CWE-434

Medium likelihood

Unrestricted Upload of File with Dangerous Type

Parent: CWE-669 - Incorrect Resource Transfer Between Spheres

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

4,103 vulnerabilities with CWE-434
CVE | Severity | CVSS | Title
CVE-2025-14632 | MEDIUM | 4.4 | Filr - Secure document library <= 1.2.11 - Authenticated Stored Cross-Site Scripting via Unrestricted File Upload
CVE-2025-14894 | CRITICAL | 9.8 | livewire-filemanager/filemanager < 1.0.0 - Unauthenticated Remote Code Execution via Unrestricted File Upload
CVE-2025-12957 | HIGH | 8.8 | All-in-One Video Gallery <4.5.7 - RCE
CVE-2025-67079 | CRITICAL | 9.8 | agora-project < 25.10 - Remote Code Execution via Crafted PDF Upload to Imagick MSL Engine
CVE-2025-67077 | HIGH | 8.8 | agora-project < 25.10 - Unrestricted File Upload via UploadTmpFile Action
CVE-2025-13062 | HIGH | 8.8 | Supreme Modules Lite < 2.5.62 - Authenticated Arbitrary File Upload via Double Extension Bypass
CVE-2025-37175 | HIGH | 7.2 | Mobility Conductor - Privilege Escalation
CVE-2025-62182 | MEDIUM | | Pega Customer Service Framework <25.1.0 - File Upload
CVE-2025-65783 | CRITICAL | 9.8 | Hubert Imoveis e Administracao Ltda Hub v2.0-1.27.3 - RCE
CVE-2025-66802 | CRITICAL | 9.8 | Sourcecodester Covid-19 Contact Tracing System 1.0 - RCE
CVE-2025-46068 | HIGH | 8.8 | Automai Director 25.2.0 - Remote Code Execution via Update Mechanism
CVE-2025-15503 | HIGH | 7.3 | Sangfor O&M Security Management System <=3.0.8 - Unrestricted File Upload via common.jsp
CVE-2025-15495 | MEDIUM | 4.7 | BiggiDroid Simple PHP CMS 1.0 - Unrestricted File Upload via Image Parameter in /admin/editsite.php
CVE-2025-67325 | CRITICAL | 9.8 | QloApps < 1.7.0 - Unauthenticated Remote Code Execution via Hotel Review File Upload
CVE-2025-67924 | CRITICAL | 9.9 | zozothemes Corpkit <= 2.0 - Unrestricted Upload of File with Dangerous Type
CVE-2025-67910 | CRITICAL | 9.1 | Contentstudio <= 1.3.7 - Unauthenticated Arbitrary File Upload
CVE-2025-66837 | MEDIUM | 6.8 | ARIS < 10.0.23.0.3587512 - Remote Code Execution via Crafted PDF Upload
CVE-2025-15158 | HIGH | 8.8 | WP Enable WebP <= 1.0 - Authenticated Arbitrary File Upload via wpse_file_and_ext_webp Function
CVE-2025-14842 | MEDIUM | 6.1 | Contact Form 7 <= 1.3.9.2 - Unauthenticated Arbitrary File Upload
CVE-2025-30996 | CRITICAL | 9.9 | Themify WordPress Themes - Arbitrary File Upload
CVE-2025-31048 | CRITICAL | 9.9 | Themify Shopo <= 1.1.4 - Arbitrary File Upload
CVE-2025-15240 | HIGH | 8.8 | QOCA aim < 2.7.6 - Authenticated Arbitrary File Upload and Remote Code Execution
CVE-2025-15448 | MEDIUM | 6.3 | cld378632668 JavaMall <994f1e2b019378ec9444cdf3fce2d5b5f72d28f0 - U...
CVE-2025-15426 | HIGH | 7.3 | H-ui.admin <3.1 - Unrestricted Upload
CVE-2025-15423 | MEDIUM | 6.3 | EmpireCMS < 8.0 - Unrestricted File Upload via CheckSaveTranFiletype Function