CWE-434
Medium likelihood
Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
4,100 vulnerabilities with CWE-434
CVE-2026-40772
CRITICAL
WordPress GeekyBot plugin <= 1.2.2 - Arbitrary File Upload vulnerability
CVSS 10.0
CVE-2026-39591
CRITICAL
WordPress WP-BusinessDirectory plugin <= 4.0.0 - Arbitrary File Upload vulnerability
CVSS 9.9
CVE-2026-39527
MEDIUM
WordPress WpStream plugin < 4.11.2 - Arbitrary File Upload vulnerability
CVSS 5.4
CVE-2026-5482
CRITICAL
Remote Code Execution via Unrestricted File Upload in Responsive FileManager
CVE-2026-34027
MEDIUM
Wertheim SafeController 6.15.8328.28014 - Authenticated Arbitrary File Upload
CVE-2026-53724
LOW
Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
CVE-2026-6211
HIGH
Arbitrary File Upload in Global IT's WEOLL
CVSS 8.7
CVE-2026-53787
CRITICAL
Amasty Order Attributes for Magento 2 < 4.0.0 Unauthenticated Arbitrary File Upload
CVSS 9.8
CVE-2026-46489
HIGH
SolidInvoice: Unrestricted file upload with no MIME validation allows stored XSS via malicious SVG logo
CVSS 8.1
CVE-2026-11839
CRITICAL
Arbitrary File Upload in Basarsoft's Rotaban
CVSS 9.9
CVE-2026-7852
CRITICAL
Unrestricted File Upload in Limatek's LimRAD NAC
CVSS 9.8
CVE-2026-9067
CRITICAL
Schema & Structured Data for WP & AMP < 1.60 - Unauthenticated Arbitrary Media Upload
CVSS 9.1
CVE-2026-36722
MEDIUM
bookcars 8.3 - Authenticated Arbitrary File Upload and Remote Code Execution via /api/create-car-image
CVSS 5.4
CVE-2026-34031
MEDIUM
Apache Answer: The custom avatar was not properly validated
CVSS 6.5
CVE-2026-33582
MEDIUM
Apache Answer: Uploading specially crafted TIFF files causes an Out-of-Memory error
CVSS 6.5
CVE-2026-11621
MEDIUM
Dcat-Admin User Setting upload editorMDUpload unrestricted upload
CVSS 4.7
CVE-2026-11474
HIGH
Kushan2k student-management-system Registration Endpoint RegisterService.php unrestricted upload
CVSS 7.3
CVE-2026-7537
HIGH
MDJM Event Management <= 1.7.8.3 - Authenticated (Administrator+) Arbitrary File Upload via 'mdjm_email_upload_file' Parameter
CVSS 7.2
CVE-2026-46400
HIGH
HAX CMS PHP 11.0.6-24.x File Upload - Validation Bypass
CVE-2026-11419
CRITICAL
Path Traversal in Altium Enterprise Server Vault UploadController Allows Arbitrary File Write
CVE-2026-5411
HIGH
WP Captcha PRO <= 5.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload
CVSS 8.8
CVE-2026-46392
HIGH
HAX CMS PHP <26.0.0 HTML Upload Validation - Stored Cross-Site Scripting
CVSS 8.7
CVE-2026-11344
HIGH
code-projects Vehicle Management System New Driver Registration Form newdriver.php unrestricted upload
CVSS 7.3
CVE-2026-11333
MEDIUM
tittuvarghese CollegeManagementSystem Student Data Upload Endpoint upload_student_data.php unrestricted upload
CVSS 6.3
CVE-2026-42538
MEDIUM
IRIS <2.4.28 - Insecure File Upload
CVSS 6.3
Details
Vulnerabilities: 4,100
Exploit Likelihood: Medium