CVE-2015-10138
The Work The Flow File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jQuery-File-Upload-9.5.0 server and test files in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to upload arbitrary...
CVE-2025-6423
The BeeTeam368 Extensions plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handlesubmituploadfile function in all versions up to, and including, 2.3.5. This makes it possible for authenticated attackers with Subscriber-level access or higher ...
CVE-2025-34097 ProcessMaker < 3.5.4 Authenticated Plugin Upload RCE
An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install...
CVE-2025-34085
...
CVE-2025-7124
A vulnerability classified as critical has been found in code-projects Online Note Sharing 1.0. Affected is an unknown function of the file /dashboard/userprofile.php of the component Profile Image Handler. The manipulation of the argument image leads to unrestricted upload. It is possible to...
PT-2025-27351 · Code Projects · Code-Projects Simple Forum
Name of the Vulnerable Software and Affected Versions: code-projects Simple Forum version 1.0 Description: A critical issue has been found in the processing of the file /forum1.php, allowing unrestricted upload through the manipulation of the File argument. This can be initiated remotely. The...
CVE-2025-6776
CVE-2025-6776 affects xiaoyunjie openvpn-cms-flask (
CVE-2025-52921
In Innoshop through 0.4.1, an authenticated attacker could exploit the File Manager functions in the admin panel to achieve code execution on the server, by uploading a crafted file and then renaming it to have a .php extension by using the Rename Function. This bypasses the initial check that...
Exploit for Allocation of Resources Without Limits or Throttling in Apache Commons_Fileupload
CVE-2025-48988 & CVE-2025-48976 About This project runs a s...
PT-2025-25858 · WordPress · Csv Me
Name of the Vulnerable Software and Affected Versions: CSV Me plugin for WordPress versions up to, and including, 2.0 Description: The issue is related to insufficient file type validation in the csv me options page function, allowing authenticated attackers with Administrator-level access and...
CVE-2025-6092 comfyanonymous comfyui Incomplete Fix CVE-2024-10099 image cross site scripting
A vulnerability was found in comfyanonymous comfyui up to 0.3.39. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /upload/image of the component Incomplete Fix CVE-2024-10099. The manipulation of the argument image leads to cross site...
CVE-2025-6001 VirtueMart - Cross Site Request Forgery (CSRF)
A Cross-Site Request Forgery CSRF vulnerability exists in the product image upload function of VirtueMart that bypasses the CSRF protection token. An attacker is able to craft a special CSRF request which will allow unrestricted file upload into the VirtueMart media manager...
CVE-2025-5395
CVE-2025-5395 : WordPress Automatic Plugin for WordPress (WordPress Automatic Plugin
PT-2025-23818 · Cisco · Cisco Identity Services Engine +1
Name of the Vulnerable Software and Affected Versions: Cisco Identity Services Engine ISE and Cisco ISE Passive Identity Connector ISE-PIC affected versions not specified Description: A vulnerability in the API of Cisco Identity Services Engine ISE and Cisco ISE Passive Identity Connector ISE-PIC...
GHSA-95RC-WC32-GM53 Gokapi vulnerable to stored XSS via uploading file with malicious file name
Impact When using end-to-end encryption, a stored XSS vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every time someone opens the upload list, the script is then parsed. With the affected versions v2.0, there was no user permissi...
CVE-2025-46080
HuoCMS V3.5.1 has a File Upload Vulnerability. An attacker can exploit this flaw to bypass whitelist restrictions and craft malicious files with specific suffixes, thereby gaining control of the server...
CVE-2024-52787
An issue in the uploaddocuments method of libre-chat v0.0.6 allows attackers to execute a path traversal via supplying a crafted filename in an uploaded file...
CVE-2024-52597
2FAuth is a web app to manage Two-Factor Authentication 2FA accounts and generate their security codes. Versions prior to 5.4.1 are vulnerable to stored cross-site scripting due to improper headers in direct access to uploaded SVGs. The application allows uploading images in several places. One o...