CVE-2021-29641
Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. Exploitation succeeds only for certain...
CVE-2020-28871
Remote code execution in Monitorr v1.7.6m in upload.php allows an unauthorized person to execute arbitrary code on the server-side via an insecure file upload...
CVE-2020-19138
Unrestricted Upload of File with Dangerous Type in DotCMS v5.2.3 and earlier allows remote attackers to execute arbitrary code via the component "/src/main/java/com/dotmarketing/filters/CMSFilter.java"...
CVE-2019-13028
An incorrect implementation of a local web server in eID client (Windows version before 3.1.2, Linux version before 3.0.3) allows remote attackers to execute arbitrary code (.cgi, .pl, or .php) or delete arbitrary files via a crafted HTML page. This is a product from the Ministry of Interior of the...
CVE-2011-5292
The EaseWeFtp.FtpLibrary ActiveX control in EaseWeFtp.ocx in Easewe FTP OCX 4.5.0.9 does not restrict access to certain methods, which allows remote attackers to execute arbitrary files via a pathname in the first argument to the (1) Execute or (2) Run method, (3) write to arbitrary files via a pathnam...
CVE-2019-9617
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider, for example, file.jsp::$DATA to the admin/ueditor/uploadFile URI...
CVE-2019-18288
A vulnerability has been identified in SPPA-T3000 Application Server All versions Service Pack R8.2 SP2. An attacker with valid authentication at the RMI interface could be able to gain remote code execution through an unsecured file upload. Please note that an attacker needs to have access to th...
CVE-2017-9069
In MODX Revolution before 2.5.7, a user with file upload permissions is able to execute arbitrary code by uploading a file with the name .htaccess...
CVE-2013-7392
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/...
CVE-2015-2201
Aruba AirWave before 7.7.14.2 and 8.x before 8.0.7 allows VisualRF remote OS command execution and file disclosure by administrative users...
PT-2025-26301
Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.5.x through 10.5.5; Mattermost versions 9.11.x through 9.11.15; Mattermost versions 10.8.x through 10.8.0; Mattermost versions 10.7.x through 10.7.2; Mattermost versions 10.6.x through 10.6.5. Description: Mattermost fails to...
CVE-2025-46193
SourceCodester Client Database Management System 1.0 is vulnerable to remote code execution via arbitrary file upload in user_proposal_update_order.php...
CVE-2025-46193
Summary: CVE-2025-46193 affects SourceCodester Client Database Management System 1.0 and enables remote code execution via an arbitrary file upload in the vulnerable file path user_proposal_update_order.php. The CVSS v3.1 score is 9.8 (CRITICAL) with network attack vector, no privileges required,...
CVE-2025-46571
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, low privileged users can upload HTML files which contain JavaScript code via the /api/v1/files/ backend endpoint. This endpoint returns a file id, which can be used to open t...
CVE-2025-4279
CVE-2025-4279 concerns the WordPress plugin “External image replace” (affected versions ≤ 1.0.8). The issue is an arbitrary file upload vulnerability caused by missing file-type validation in external_image_replace_get_posts::replace_post, allowing authenticated attackers with contributor-level p...
CVE-2024-56156
CVE-2024-56156 affects Halo prior to 2.20.13. The vulnerability arises from a file type validation bypass in the upload mechanism, allowing malicious files (including executables and HTML) which can lead to stored XSS and, under certain circumstances, remote code execution. A fixed version, 2.20....
CVE-2025-46616
CVE-2025-46616 affects Quantum StorNext Web GUI API and StorNext components (StorNext RYO, StorNext Xcellis Workflow Director, and ActiveScale Cold Storage) prior to version 7.2.4. The vulnerability stems from a file upload path that could enable Arbitrary Remote Code Execution (RCE). Impact is d...
CVE-2025-43946
The CVE-2025-43946 entry concerns TCPWave DDI 11.34P1C2. The issue is Remote Code Execution caused by Unrestricted File Upload combined with Path Traversal, enabling an attacker to upload files and traverse directories to execute arbitrary code. CVSSv3.1 metrics indicate a NETWORK-vector, exploit...
CVE-2020-20969
File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcanrestoreitem.php file...
CVE-2025-32118 WordPress CMP – Coming Soon & Maintenance plugin <= 4.1.14 - Remote Code Execution (RCE) vulnerability
Unrestricted Upload of File with Dangerous Type vulnerability in NiteoThemes CMP – Coming Soon & Maintenance cmp-coming-soon-maintenance allows Using Malicious Files. This issue affects CMP – Coming Soon & Maintenance: from n/a through <= 4.1.14...