Total
3479 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11398 | 2 Nikhil-bhalerao, Sourcecodester | 2 Hotel And Lodge Management System, Hotel And Lodge Management System | 2025-10-09 | 6.3 Medium |
| A weakness has been identified in SourceCodester Hotel and Lodge Management System 1.0. The impacted element is an unknown function of the file /profile.php of the component Profile Page. Executing manipulation of the argument image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-11417 | 1 Campcodes | 1 Advanced Online Voting System | 2025-10-09 | 6.3 Medium |
| A weakness has been identified in Campcodes Advanced Online Voting Management System 1.0. This vulnerability affects unknown code of the file /admin/voters_add.php. Executing manipulation of the argument photo can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-11426 | 1 Projectworlds | 1 Advanced Library Management System | 2025-10-09 | 6.3 Medium |
| A security flaw has been discovered in projectworlds Advanced Library Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit_book.php. The manipulation of the argument image results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-11436 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 6.3 Medium |
| A vulnerability was detected in JhumanJ OpnForm up to 1.9.3. Affected by this issue is some unknown functionality of the file /answer. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. The patch is identified as 95c3e23856465d202e6aec10bdb6ee0688b5305a. It is advisable to implement a patch to correct this issue. | ||||
| CVE-2025-2978 | 1 Wcms | 1 Wcms | 2025-10-09 | 6.3 Medium |
| A vulnerability was found in WCMS 11. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php?articleadmin/upload/?&CKEditor=container&CKEditorFuncNum=1 of the component Article Publishing Page. The manipulation of the argument Upload leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-11470 | 2 Nikhil-bhalerao, Sourcecodester | 2 Hotel And Lodge Management System, Hotel And Lodge Management System | 2025-10-09 | 4.7 Medium |
| A security vulnerability has been detected in SourceCodester Hotel and Lodge Management System up to 1.0. The impacted element is an unknown function of the file /manage_website.php. The manipulation of the argument website_image/back_login_image leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2025-61768 | 1 Kuno | 1 Kuno Cms | 2025-10-08 | N/A |
| KUNO CMS is a fully deployable full-stack blog application. In versions prior to 1.3.15, an SSRF (Server-Side Request Forgery) vulnerability exists in the Media module of the Kuno CMS administrative panel. A logged-in administrator can upload a specially crafted SVG file containing an external image reference, causing the server to initiate an outgoing connection to an arbitrary external URL. This can lead to information disclosure or internal network probing. Version 1.3.15 contains a fix for the issue. | ||||
| CVE-2024-46479 | 1 Venki | 1 Supravizio Bpm | 2025-10-07 | 9.9 Critical |
| Venki Supravizio BPM through 18.0.1 was discovered to contain an arbitrary file upload vulnerability. An authenticated attacker may upload a malicious file, leading to remote code execution. | ||||
| CVE-2025-11318 | 1 Tipray | 1 Data Leakage Prevention System | 2025-10-06 | 7.3 High |
| A security flaw has been discovered in Tipray 厦门天锐科技股份有限公司 Data Leakage Prevention System 天锐数据泄露防护系统 1.0. This vulnerability affects unknown code of the file uploadWxFile.do. The manipulation of the argument File results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-11320 | 1 Zhuimengshaonian | 1 Wisdom-education | 2025-10-06 | 6.3 Medium |
| A security vulnerability has been detected in zhuimengshaonian wisdom-education up to 1.0.4. Impacted is the function uploadFile of the file src/main/java/com/education/core/controller/UploadController.java. Such manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2025-61681 | 1 Kuno | 1 Kuno Cms | 2025-10-06 | 5.4 Medium |
| KUNO CMS is a fully deployable full-stack blog application. Versions 1.3.13 and below contain validation flaws in its file upload functionality that can be exploited for stored XSS. The upload endpoint only validates file types based on Content-Type headers, lacks file content analysis and extension whitelist restrictions, allowing attackers to upload SVG files containing malicious scripts (disguised as images). When users access the uploaded resource pages, arbitrary JavaScript executes in their browsers. This issue is fixed in version 1.3.14. | ||||
| CVE-2024-56508 | 1 Linkace | 1 Linkace | 2025-10-06 | 7.6 High |
| LinkAce is a self-hosted archive to collect links of your favorite websites. Prior to 1.15.6, a file upload vulnerability exists in the LinkAce. This issue occurs in the "Import Bookmarks" functionality, where malicious HTML files can be uploaded containing JavaScript payloads. These payloads execute when the uploaded links are accessed, leading to potential reflected or persistent XSS scenarios. This vulnerability is fixed in 1.15.6. | ||||
| CVE-2025-59835 | 1 Langbot | 1 Langbot | 2025-10-06 | N/A |
| LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5. | ||||
| CVE-2025-9561 | 1 Wordpress | 1 Wordpress | 2025-10-06 | 8.8 High |
| The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider() handler in versions 3.8.1 to 3.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-9212 | 1 Wordpress | 1 Wordpress | 2025-10-06 | 7.5 High |
| The WP Dispatcher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wp_dispatcher_process_upload() function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The directory does have an .htaccess file which limits the ability to achieve remote code execution. | ||||
| CVE-2025-1862 | 1 Wso2 | 4 Enterprise Integrator, Identity Server, Identity Server As Key Manager and 1 more | 2025-10-06 | 6.7 Medium |
| An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL uploader SOAP service endpoint. A malicious actor with administrative privileges can upload arbitrary files to a user-controlled location on the server. By leveraging this vulnerability, an attacker can upload a specially crafted payload and achieve remote code execution (RCE), potentially compromising the server and its data. | ||||
| CVE-2025-11078 | 2 Angeljudesuarez, Itsourcecode | 2 Open Source Job Portal, Open Source Job Portal | 2025-10-03 | 6.3 Medium |
| A vulnerability was identified in itsourcecode Open Source Job Portal 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/user/controller.php?action=photos. The manipulation of the argument photo leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | ||||
| CVE-2025-4291 | 1 Ideacms | 1 Ideacms | 2025-10-03 | 6.3 Medium |
| A vulnerability, which was classified as critical, was found in IdeaCMS up to 1.6. Affected is the function saveUpload. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-11103 | 1 Projectworlds | 1 Online Tours And Travels | 2025-10-03 | 4.7 Medium |
| A security vulnerability has been detected in Projectworlds Online Tours and Travels 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/change-image.php. The manipulation of the argument packageimage leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2025-11221 | 1 Gtone | 1 Changeflow | 2025-10-03 | 8.8 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Unrestricted Upload of File with Dangerous Type vulnerability in GTONE ChangeFlow allows Path Traversal, Accessing Functionality Not Properly Constrained by ACLs.This issue affects ChangeFlow: from All versions through v9.0.1.1. | ||||