CWE-434

Medium likelihood

Unrestricted Upload of File with Dangerous Type

Parent: CWE-669 - Incorrect Resource Transfer Between Spheres

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
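The pattern behind most of the entries listed on this page is an upload handler that keeps the client-supplied file name (and therefore its extension) and writes it somewhere the web server will serve or execute it. The following is an added example, not code from the CWE entry or from any of the products listed below. It shows that vulnerable pattern next to a hardened handler in Python; the directory paths and the magic-byte table are assumptions chosen for the example.

```python
import os
import re
import secrets

# Allow-list of the extensions the application actually needs, each mapped to the
# leading bytes a genuine file of that type starts with (constructed table for
# this example; extend it only with types the application must accept).
ALLOWED = {
    "png":  b"\x89PNG\r\n\x1a\n",
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif":  b"GIF8",
}
SAFE_STEM = re.compile(r"[a-z0-9_-]{1,64}")

# Hypothetical paths: the vulnerable handler writes under the web root, the
# hardened one into a directory the web server never serves or executes from.
WEBROOT_UPLOADS = "/var/www/html/uploads"
PRIVATE_STORE = "/srv/app-data/uploads"


def unsafe_destination(upload_name: str) -> str:
    """The CWE-434 pattern: trust the client-supplied name, keep whatever
    extension it carries, and place the file where the server will execute it.
    A name such as 'shell.php' (or '../shell.php') lands inside the web root."""
    return os.path.join(WEBROOT_UPLOADS, upload_name)


def validate_upload(upload_name: str, content: bytes):
    """Hardened handler. Returns (accepted, reason, destination_path).

    Checks, in order: drop any directory component; require exactly one
    extension (rejects shell.php.png and dotfiles such as .htaccess); the
    extension must be on the allow-list; the stem must be plain ASCII; the
    content must start with the magic bytes for that type. The file is then
    stored under a random server-chosen name outside the web root, so the
    original name never reaches the file system.
    """
    base = os.path.basename(upload_name.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) != 2:
        return False, "expected exactly one extension", None
    stem, ext = parts
    if ext not in ALLOWED:
        return False, f"extension .{ext} is not allowed", None
    if not SAFE_STEM.fullmatch(stem):
        return False, "unsafe file name", None
    if not content.startswith(ALLOWED[ext]):
        return False, f"content does not look like a {ext} file", None
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", os.path.join(PRIVATE_STORE, stored)


if __name__ == "__main__":
    # Constructed sample uploads: a PHP web shell, a double-extension variant,
    # a config dotfile, PHP hidden behind an image extension, and a real PNG
    # header with a traversal prefix.
    samples = [
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
        (".htaccess", b"AddType application/x-httpd-php .png\n"),
        ("pic.png", b"<?php phpinfo(); ?>"),
        ("../../Logo.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, data in samples:
        print(f"unsafe -> {unsafe_destination(name)}")
        print(f"hardened -> {validate_upload(name, data)}")
```

The magic-byte check alone does not stop a polyglot (a valid PNG that also carries PHP), which is why the random, server-chosen name and the non-executing store directory do the real work: even a polyglot is written as a `.png` that no interpreter will ever run. Note also that SVG is deliberately absent from the allow-list; it is text that browsers render with script enabled, which is the stored XSS vector seen in one of the entries below.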

4,104 vulnerabilities with CWE-434
CVE-2025-66255 CRITICAL
DB Electronica Telecomunicazioni Mozart FM Transmitter - Unauthenticated Arbitrary File Upload via upgrade_contents.php
CVSS 9.8
CVE-2025-66250 CRITICAL
DB Electronica Telecomunicazioni Mozart FM Transmitter - Unauthenticated Arbitrary File Upload via status_contents.php
CVSS 9.8
CVE-2025-13597 CRITICAL
AI Feeds <= 1.0.11 - Unauthenticated Arbitrary File Upload via actualizador_git.php
CVSS 9.8
CVE-2025-13595 CRITICAL
CIBELES AI <= 1.10.8 - Unauthenticated Arbitrary File Upload via actualizador_git.php
CVSS 9.8
CVE-2025-13376 HIGH
ProjectList plugin <0.3.0 - File Upload
CVSS 7.2
CVE-2025-13574 MEDIUM
Online Bidding System 1.0 - Unrestricted File Upload via catimage Parameter in categoryadd Function
CVSS 4.7
CVE-2025-13573 MEDIUM
projectworlds advanced_library_management_system 1.0 - Unrestricted File Upload via /add_book.php Image Parameter
CVSS 6.3
CVE-2025-13544 MEDIUM
ashraf-kabir travel-agency < 2025-07-05 - Unrestricted File Upload via /customer_register.php
CVSS 6.3
CVE-2025-12973 HIGH
S2B AI Assistant for WordPress - Arbitrary File Upload
CVSS 7.2
CVE-2025-13156 HIGH
Vitepos - Point of Sale (POS) for WooCommerce plugin <= 3.3.0 - Arbitrary File Upload
CVSS 8.8
CVE-2025-12138 HIGH
URL Image Importer plugin <1.0.6 - File Upload
CVSS 8.8
CVE-2025-11456 CRITICAL
Elula Wsdesk < 3.3.2 - Unrestricted File Upload
CVSS 9.8
CVE-2025-0645 HIGH
Pyxis Signage <31012025 - Unrestricted Upload of File with Dangerou...
CVSS 7.2
CVE-2025-13423 MEDIUM
Campcodes Retro Basketball Shoes Online Store 1.0 - Unrestricted File Upload via product_image Argument
CVSS 4.7
CVE-2025-13411 MEDIUM
Campcodes Retro Basketball Shoes Online Store 1.0 - Unrestricted File Upload via product_image Argument
CVSS 4.7
CVE-2025-64759 HIGH
homarr < 1.43.3 - Stored Cross-Site Scripting via Malicious SVG File Upload
CVSS 8.1
CVE-2025-34336 MEDIUM
egovframe-common-components <4.3.1 - Unauthenticated File Upload
CVE-2025-34330 MEDIUM
AudioCodes Fax Server and Auto-Attendant IVR <= 2.6.23 - Unauthenticated File Upload
CVSS 5.3
CVE-2025-34329 CRITICAL
AudioCodes Fax Server and Auto-Attendant IVR <= 2.6.23 - Unauthenticated Remote Code Execution via Backup Upload
CVSS 9.8
CVE-2025-34328 CRITICAL
AudioCodes Fax Server and Auto-Attendant IVR <= 2.6.23 - Unauthenticated Arbitrary File Write via ajaxScript.php
CVSS 9.8
CVE-2025-12057 CRITICAL
WavePlayer WP <3.8.0 - Unauthenticated RCE
CVSS 9.8
CVE-2025-63228 CRITICAL
DB Broadcast Mozart FM Transmitter WEBMOZZI-00287 - Unauthenticated File Upload Code Execution
CVSS 9.8
CVE-2025-63227 HIGH
DB Broadcast Mozart FM Transmitter WEBMOZZI-00287 - Authenticated Patch File Upload Code Execution
CVSS 7.2
CVE-2025-63994 CRITICAL
RichFilemanager 2.7.6 - Arbitrary File Upload via UploadHandler.php
CVSS 9.8
CVE-2025-63695 CRITICAL
dzzoffice < 2.3.7 - Arbitrary File Upload via UEditor Controller
CVSS 9.8