Total: 3652 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-66074 | 1 Wordpress | 1 Wordpress | 2025-12-19 | 9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal. This issue affects WP Webhooks: from n/a through <= 3.3.8. | ||||
| CVE-2023-53876 | 1 Creativeitem | 1 Academy Lms | 2025-12-18 | 5.4 Medium |
| Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject malicious scripts through the profile avatar upload feature by modifying file extensions and embedding executable JavaScript code. | ||||
| CVE-2023-53868 | 2 Coppermine, Coppermine-gallery | 3 Coppermine Photo Gallery, Gallery, Coppermine Photo Gallery | 2025-12-18 | 8.8 High |
| Coppermine Gallery 1.6.25 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the plugin manager. Attackers can upload a zipped PHP file with system commands to the plugin directory and execute arbitrary code by accessing the uploaded plugin script. | ||||
| CVE-2023-53885 | 1 Webutler | 1 Webutler | 2025-12-18 | 7.2 High |
| Webutler v3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload PHP files with system command execution. Attackers can upload a PHAR file with embedded system commands to the media browser and execute arbitrary commands by accessing the uploaded file. | ||||
| CVE-2023-53889 | 2 Edgeofmyseat, Perch | 2 Perch, Perch Cms | 2025-12-18 | 7.2 High |
| Perch CMS 3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload arbitrary PHP files through the assets management interface. Attackers can upload a malicious .phar file with embedded system command execution capabilities to execute arbitrary commands on the server. | ||||
| CVE-2025-65471 | 1 Easyimages2.0 Project | 1 Easyimages2.0 | 2025-12-18 | 8.8 High |
| An arbitrary file upload vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via uploading a crafted PHP file. | ||||
| CVE-2023-53924 | 1 Ulicms | 1 Ulicms | 2025-12-18 | 8.8 High |
| UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution through maliciously crafted avatar uploads. | ||||
| CVE-2023-53933 | 1 S9y | 1 Serendipity | 2025-12-18 | 8.8 High |
| Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension. Attackers can upload files with system command payloads to the media upload endpoint and execute arbitrary commands on the server. | ||||
| CVE-2023-53922 | 1 Tinywebgallery | 1 Tinywebgallery | 2025-12-18 | 9.8 Critical |
| TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL. | ||||
| CVE-2025-68109 | 1 Churchcrm | 1 Churchcrm | 2025-12-18 | 9.1 Critical |
| ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue. | ||||
| CVE-2023-3417 | 3 Debian, Mozilla, Redhat | 7 Debian Linux, Thunderbird, Enterprise Linux and 4 more | 2025-12-18 | 7.5 High |
| Thunderbird allowed the Text Direction Override Unicode Character in filenames. An email attachment could be incorrectly shown as being a document file, while in fact it was an executable file. Newer versions of Thunderbird will strip the character and show the correct file extension. This vulnerability affects Thunderbird < 115.0.1 and Thunderbird < 102.13.1. | ||||
| CVE-2023-53921 | 1 Sitemagic | 1 Sitemagic Cms | 2025-12-18 | 9.8 Critical |
| SitemagicCMS 4.4.3 contains a remote code execution vulnerability that allows attackers to upload malicious PHP files to the files/images directory. Attackers can upload a .phar file with system command execution payload to compromise the web application and execute arbitrary system commands. | ||||
| CVE-2025-67164 | 1 Pagekit | 1 Pagekit | 2025-12-18 | 9.9 Critical |
| An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP file. | ||||
| CVE-2025-43750 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-18 | 6.5 Medium |
| Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows remote unauthenticated users (guests) to upload files via the form attachment field without proper validation, enabling extension obfuscation and bypassing MIME type checks. | ||||
| CVE-2025-2749 | 1 Kentico | 1 Xperience | 2025-12-17 | 7.2 High |
| An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution. This issue affects Kentico Xperience through 13.0.178. | ||||
| CVE-2025-2748 | 1 Kentico | 1 Xperience | 2025-12-17 | 6.5 Medium |
| The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS. This issue affects Kentico Xperience through 13.0.178. | ||||
| CVE-2020-36897 | 2 Howfor, Qihang Media | 2 Qihang Media Web Digital Signage, Web Digital Signage | 2025-12-17 | 9.8 Critical |
| QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated remote code execution vulnerability in the QH.aspx file that allows attackers to upload malicious ASPX scripts. Attackers can exploit the file upload functionality by using the 'remotePath' and 'fileToUpload' parameters to write and execute arbitrary system commands on the server. | ||||
| CVE-2023-53892 | 1 Blackcat-cms | 1 Blackcat Cms | 2025-12-17 | 7.2 High |
| Blackcat CMS 1.4 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the jquery plugin manager. Attackers can upload a zip file with a PHP shell script and execute arbitrary system commands by accessing the uploaded plugin's PHP file with a 'code' parameter. | ||||
| CVE-2024-44598 | 1 Fntsoftware | 1 Fnt Command | 2025-12-16 | 8.8 High |
| FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module. | ||||
| CVE-2024-44599 | 1 Fntsoftware | 1 Fnt Command | 2025-12-16 | 8.3 High |
| FNT Command 13.4.0 is vulnerable to Directory Traversal. | ||||