ReportizFlow
Filtered by vendor
Subscriptions
Total
3574 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-34511 | 1 Sitecore | 4 Experience Commerce, Experience Manager, Experience Platform and 1 more | 2025-11-29 | 8.8 High |
| Sitecore PowerShell Extensions, an add-on to Sitecore Experience Manager (XM) and Experience Platform (XP), through version 7.0 is vulnerable to an unrestricted file upload issue. A remote, authenticated attacker can upload arbitrary files to the server using crafted HTTP requests, resulting in remote code execution. | ||||
| CVE-2025-66250 | 1 Dbbroadcast | 1 Mozart Fm Transmitter | 2025-11-29 | N/A |
| Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Allows unauthenticated arbitrary file upload via /var/tdf/status_contents.php. | ||||
| CVE-2025-66256 | 1 Dbbroadcast | 1 Mozart Fm Transmitter | 2025-11-29 | N/A |
| Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Unrestricted file upload in patch_contents.php allows uploading malicious files. The `/var/tdf/patch_contents.php` endpoint allows unauthenticated arbitrary file uploads without file type validation, MIME checking, or size restrictions beyond 16MB, enabling attackers to upload malicious files. | ||||
| CVE-2013-10044 | 2 Open-emr, Openemr | 2 Openemr, Openemr | 2025-11-29 | 8.8 High |
| An authenticated SQL injection vulnerability exists in OpenEMR ≤ 4.1.1 Patch 14 that allows a low-privileged attacker to extract administrator credentials and subsequently escalate privileges. Once elevated, the attacker can exploit an unrestricted file upload flaw to achieve remote code execution, resulting in full compromise of the application and its host system. | ||||
| CVE-2025-34111 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2025-11-28 | 9.8 Critical |
| An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/. | ||||
| CVE-2025-51736 | 2025-11-28 | 6.3 Medium | ||
| File upload vulnerability in HCL Technologies Ltd. Unica 12.0.0. | ||||
| CVE-2025-13536 | 2 Blubrry, Wordpress | 3 Powerpress, Powerpress Podcasting, Wordpress | 2025-11-28 | 8.8 High |
| The Blubrry PowerPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 11.15.2. This is due to the plugin validating file extensions but not halting execution when validation fails in the 'powerpress_edit_post' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-13595 | 1 Wordpress | 1 Wordpress | 2025-11-27 | 9.8 Critical |
| The CIBELES AI plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.10.8. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-13597 | 1 Wordpress | 1 Wordpress | 2025-11-27 | 9.8 Critical |
| The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-11456 | 3 Elextensions, Elula, Wordpress | 4 Elex Wordpress Plugin, Wsdesk, Wordpress and 1 more | 2025-11-26 | 9.8 Critical |
| The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the eh_crm_new_ticket_post() function in all versions up to, and including, 3.3.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-63748 | 2 Qatraq, Testmanagement | 2 Qatraq, Qatraq | 2025-11-26 | 8.8 High |
| QaTraq 6.9.2 allows authenticated users to upload arbitrary files via the "Add Attachment" feature in the "Test Script" module. The application fails to restrict file types, enabling the upload of executable PHP files. Once uploaded, the file can be accessed through the "View Attachment" option, which executes the PHP payload on the server. | ||||
| CVE-2025-24862 | 1 Intel | 2 Cip Software, Computing Improvement Program | 2025-11-26 | 2 Low |
| Unrestricted upload of file with dangerous type for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with a privileged user combined with a high complexity attack may enable data manipulation. This result may potentially occur via network access when attack requirements are present with special internal knowledge and requires passive user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | ||||
| CVE-2025-58963 | 1 Wordpress | 1 Wordpress | 2025-11-26 | 9.8 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in 7oroof Medcity medcity allows Upload a Web Shell to a Web Server.This issue affects Medcity: from n/a through < 1.1.9. | ||||
| CVE-2025-7063 | 2 Pad, Widzialni | 2 Pad Cms, Pad Cms | 2025-11-26 | 9.8 Critical |
| Due to client-controlled permission check parameter, PAD CMS's file upload functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed leading to Remote Code Execution. This issue affects all 3 templates: www, bip and ww+bip. This product is End-Of-Life and producent will not publish patches for this vulnerability. | ||||
| CVE-2025-7065 | 2 Pad, Widzialni | 2 Pad Cms, Pad Cms | 2025-11-26 | 9.8 Critical |
| Due to client-controlled permission check parameter, PAD CMS's photo upload functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed leading to Remote Code Execution. This issue affects all 3 templates: www, bip and ww+bip. This product is End-Of-Life and producent will not publish patches for this vulnerability. | ||||
| CVE-2025-8120 | 2 Pad, Widzialni | 2 Pad Cms, Pad Cms | 2025-11-26 | 9.8 Critical |
| Due to client-controlled permission check parameter, PAD CMS's upload photo functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed leading to Remote Code Execution.This issue affects all 3 templates: www, bip and ww+bip. This product is End-Of-Life and producent will not publish patches for this vulnerability. | ||||
| CVE-2025-13376 | 1 Wordpress | 1 Wordpress | 2025-11-26 | 7.2 High |
| The ProjectList plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.3.0. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-13573 | 1 Projectworlds | 1 Can Pass Malicious Payloads | 2025-11-26 | 6.3 Medium |
| A security flaw has been discovered in projectworlds can pass malicious payloads up to 1.0. This vulnerability affects unknown code of the file /add_book.php. The manipulation of the argument image results in unrestricted upload. The attack can be executed remotely. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-13544 | 1 Ashraf-kabir | 1 Travel-agency | 2025-11-26 | 6.3 Medium |
| A weakness has been identified in ashraf-kabir travel-agency up to 1f25aa03544bc5fb7a9e846f8a7879cecdb0cad3. Affected is an unknown function of the file /customer_register.php. Executing manipulation can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-12973 | 2 Oc3dots, Wordpress | 2 S2b Ai Assistant, Wordpress | 2025-11-26 | 7.2 High |
| The S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeFile() function in all versions up to, and including, 1.7.8. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||