Total
3479 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-36741 | 2 Microsoft, Trendmicro | 5 Windows, Apex One, Officescan and 2 more | 2025-10-22 | 8.8 High |
| An improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 10.0 SP1 allows a remote attached to upload arbitrary files on affected installations. Please note: an attacker must first obtain the ability to logon to the product�s management console in order to exploit this vulnerability. | ||||
| CVE-2021-31207 | 1 Microsoft | 1 Exchange Server | 2025-10-22 | 6.6 Medium |
| Microsoft Exchange Server Security Feature Bypass Vulnerability | ||||
| CVE-2021-20022 | 1 Sonicwall | 2 Email Security, Hosted Email Security | 2025-10-22 | 7.2 High |
| SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host. | ||||
| CVE-2020-8260 | 1 Ivanti | 1 Connect Secure | 2025-10-22 | 7.2 High |
| A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction. | ||||
| CVE-2020-25213 | 1 Webdesi9 | 1 File Manager | 2025-10-22 | 10 Critical |
| The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020. | ||||
| CVE-2020-13671 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2025-10-22 | 8.8 High |
| Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74. | ||||
| CVE-2019-8394 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2025-10-22 | 7.5 High |
| Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. | ||||
| CVE-2017-12617 | 6 Apache, Canonical, Debian and 3 more | 60 Tomcat, Ubuntu Linux, Debian Linux and 57 more | 2025-10-22 | 8.1 High |
| When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. | ||||
| CVE-2017-12615 | 4 Apache, Microsoft, Netapp and 1 more | 24 Tomcat, Windows, 7-mode Transition Tool and 21 more | 2025-10-22 | 8.1 High |
| When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. | ||||
| CVE-2017-11357 | 1 Telerik | 1 Ui For Asp.net Ajax | 2025-10-22 | 9.8 Critical |
| Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. | ||||
| CVE-2016-3088 | 2 Apache, Redhat | 3 Activemq, Jboss Amq, Jboss Fuse | 2025-10-22 | 9.8 Critical |
| The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request. | ||||
| CVE-2025-31324 | 1 Sap | 1 Netweaver | 2025-10-21 | 10 Critical |
| SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. | ||||
| CVE-2024-57968 | 1 Advantive | 1 Veracore | 2025-10-21 | 9.9 Critical |
| Advantive VeraCore before 2024.4.2.1 allows remote authenticated users to upload files to unintended folders (e.g., ones that are accessible during web browsing by other users). upload.aspx can be used for this. | ||||
| CVE-2024-50623 | 1 Cleo | 4 Harmomy, Harmony, Lexicom and 1 more | 2025-10-21 | 9.8 Critical |
| In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution. | ||||
| CVE-2024-39717 | 1 Versa-networks | 1 Versa Director | 2025-10-21 | 7.2 High |
| The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. (Tenant level users do not have this privilege). The “Change Favicon” (Favorite Icon) option can be mis-used to upload a malicious file ending with .png extension to masquerade as image file. This is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin has successfully authenticated and logged in. | ||||
| CVE-2025-11908 | 1 Shenzhen Ruiming Technology | 1 Streamax Crocus | 2025-10-21 | 6.3 Medium |
| A security flaw has been discovered in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The affected element is the function uploadFile of the file /FileDir.do?Action=Upload. Performing manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-28814 | 1 Hikvision | 1 Isecure Center | 2025-10-21 | 9.8 Critical |
| Some versions of Hikvision's iSecure Center Product have an improper file upload control vulnerability. Due to the improper verification of file to be uploaded, attackers may upload malicious files to the server. iSecure Center is software released for China's domestic market only, with no overseas release. | ||||
| CVE-2025-56218 | 1 Ascertia | 1 Signinghub | 2025-10-21 | 9.8 Critical |
| An arbitrary file upload vulnerability in SigningHub v8.6.8 allows attackers to execute arbitrary code via uploading a crafted PDF file. | ||||
| CVE-2025-61417 | 1 Tastyigniter | 1 Tastyigniter | 2025-10-21 | 8.8 High |
| Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicious SVG file containing JavaScript code. When an administrator previews the file, the code executes in their browser context, allowing the attacker to perform unauthorized actions such as modifying the admin account credentials. | ||||
| CVE-2025-11948 | 1 Excellent Infotek | 1 Document Management System | 2025-10-21 | 9.8 Critical |
| Document Management System developed by Excellent Infotek has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | ||||