Total
3927 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-7694 | 1 Teamt5 | 1 Threatsonar Anti-ransomware | 2026-02-18 | N/A | 7.2 HIGH |
| ThreatSonar Anti-Ransomware from TeamT5 does not properly validate the content of uploaded files. Remote attackers with administrator privileges on the product platform can upload malicious files, which can be used to execute arbitrary system command on the server. | |||||
| CVE-2026-1331 | 1 Hamastar | 1 Meetinghub Paperless Meetings | 2026-02-17 | N/A | 9.8 CRITICAL |
| MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | |||||
| CVE-2026-2146 | 1 Guchengwuyue | 1 Yshopmall | 2026-02-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2023-33498 | 1 Alistgo | 1 Alist | 2026-02-13 | N/A | 8.8 HIGH |
| alist <=3.16.3 is vulnerable to Incorrect Access Control. Low privilege accounts can upload any file. | |||||
| CVE-2022-45968 | 1 Alistgo | 1 Alist | 2026-02-13 | N/A | 8.8 HIGH |
| Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one). | |||||
| CVE-2026-2097 | 1 Flowring | 1 Agentflow | 2026-02-13 | N/A | 8.8 HIGH |
| Agentflow developed by Flowring has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | |||||
| CVE-2025-14014 | 2026-02-13 | N/A | 9.8 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in NTN Information Processing Services Computer Software Hardware Industry and Trade Ltd. Co. Smart Panel allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Smart Panel: before 20251215. | |||||
| CVE-2026-1458 | 1 Gitlab | 1 Gitlab | 2026-02-12 | N/A | 6.5 MEDIUM |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service by uploading malicious files. | |||||
| CVE-2020-37113 | 1 Gunet | 1 Open Eclass Platform | 2026-02-12 | N/A | 8.8 HIGH |
| GUnet OpenEclass 1.7.3 allows authenticated users to bypass file extension restrictions when uploading files. By renaming a PHP file to .php3 or .PhP, an attacker can upload a web shell and execute arbitrary code on the server. This vulnerability enables remote code execution by bypassing the intended file type checks in the exercise submission feature. | |||||
| CVE-2025-61506 | 1 Mediacrush | 1 Mediacrush | 2026-02-11 | N/A | 9.8 CRITICAL |
| An issue was discovered in MediaCrush thru 1.0.1 allowing remote unauthenticated attackers to upload arbitrary files of any size to the /upload endpoint. | |||||
| CVE-2025-65875 | 1 Fpdf | 1 Fpdf | 2026-02-11 | N/A | 8.8 HIGH |
| An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file. | |||||
| CVE-2025-69906 | 1 Monstra | 1 Monstra Cms | 2026-02-11 | N/A | 8.8 HIGH |
| Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution. | |||||
| CVE-2025-69981 | 1 Frangoteam | 1 Fuxa | 2026-02-11 | N/A | 9.8 CRITICAL |
| FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code. | |||||
| CVE-2025-70849 | 1 Stefanprodan | 1 Podinfo | 2026-02-11 | N/A | 6.1 MEDIUM |
| Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy (CSP) or adequate Content-Type validation, leading to Stored Cross-Site Scripting (XSS). | |||||
| CVE-2026-1357 | 2026-02-11 | N/A | 9.8 CRITICAL | ||
| The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter. | |||||
| CVE-2026-25510 | 1 Ci4-cms-erp | 1 Ci4ms | 2026-02-10 | N/A | 9.9 CRITICAL |
| CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0. | |||||
| CVE-2026-24673 | 1 Gunet | 1 Open Eclass Platform | 2026-02-10 | N/A | 4.3 MEDIUM |
| The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a file upload validation bypass vulnerability allows attackers to upload files with prohibited extensions by embedding them inside ZIP archives and extracting them using the application’s built-in decompression functionality. This issue has been patched in version 4.2. | |||||
| CVE-2020-37090 | 1 Arox | 1 School Erp Pro | 2026-02-10 | N/A | 9.8 CRITICAL |
| School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server. | |||||
| CVE-2020-37084 | 1 Arox | 1 School Erp Pro | 2026-02-10 | N/A | 7.2 HIGH |
| School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper file validation in pre-editstudent.inc.php to execute arbitrary code on the server. | |||||
| CVE-2026-2213 | 1 Fabian | 1 Online Music Site | 2026-02-10 | 5.8 MEDIUM | 4.7 MEDIUM |
| A security flaw has been discovered in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /Administrator/PHP/AdminAddAlbum.php. The manipulation of the argument txtimage results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. | |||||