Total
3476 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-9099 | 2025-08-18 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was identified in Acrel Environmental Monitoring Cloud Platform up to 20250804. This affects an unknown part of the file /NewsManage/UploadNewsImg. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-7441 | 2025-08-18 | N/A | 9.8 CRITICAL | ||
| The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-6079 | 2025-08-18 | N/A | 8.8 HIGH | ||
| The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the homework.php file in all versions up to, and including, 93.2.0. This makes it possible for authenticated attackers, with Student-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-8297 | 1 Ivanti | 1 Avalanche | 2025-08-15 | N/A | 7.2 HIGH |
| Incomplete restriction of configuration in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to achieve remote code execution | |||||
| CVE-2025-6679 | 2025-08-15 | N/A | 9.8 CRITICAL | ||
| The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally a form with an advanced file upload element needs to be published. | |||||
| CVE-2025-54473 | 2025-08-15 | N/A | N/A | ||
| An authenticated RCE vulnerability in Phoca Commander component 1.0.0-4.0.0 and 5.0.0-5.0.1 for Joomla was discovered. The issue allows code execution via the unzip feature. | |||||
| CVE-2025-52239 | 1 Zkea | 1 Zkeacms | 2025-08-14 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in ZKEACMS v4.1 allows attackers to execute arbitrary code via a crafted file. | |||||
| CVE-2025-54693 | 2025-08-14 | N/A | 9.0 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in epiphyt Form Block allows Upload a Web Shell to a Web Server. This issue affects Form Block: from n/a through 1.5.5. | |||||
| CVE-2012-10056 | 2025-08-14 | N/A | N/A | ||
| PHP Volunteer Management System v1.0.2 contains an arbitrary file upload vulnerability in its document upload functionality. Authenticated users can upload files to the mods/documents/uploads/ directory without any restriction on file type or extension. Because this directory is publicly accessible and lacks execution controls, attackers can upload a malicious PHP payload and execute it remotely. The application ships with default credentials, making exploitation trivial. Once authenticated, the attacker can upload a PHP shell and trigger it via a direct GET request. | |||||
| CVE-2025-24775 | 2025-08-14 | N/A | 9.9 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms allows Upload a Web Shell to a Web Server. This issue affects Forms: from n/a through 2.9.0. | |||||
| CVE-2025-5061 | 1 Vjinfotech | 1 Wp Import Export Lite | 2025-08-13 | N/A | 7.5 HIGH |
| The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_parse_upload_data' function in all versions up to, and including, 3.9.29. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 3.9.29. | |||||
| CVE-2025-44139 | 1 Emlog | 1 Emlog | 2025-08-13 | N/A | 7.2 HIGH |
| Emlog Pro V2.5.7 is vulnerable to Unrestricted Upload of File with Dangerous Type via /emlog/admin/plugin.php?action=upload_zip | |||||
| CVE-2025-6206 | 1 Coderevolution | 1 Aiomatic | 2025-08-13 | N/A | 7.5 HIGH |
| The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aiomatic_image_editor_ajax_submit' function in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. In order to exploit the vulnerability, there must be a value entered for the Stability.AI API key. The value can be arbitrary. | |||||
| CVE-2025-2005 | 1 Etoilewebdesign | 1 Front End Users | 2025-08-12 | N/A | 9.8 CRITICAL |
| The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and including, 3.2.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-6207 | 1 Vjinfotech | 1 Wp Import Export Lite | 2025-08-12 | N/A | 7.5 HIGH |
| The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_tempalte_import' function in all versions up to, and including, 3.9.28. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-33023 | 2025-08-12 | N/A | 4.1 MEDIUM | ||
| A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions), RUGGEDCOM ROX MX5000RE (All versions), RUGGEDCOM ROX RX1400 (All versions), RUGGEDCOM ROX RX1500 (All versions), RUGGEDCOM ROX RX1501 (All versions), RUGGEDCOM ROX RX1510 (All versions), RUGGEDCOM ROX RX1511 (All versions), RUGGEDCOM ROX RX1512 (All versions), RUGGEDCOM ROX RX1524 (All versions), RUGGEDCOM ROX RX1536 (All versions), RUGGEDCOM ROX RX5000 (All versions). The affected devices do not properly enforce the restriction of files that can be uploaded from the web interface. This could allow an authenticated remote attacker with high privileges in the web interface to upload arbitrary files. | |||||
| CVE-2025-27127 | 2025-08-12 | N/A | 4.3 MEDIUM | ||
| A vulnerability has been identified in TIA Project-Server (All versions < V2.1.1), TIA Project-Server V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V18 (All versions), Totally Integrated Automation Portal (TIA Portal) V19 (All versions < V19 Update 4), Totally Integrated Automation Portal (TIA Portal) V20 (All versions < V20 Update 3). The affected application improperly handles uploaded projects in the document root. This could allow an attacker with contributor privileges to cause denial of service by uploading a malicious project. | |||||
| CVE-2025-3515 | 1 Codedropz | 1 Drag And Drop Multiple File Upload - Contact Form 7 | 2025-08-11 | N/A | 8.1 HIGH |
| The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is not strictly validated before being passed to the PHP interpreter. | |||||
| CVE-2012-10038 | 2025-08-11 | N/A | N/A | ||
| Auxilium RateMyPet contains an unauthenticated arbitrary file upload vulnerability in upload_banners.php. The banner upload feature fails to validate file types or enforce authentication, allowing remote attackers to upload malicious PHP files. These files are stored in a web-accessible /banners/ directory and can be executed directly, resulting in remote code execution. | |||||
| CVE-2025-2512 | 1 File Away Project | 1 File Away | 2025-08-11 | N/A | 9.8 CRITICAL |
| The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||