CWE-434

Medium likelihood

Unrestricted Upload of File with Dangerous Type

Parent: CWE-669 - Incorrect Resource Transfer Between Spheres

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

4,101 vulnerabilities with CWE-434
CVE-2026-45444 CRITICAL
WordPress Gift Cards For WooCommerce Pro plugin <= 4.2.6 - Arbitrary File Upload vulnerability
CVSS 10.0
CVE-2026-6555 CRITICAL
ProSolution WP Client <= 2.0.0 - Unauthenticated Arbitrary File Upload via 'files'
CVSS 9.8
CVE-2026-4883 CRITICAL
Piotnet Forms <= 2.1.40 - Unauthenticated Arbitrary File Upload via Form File Upload
CVSS 9.8
CVE-2026-4885 CRITICAL
Piotnet Addons for Elementor Pro <= 7.1.70 - Unauthenticated Arbitrary File Upload via Form File Upload
CVSS 9.8
CVE-2026-27891 HIGH
Remote Code Execution (RCE) via Zip Slip in Plugin Upload Mechanism
CVSS 7.2
CVE-2026-8758 HIGH
Metasoft 美特软件 MetaCRM upload3.jsp unrestricted upload
CVSS 7.3
CVE-2026-45315 HIGH
Open WebUI: Stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions
CVSS 8.7
CVE-2026-44566 HIGH
Open WebUI: Arbitrary File Upload and Path Traversal
CVSS 7.3
CVE-2026-44088 HIGH
Remote Code Execution in SzafirHost
CVE-2026-22707 MEDIUM
Strapi Upload Plugin MIME Validation Bypass via Content API
CVSS 5.4
CVE-2026-41937 HIGH
Vvveb < 1.0.8.3 Unrestricted File Upload RCE via Plugin Upload
CVSS 7.2
CVE-2026-6271 CRITICAL
Career Section <= 1.7 - Unauthenticated Arbitrary File Upload
CVSS 9.8
CVE-2026-45053 CRITICAL
CubeCart: Authenticated Arbitrary File Upload to RCE in REST Files API
CVSS 9.1
CVE-2026-37430 HIGH
qihang-wms 75c15a - Arbitrary File Upload
CVSS 7.3
CVE-2026-42844 HIGH
Grav: Low-privileged API users can create super-admin accounts via blueprint-upload
CVSS 8.8
CVE-2026-41517 NONE
Emlog: Remote Code Execution via Malicious Plugin Upload
CVE-2026-36387 MEDIUM
CODEASTRO Membership Management System 1.0 - Remote Code Execution
CVSS 6.5
CVE-2026-6692 HIGH
Slider Revolution 7.0.0 - 7.0.10 - Authenticated (Subscriber+) Arbitrary File Upload via _get_media_url
CVSS 8.8
CVE-2026-41587 HIGH
CI4MS: Unrestricted PHP File Upload via Theme Installation Leads to Authenticated Remote Code Execution
CVE-2026-41938 HIGH
Vvveb < 1.0.8.2 RCE via Media Upload Handler
CVSS 8.8
CVE-2026-6261 HIGH
Betheme <= 28.4 - Authenticated (Author+) Arbitrary File Upload to Remote Code Execution via Icon Pack Upload
CVSS 8.8
CVE-2026-38751 HIGH
OpenSTAManager <=2.10 - Arbitrary File Upload
CVSS 7.2
CVE-2026-7733 HIGH
funadmin Frontend Chunked Upload Endpoint UploadService.php chunkUpload unrestricted upload
CVSS 7.3
CVE-2026-7732 MEDIUM
code-projects BloodBank Managing System request_blood.php unrestricted upload
CVSS 6.3
CVE-2026-7711 HIGH
MindsDB Engine proc_wrapper.py exec unrestricted upload
CVSS 7.3