CWE-434

Exploit likelihood: Medium

Unrestricted Upload of File with Dangerous Type

Parent: CWE-669 - Incorrect Resource Transfer Between Spheres

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

4,009 vulnerabilities with CWE-434
CVE-2026-40484 (CRITICAL, CVSS 9.1): ChurchCRM: Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function
CVE-2026-5718 (HIGH, CVSS 8.1): Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass
CVE-2026-6489 (MEDIUM, CVSS 6.3): QueryMine sms Background Management addteacher.php unrestricted upload
CVE-2026-40262 (HIGH, CVSS 8.7): Note Mark has Stored XSS via Unrestricted Asset Upload
CVE-2026-33435 (HIGH, CVSS 8.0): Weblate: Remote code execution during backup restoration
CVE-2026-1555 (CRITICAL, CVSS 9.8): WebStack <= 1.2024 - Unauthenticated Arbitrary File Upload
CVE-2026-38526 (CRITICAL, CVSS 9.9): Webkul Krayin CRM 2.2.x - Authenticated RCE
CVE-2026-40040 (HIGH, CVSS 8.8): Pachno 1.0.6 Unrestricted File Upload Remote Code Execution
CVE-2026-30804 (HIGH, CVSS 7.2): Unrestricted File Upload in Extension Uploader leads to Remote Code Execution
CVE-2026-33704 (HIGH, CVSS 7.1): Chamilo LMS Affected by Authenticated Arbitrary File Write via BigUpload endpoint
CVE-2026-32931 (HIGH, CVSS 7.5): Chamilo LMS has Arbitrary File Upload via MIME-Only Validation in Exercise Sound Upload Leads to RCE
CVE-2026-2942 (CRITICAL, CVSS 9.8): ProSolution WP Client <= 1.9.9 - Unauthenticated Arbitrary File Upload via proSol_fileUploadProcess
CVE-2026-4808 (HIGH, CVSS 7.2): Gerador de Certificados – DevApps <= 1.3.6 - Authenticated (Administrator+) Arbitrary File Upload
CVE-2026-3535 (CRITICAL, CVSS 9.8): DSGVO Google Web Fonts GDPR <= 1.1 - Unauthenticated Arbitrary File Upload via 'fonturl' Parameter
CVE-2026-33273 (HIGH, CVSS 7.2): ICZ Corporation Matcha Invoice < 2.6.6 and earlier - Unrestricted File Upload
CVE-2026-35573 (CRITICAL, CVSS 9.1): ChurchCRM has a Path traversal leads to RCE
CVE-2026-0740 (CRITICAL, CVSS 9.8): Ninja Forms - File Upload <= 3.3.26 - Unauthenticated Arbitrary File Upload
CVE-2026-35174 (CRITICAL, CVSS 9.1): Chyrp Lite has a Path Traversal to Remote Code Execution
CVE-2026-35164 (HIGH, CVSS 8.8): Brave CMS Affected by Unrestricted File Upload via CKEditor Endpoint
CVE-2026-35047 (CRITICAL, CVSS 9.8): Brave CMS has Unrestricted File Upload in BraveCMS via CKEditor Endpoint
CVE-2026-5670 (MEDIUM, CVSS 6.3): Cyber-III Student-Management-System upload.php move_uploaded_file unrestricted upload
CVE-2026-5704 (MEDIUM, CVSS 5.0): Tar: tar: hidden file injection via crafted archives
CVE-2026-5576 (MEDIUM, CVSS 4.7): SourceCodester/jkev Record Management System Add Employee save_emp.php unrestricted upload
CVE-2026-5573 (HIGH, CVSS 7.3): Technostrobe HI-LED-WR120-G2 fs unrestricted upload
CVE-2026-5546 (MEDIUM, CVSS 6.3): Campcodes Complete Online Learning Management System Crud_model.php add_lesson unrestricted upload