe WARP, IPVPN, and MPVPN Configuration Upload exploit
- CVE-2025-52691 (Critical, 10.0; KEV; EXPLOIT; EPSS 89%; 20 h ago)
  SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability
- CVE-2025-31324 (Critical, 10.0; KEV; EPSS 44%; 20 h ago)
  SAP NetWeaver Unrestricted File Upload Vulnerability
- CVE-2021-20022 (High, 7.2; KEV; EPSS 33%; 20 h ago)
  SonicWall Email Security Unrestricted Upload of File Vulnerability
- CVE-2020-13671 (High, 8.8; KEV; EPSS 3%; 20 h ago)
  Drupal core Un-restricted Upload of File
- CVE-2021-31207 (Medium, 6.6; KEV; EXPLOIT; EPSS 94%; 20 h ago)
  Microsoft Exchange Server Security Feature Bypass Vulnerability
- CVE-2019-8394 (Medium, 6.5; KEV; EXPLOIT; EPSS 88%; 20 h ago)
  Zoho ManageEngine ServiceDesk Plus (SDP) File Upload Vulnerability
- CVE-2026-53787 (Critical, 9.8; 21 h ago)
  Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload vulnerability that allows unauthenticated attackers to write arbitrary files to the store's media directory by submitting files of
- CVE-2026-6211 (High, 8.7; 21 h ago)
  Unrestricted upload of file with dangerous type vulnerability in Global IT Informatics Services Inc. WEOLL allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WEOLL: from 2.0.9 before 3.2.45.33.
- CVE-2026-46489 (High, 8.1; EPSS 0%; 1 d ago)
  SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This
- CVE-2026-11839 (Critical, 9.9; EPSS 0%; 1 d ago)
  Unrestricted upload of file with dangerous type vulnerability in Başarsoft Information Technologies Inc. Rotaban allows Upload a Web Shell to a Web Server. This issue affects Rotaban: from V2026.06.002 before V2026.06.003.
- CVE-2026-7852 (Critical, 9.8; EPSS 0%; 1 d ago)
  Unrestricted upload of file with dangerous type vulnerability in Limatek System Inc. LimRAD NAC allows Remote Code Inclusion. This issue affects LimRAD NAC: before 5.5.7.3.9.
- CVE-2025-13462 (Low, 3.3; EPSS 0%; 1 d ago)
  The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpre
- CVE-2026-9067 (Critical, 9.1; EPSS 0%; 2 d ago)
  The Schema & Structured Data for WP & AMP WordPress plugin before 1.60 does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended med
- CVE-2026-36722 (Medium, 5.4; EPSS 0%; 2 d ago)
  An authenticated arbitrary file upload vulnerability in the /api/create-car-image component of bookcars v8.3 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2026-33582 (Medium, 6.5; EPSS 0%; 3 d ago)
  Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. A crafted TIFF image could trigger excessive memory allocation during image decoding, allowing an authenticat
- CVE-2026-34031 (Medium, 6.5; EPSS 0%; 3 d ago)
  Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The server did not sufficiently validate user-supplied image URLs, allowing arbitrary external content to be
- CVE-2025-40808 (Medium, 6.1; EPSS 0%; 3 d ago)
  A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions), SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions), SIPROTEC 5 6MD86 (CP200) (All versions), SIPROTEC 5 6MD86 (CP300) (All version
- CVE-2026-11621 (Medium, 4.7; EPSS 0%; 4 d ago)
  A weakness has been identified in Dcat-Admin up to 2.2.3-beta. This impacts the function editorMDUpload of the file /admin/dcat-api/editor-md/upload of the component User Setting Page. This manipulation of the argument editormd-image-file c
- CVE-2026-46400 (score not listed; EPSS 0%; 4 d ago)
  HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 11.0.6 and prior to version 25.0.0, the file upload functionality in HAXCMS PHP only validates file extensions using a regex pattern without checking t
- CVE-2024-58349 (Critical, 9.8; EPSS 0%; 4 d ago)
  WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's upload functionality. Attackers can uploa
- CVE-2024-58348 (Critical, 9.8; EPSS 0%; 4 d ago)
  WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file
- CVE-2026-7537 (High, 7.2; EPSS 0%; 4 d ago)
  The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being
- CVE-2026-11474 (High, 7.3; EPSS 0%; 4 d ago)
  A security flaw has been discovered in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected is an unknown function of the file service/RegisterService.php of the component Registration Endpoint. Perfor
- CVE-2025-2155 (High, 8.8; EPSS 0%; 7 d ago)
  Unrestricted Upload of File with Dangerous Type vulnerability in Echo Call Center Services Trade and Industry Inc. Specto CM allows Remote Code Inclusion. This issue affects Specto CM: before 17032025.
- CVE-2025-0984 (High, 8.2; EPSS 0%; 7 d ago)
  Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netoloji Software E-Flow allows Accessing Functionality Not Properly Constrained b
- CVE-2025-0645 (High, 7.2; EPSS 0%; 7 d ago)
  Unrestricted Upload of File with Dangerous Type vulnerability in Narkom Communication and Software Technologies Trade Ltd. Co. Pyxis Signage allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Pyxis Signage:
- CVE-2026-11419 (score not listed; EPSS 0%; 7 d ago)
  A path traversal vulnerability exists in the Altium Enterprise Server Vault Service UploadController due to improper validation of a user-controlled path component in image upload requests. An authenticated user can supply a crafted absolut
- CVE-2026-46392 (High, 8.7; EPSS 0%; 7 d ago)
  HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the `.htaccess
- CVE-2026-42538 (Medium, 6.3; EPSS 0%; 7 d ago)
  IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 do not properly validate uploaded files. The application can therefore be misused to host phishing p
- CVE-2026-5411 (High, 8.8; EPSS 0%; 7 d ago)
  The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 5.38. This is due to a capability ch
CWE catalog data sourced from MITRE. CVE associations come from NVD weakness mappings; some CVEs carry multiple CWEs.