CWE-434

Medium likelihood

Unrestricted Upload of File with Dangerous Type

Parent: CWE-669 - Incorrect Resource Transfer Between Spheres

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

4,102 vulnerabilities with CWE-434
CVE-2026-2164 HIGH
detronetdip E-commerce 1.0.0 - Unrestricted Upload
CVSS 7.3
CVE-2026-2146 MEDIUM
guchengwuyue yshopmall <1.9.1 - Unrestricted Upload
CVSS 6.3
CVE-2026-2133 HIGH
Online Music Site 1.0 - Unrestricted File Upload via AdminUpdateCategory.php txtimage Argument
CVSS 7.3
CVE-2026-2113 HIGH
yuan1994 tpadmin <1.3.12 - Deserialization
CVSS 7.3
CVE-2026-25056 HIGH
n8n < 1.118.0 - Authenticated Arbitrary File Write and Remote Code Execution via Merge Node SQL Query Mode
CVSS 8.8
CVE-2026-20098 HIGH
Cisco Meeting Management < 3.12.1 - Authenticated Arbitrary File Upload and Remote Code Execution
CVSS 8.8
CVE-2026-23704 MEDIUM
Movable Type 7-9.0.5 - Unauthenticated Arbitrary File Upload and Stored Cross-Site Scripting
CVSS 6.5
CVE-2026-1756 HIGH
WP FOFT Loader <= 2.1.39 - Authenticated Arbitrary File Upload via Incorrect File Type Validation
CVSS 8.8
CVE-2026-1791 LOW
Hillstone Networks Operation and Maintenance Security Gateway <V5.5...
CVSS 2.7
CVE-2026-1813 MEDIUM
bolo-blog bolo-solo <2.6.4 - Unrestricted Upload
CVSS 6.3
CVE-2026-25510 CRITICAL
Ci4-cms-erp Ci4ms < 0.28.5.0 - Code Injection
CVSS 9.9
CVE-2026-24673 MEDIUM
Open eClass <4.2 - File Upload Validation Bypass
CVSS 4.3
CVE-2026-1730 HIGH
OS DataHub Maps <1.8.3 - File Upload
CVSS 8.8
CVE-2026-1065 HIGH
The Form Maker by 10Web - WordPress <1.15.35 - XSS
CVSS 7.2
CVE-2026-25201 HIGH
MagicINFO 9 Server <21.1090.1 - RCE
CVSS 8.8
CVE-2026-25200 CRITICAL
MagicINFO 9 Server <21.1090.1 - XSS
CVSS 9.8
CVE-2026-1742 MEDIUM
EFM ipTIME A8004T <14.18.2 - Unrestricted Upload
CVSS 4.7
CVE-2026-24729 CRITICAL
Interinfo DreamMaker <2025/10/22 - RCE
CVE-2026-24897 CRITICAL
erugo <= 0.2.14 - Authenticated Path Traversal and Remote Code Execution via Share Creation
CVSS 10.0
CVE-2026-24769 CRITICAL
NocoDB < 0.301.0 - Authenticated Stored Cross-Site Scripting via SVG Attachment Upload
CVSS 9.0
CVE-2026-1400 HIGH
AI Engine WordPress <= 3.3.2 - Authenticated Arbitrary File Upload
CVSS 7.2
CVE-2026-24815 CRITICAL
datavane tis <4.3.0 - Deserialization
CVE-2026-1445 MEDIUM
iJason-Liu Books_Manager <298ba736387ca37810466349af13a0fdf828e99c ...
CVSS 4.7
CVE-2026-1424 MEDIUM
PHPGurukul News Portal 1.0 - Unrestricted File Upload in Profile Pic Handler
CVSS 4.7
CVE-2026-1423 MEDIUM
Online Examination System 1.0 - Unauthenticated Arbitrary File Upload via /admin_pic.php
CVSS 6.3