CWE-434

Exploit likelihood: Medium

Unrestricted Upload of File with Dangerous Type

Parent: CWE-669 - Incorrect Resource Transfer Between Spheres

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

4,009 vulnerabilities with CWE-434
CVE-2026-1969 (MEDIUM, CVSS 5.3): ThemeREX Addons < 2.38.5 - Unauthenticated Arbitrary File Upload
CVE-2026-4536 (HIGH, CVSS 7.3): Acrel Environmental Monitoring Cloud Platform unrestricted upload
CVE-2026-4505 (MEDIUM, CVSS 6.3): eosphoros-ai DB-GPT FastAPI Endpoint controller.py module_plugin.refresh_plugins unrestricted upload
CVE-2026-32989 (HIGH, CVSS 8.8): Precurio Intranet Portal 4.4: Cross-Site Request Forgery leading to arbitrary file upload
CVE-2026-33071 (MEDIUM, CVSS 4.3): FileRise: WebDAV upload path bypasses filename validation enforced by regular uploads
CVE-2026-32985 (CRITICAL, CVSS 9.8): Xerte Online Toolkits <= 3.14 Unauthenticated Template Import Arbitrary File Upload Leading to Remote Code Execution
CVE-2026-32756 (HIGH, CVSS 8.8): Admidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents & Files Module
CVE-2026-29104 (LOW, CVSS 2.7): SuiteCRM Vulnerable to Authenticated Arbitrary File Upload via Configurator addfontresult View in SuiteCRM
CVE-2026-27043 (HIGH, CVSS 7.2): WordPress Photography theme <= 7.7.5 - Arbitrary File Upload vulnerability
CVE-2026-27067 (CRITICAL, CVSS 9.1): WordPress Mobile App Editor plugin <= 1.3.1 - Arbitrary File Upload vulnerability
CVE-2026-27540 (CRITICAL, CVSS 9.0): WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Arbitrary File Upload vulnerability
CVE-2026-29859 (CRITICAL, CVSS 9.8): aaPanel v7.57.0 - Arbitrary File Upload
CVE-2026-28674 (HIGH, CVSS 7.2): xiaoheiFS Vulnerable to RCE via Arbitrary Payment Plugin Upload (Automatic Execution)
CVE-2026-28673 (HIGH, CVSS 7.2): xiaoheiFS Vulnerable to RCE via Unrestricted Plugin Installation (Manifest Manipulation)
CVE-2026-4221 (HIGH, CVSS 7.3): Tiandy Easy7 Integrated Management Platform Endpoint uploadLedImage unrestricted upload
CVE-2026-4220 (HIGH, CVSS 7.3): Technologies Integrated Management Platform SetWebpagePic.jsp unrestricted upload
CVE-2026-4201 (HIGH, CVSS 7.3): glowxq glowxq-oj SysFileController.java upload unrestricted upload
CVE-2026-4191 (HIGH, CVSS 7.3): node-api-postgres up to 2.5 - Unrestricted Upload
CVE-2026-3891 (CRITICAL, CVSS 9.8): Pix for WooCommerce <=1.5.0 - Arbitrary File Upload
CVE-2026-3800 (MEDIUM, CVSS 6.3): janobe Resort Reservation System 1.0 - Unrestricted Upload
CVE-2026-3797 (MEDIUM, CVSS 6.3): Tiandy Video Surveillance System 7.17.0 - Unrestricted Upload
CVE-2026-3749 (MEDIUM, CVSS 6.3): Bytedesk <=1.3.9 - Unrestricted Upload
CVE-2026-3748 (MEDIUM, CVSS 6.3): Bytedesk <=1.3.9 - Unrestricted Upload
CVE-2026-29186 (HIGH, CVSS 7.7): Backstage <1.14.3 - Code Injection
CVE-2026-30821 (CRITICAL, CVSS 9.8): Flowise <3.0.13 - Auth Bypass