CWE-434

Exploit likelihood: Medium

Unrestricted Upload of File with Dangerous Type

Parent: CWE-669 - Incorrect Resource Transfer Between Spheres

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

4,104 vulnerabilities with CWE-434
CVE-2025-11426 MEDIUM
Advanced Library Management System 1.0 - Unrestricted Upload
CVSS 6.3
CVE-2025-11417 MEDIUM
Campcodes Advanced Online Voting Management System 1.0 - Unrestricted File Upload via Voters Add Photo Argument
CVSS 6.3
CVE-2025-11398 MEDIUM
Hotel and Lodge Management System 1.0 - Unrestricted File Upload via Profile Image Parameter
CVSS 6.3
CVE-2025-11354 MEDIUM
Online Hotel Reservation System 1.0 - Unrestricted File Upload via Image Parameter
CVSS 6.3
CVE-2025-11353 MEDIUM
Online Hotel Reservation System 1.0 - Unrestricted File Upload via Image Parameter
CVSS 6.3
CVE-2025-11352 MEDIUM
Online Hotel Reservation System 1.0 - Unrestricted File Upload via Image Argument
CVSS 6.3
CVE-2025-11351 MEDIUM
Online Hotel Reservation System 1.0 - Unrestricted File Upload via Image Parameter
CVSS 6.3
CVE-2025-11347 HIGH
code-projects Student Crud Operation <3.3 - Unrestricted Upload
CVSS 7.3
CVE-2025-61768 MEDIUM
KUNO CMS < 1.3.15 - Authenticated Server-Side Request Forgery via SVG File Upload
CVE-2025-61687 HIGH
Flowise 3.0.7 - Authenticated Arbitrary File Upload and Persistent Web Shell Storage
CVSS 8.3
CVE-2025-11320 MEDIUM
zhuimengshaonian wisdom-education <1.0.4 - Unrestricted Upload
CVSS 6.3
CVE-2025-11318 HIGH
Tipray Data Leakage Prevention System 1.0 - Unrestricted Upload
CVSS 7.3
CVE-2025-61681 MEDIUM
KUNO CMS < 1.3.14 - Stored Cross-Site Scripting via SVG File Upload
CVSS 5.4
CVE-2025-9561 HIGH
AP Background 3.8.1-3.8.2 - Authenticated Arbitrary File Upload via advParallaxBackAdminSaveSlider Handler
CVSS 8.8
CVE-2025-9212 HIGH
WP Dispatcher <= 1.2.0 - Authenticated Arbitrary File Upload via wp_dispatcher_process_upload()
CVSS 7.5
CVE-2025-59835 HIGH
LangBot <4.3.5 - Privilege Escalation
CVE-2025-11221 HIGH
GTONE ChangeFlow <9.0.1.1 - Path Traversal
CVSS 8.8
CVE-2025-11020 HIGH
MarkAny SafePC Enterprise <7.0.1 - SQL Injection
CVSS 8.8
CVE-2025-56515 HIGH
Fiora 1.0.0 - Stored Cross-Site Scripting via Malicious SVG Avatar Upload
CVSS 8.8
CVE-2025-8120 CRITICAL
widzialni pad_cms < 1.2.1 - Unauthenticated Remote Code Execution via Unrestricted File Upload
CVSS 9.8
CVE-2025-7065 CRITICAL
widzialni pad_cms < 1.2.1 - Unauthenticated Remote Code Execution via Photo Upload Permission Bypass
CVSS 9.8
CVE-2025-7063 CRITICAL
widzialni pad_cms < 1.2.1 - Unauthenticated Remote Code Execution via File Upload Permission Bypass
CVSS 9.8
CVE-2025-10000 MEDIUM
Qyrr WordPress Plugin <=2.0.7 - Contributor Arbitrary File Upload
CVSS 6.4
CVE-2025-34222 CRITICAL
Vasion Print Virtual Appliance Host < 22.0.1049 and Application < 20.0.2786 - Unauthenticated Admin API Access
CVSS 9.1
CVE-2025-35032 LOW
Medical Informatics Engineering Enterprise Health - Authenticated Unrestricted Upload of File with Dangerous Type
CVSS 3.4