Total: 3884 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2025-15152 | | | 2025-12-29 | 6.3 Medium | A vulnerability was identified in h-moses moga-mall up to 392d631a5ef15962a9bddeeb9f1269b9085473fa. This vulnerability affects the function addProduct of the file src/main/java/com/ms/product/controller/PmsProductController.java. Manipulation of the argument objectName leads to unrestricted upload. The attack may be performed from remote. This product uses a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. |
| CVE-2025-2748 | 1 Kentico | 1 Xperience | 2025-12-27 | 6.1 Medium | The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS. This issue affects Kentico Xperience through 13.0.178. |
| CVE-2019-25229 | 1 Kentico | 1 Xperience | 2025-12-24 | 8.8 High | An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with 'Read data' permissions to upload arbitrary file types via MVC form file uploader components. Attackers can manipulate file names and upload potentially malicious files to the system, enabling unauthorized file uploads. |
| CVE-2023-53922 | 1 Tinywebgallery | 1 Tinywebgallery | 2025-12-24 | 9.8 Critical | TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL. |
| CVE-2025-14885 | 2 Lerouxyxchire, Sourcecodester | 2 Client Database Management System, Client Database Management System | 2025-12-24 | 6.3 Medium | A flaw has been found in SourceCodester Client Database Management System 1.0. This affects an unknown part of the file /user_leads.php of the component Leads Generation Module. Manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. |
| CVE-2024-44598 | 1 Fntsoftware | 1 Fnt Command | 2025-12-23 | 8.8 High | FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module. |
| CVE-2024-44599 | 1 Fntsoftware | 1 Fnt Command | 2025-12-23 | 8.3 High | FNT Command 13.4.0 is vulnerable to Directory Traversal. |
| CVE-2023-53950 | 1 Innovastudio | 1 Wysiwyg Editor | 2025-12-23 | 9.8 Critical | InnovaStudio WYSIWYG Editor 5.4 contains an unrestricted file upload vulnerability that allows attackers to bypass file extension restrictions through filename manipulation. Attackers can upload malicious ASP shells by using null byte techniques and alternate file extensions to circumvent upload controls in the asset manager. |
| CVE-2025-14800 | 2 Themeisle, Wordpress | 2 Redirection For Contact Form 7, Wordpress | 2025-12-23 | 8.1 High | The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_file_to_upload' function in all versions up to, and including, 3.2.7. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server. If 'allow_url_fopen' is set to 'On', it is possible to upload a remote file to the server. |
| CVE-2025-13329 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2025-12-23 | 9.8 Critical | The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them on the affected site's server, which may make remote code execution possible. |
| CVE-2025-6085 | 2 Celonis, Wordpress | 2 Make Connector, Wordpress | 2025-12-22 | 7.2 High | The Make Connector plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'upload_media' function in all versions up to, and including, 1.5.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. |
| CVE-2023-52324 | 1 Trendmicro | 1 Apex Central | 2025-12-22 | 8.8 High | An unrestricted file upload vulnerability in Trend Micro Apex Central could allow a remote attacker to create arbitrary files on affected installations. Please note: although authentication is required to exploit this vulnerability, it could be exploited when the attacker has any valid set of credentials. Also, this vulnerability could potentially be used in combination with another vulnerability to execute arbitrary code. |
| CVE-2018-19453 | 1 Kentico | 1 Xperience | 2025-12-20 | 8.8 High | Kentico CMS before 11.0.45 allows unrestricted upload of a file with a dangerous type. |
| CVE-2019-19493 | 1 Kentico | 1 Xperience | 2025-12-19 | 5.4 Medium | Kentico before 12.0.50 allows file uploads in which the Content-Type header is inconsistent with the file extension, leading to XSS. |
| CVE-2025-65474 | 1 Easyimages2.0 Project | 1 Easyimages2.0 | 2025-12-19 | 8.8 High | An arbitrary file rename vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via renaming a PHP file to an SVG format. |
| CVE-2012-10019 | 2 Scribu, Wordpress | 2 Front-end Editor, Wordpress | 2025-12-19 | 9.8 Critical | The Front End Editor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the upload.php file in versions before 2.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. |
| CVE-2024-58279 | 1 Apprain | 1 Apprain | 2025-12-19 | 8.8 High | appRain CMF 4.0.5 contains an authenticated remote code execution vulnerability that allows administrative users to upload malicious PHP files through the filemanager upload endpoint. Attackers can leverage authenticated access to generate a web shell with command execution capabilities by uploading a crafted PHP file to the site's uploads directory. |
| CVE-2023-53885 | 1 Webutler | 1 Webutler | 2025-12-19 | 7.2 High | Webutler v3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload PHP files with system command execution. Attackers can upload a PHAR file with embedded system commands to the media browser and execute arbitrary commands by accessing the uploaded file. |
| CVE-2025-65471 | 1 Easyimages2.0 Project | 1 Easyimages2.0 | 2025-12-19 | 8.8 High | An arbitrary file upload vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via uploading a crafted PHP file. |
| CVE-2025-68109 | 1 Churchcrm | 1 Churchcrm | 2025-12-18 | 9.1 Critical | ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue. |