CWE-434

Exploit likelihood: Medium

Unrestricted Upload of File with Dangerous Type

Parent: CWE-669 - Incorrect Resource Transfer Between Spheres

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

4,009 vulnerabilities with CWE-434
CVE ID | Severity | CVSS | Title
CVE-2026-5472 | MEDIUM | 6.3 | ProjectsAndPrograms School Management System Profile Picture settings.php unrestricted upload
CVE-2026-34735 | HIGH | - | Hytale Modding Vulnerable to Remote Code Execution via File Upload Bypass in `FileController`
CVE-2026-2701 | CRITICAL | 9.1 | RCE vulnerability in Progress ShareFile Storage Zones Controller (SZC)
CVE-2026-1879 | MEDIUM | 6.3 | Harvard University IQSS Dataverse Theme Customization ThemeAndWidgets.xhtml unrestricted upload
CVE-2026-5261 | HIGH | 7.3 | Shandong Hoteam InforCenter PLM BaseHandler.ashx uploadFileToIIS unrestricted upload
CVE-2026-30280 | MEDIUM | 5.3 | RAREPROB SOLUTIONS PRIVATE LIMITED Video player Play All Videos 1.0.135 - Arbitrary File Overwrite
CVE-2026-5181 | MEDIUM | 6.3 | SourceCodester Simple Doctors Appointment System ajax.php unrestricted upload
CVE-2026-5001 | HIGH | 7.3 | PromtEngineer localGPT server.py do_POST unrestricted upload
CVE-2026-25099 | HIGH | 8.8 | Remote Code Execution via Unrestricted File Upload in Bludit
CVE-2026-33687 | HIGH | 8.8 | Sharp has Unrestricted File Upload via Client-Controlled Validation Rules
CVE-2026-4875 | MEDIUM | 4.7 | itsourcecode Free Hotel Reservation System index.php unrestricted upload
CVE-2026-4809 | CRITICAL | 9.8 | Unsafe Client MIME Type Handling Can Enable Arbitrary File Upload in plank/laravel-mediable
CVE-2026-4830 | MEDIUM | 5.6 | kalcaddle kodbox Public Share userShare.class.php add privilege escalation
CVE-2026-33809 | MEDIUM | 5.3 | OOM from malicious IFD offset in golang.org/x/image/tiff
CVE-2026-32536 | CRITICAL | 9.9 | WordPress Green Downloads plugin <= 2.08 - Arbitrary File Upload vulnerability
CVE-2026-32524 | CRITICAL | 9.1 | WordPress Photo Engine plugin <= 6.4.9 - Arbitrary File Upload vulnerability
CVE-2026-32523 | CRITICAL | 9.9 | WordPress WPJAM Basic plugin <= 6.9.2 - Arbitrary File Upload vulnerability
CVE-2026-32482 | CRITICAL | 9.9 | WordPress Ona theme < 1.24 - Arbitrary File Upload vulnerability
CVE-2026-25413 | CRITICAL | 9.9 | WordPress WPBookit Pro plugin <= 1.6.18 - Arbitrary File Upload vulnerability
CVE-2026-23636 | MEDIUM | 5.5 | Kiteworks Secure Data Forms is vulnerable to an Unrestricted Upload of File with Dangerous Type
CVE-2026-3533 | HIGH | 8.8 | Jupiter X Core Plugin for WordPress <=4.14.1 - RCE
CVE-2026-32278 | HIGH | 8.2 | Connect-CMS 1.x-1.41.0/2.x-2.41.0 - Stored XSS
CVE-2026-33717 | HIGH | 8.8 | AVideo Vulnerable to Remote Code Execution via Persistent PHP Temp File in Encoder downloadURL with Resolution Validation Abort
CVE-2026-33647 | HIGH | 8.8 | AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload
CVE-2026-4586 | MEDIUM | 6.3 | CodePhiliaX Chat2DB JDBC Driver Upload JdbcDriverController.java upload unrestricted upload