CWE-434

Medium exploit likelihood

Unrestricted Upload of File with Dangerous Type

Parent: CWE-669 - Incorrect Resource Transfer Between Spheres

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

4,009 vulnerabilities with CWE-434
CVE-2026-7578 MEDIUM
MacCMS Pro Plugin Installation add.html install unrestricted upload
CVSS 4.7
CVE-2026-7393 MEDIUM
SourceCodester Pizzafy Ecommerce System File Extension admin_class_novo.php save_menu unrestricted upload
CVSS 4.7
CVE-2026-38991 HIGH
Cockpit <=2.13.5 - Authenticated RCE
CVSS 8.8
CVE-2026-7238 MEDIUM
code-projects Online Music Site AdminUpdateAlbum.php unrestricted upload
CVSS 4.7
CVE-2026-7134 MEDIUM
code-projects Online Lot Reservation System edithousepic.php unrestricted upload
CVSS 4.7
CVE-2026-7133 MEDIUM
code-projects Online Lot Reservation System activity.php unrestricted upload
CVSS 4.7
CVE-2026-7107 MEDIUM
code-projects Invoice System in Laravel company unrestricted upload
CVSS 6.3
CVE-2026-7044 MEDIUM
GreenCMS index.php themeadd unrestricted upload
CVSS 6.3
CVE-2026-7043 MEDIUM
GreenCMS index.php pluginAddLocal unrestricted upload
CVSS 6.3
CVE-2026-5364 HIGH
Drag and Drop File Upload for Contact Form 7 <= 1.1.3 - Unauthenticated Arbitrary File Upload via sanitize_file_name Bypass
CVSS 8.1
CVE-2026-41269 HIGH
Flowise: File Upload Validation Bypass in createAttachment
CVSS 7.1
CVE-2026-6885 CRITICAL
BorG Technology Corporation|Borg SPM 2007 - Arbitrary File Upload
CVSS 9.8
CVE-2026-3844 CRITICAL
Breeze Cache <= 2.4.4 - Unauthenticated Arbitrary File Upload via fetch_gravatar_from_remote
CVSS 9.8
CVE-2026-6835 MEDIUM
aEnrich|a+HCM - Arbitrary File Upload
CVSS 6.1
CVE-2026-37748 HIGH
Visitor Management System 1.0 - RCE
CVSS 7.2
CVE-2026-6257 CRITICAL
Vvveb CMS v1.0.8 Remote Code Execution via Media Management
CVSS 9.1
CVE-2026-6249 HIGH
Vvveb CMS 1.0.8 Remote Code Execution via Media Upload
CVSS 8.8
CVE-2026-40488 HIGH
OpenMage LTS has Customer File Upload Extension Blocklist Bypass that Leads to Remote Code Execution
CVSS 8.8
CVE-2026-6650 MEDIUM
Z-BlogPHP ZBA File app_upload.php UnPack unrestricted upload
CVSS 4.7
CVE-2026-3219 MEDIUM
pip doesn't reject concatenated ZIP and tar archives
CVE-2026-6602 HIGH
rickxy Hospital Management System his_admin_account.php unrestricted upload
CVSS 7.3
CVE-2026-6596 HIGH
langflow-ai langflow API Endpoint endpoints.py create_upload_file unrestricted upload
CVSS 7.3
CVE-2026-6561 MEDIUM
EyouCMS Index.php edit_adminlogo unrestricted upload
CVSS 4.7
CVE-2026-6518 HIGH
Cmp – Coming Soon & Maintenance Plugin BY NiteoThemes < 4.1.16 - Remote Code Execution
CVSS 8.8
CVE-2026-40487 HIGH
Postiz Has Unrestricted File Upload via MIME Type Spoofing that Leads to Stored XSS
CVSS 8.9