Total
3620 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-53863 | 2 Element-hq, Matrix | 2 Synapse, Synapse | 2025-08-26 | 9.1 Critical |
| Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1. | ||||
| CVE-2025-6466 | 1 Ageerle | 1 Ruoyi-ai | 2025-08-26 | 6.3 Medium |
| A vulnerability was found in ageerle ruoyi-ai 2.0.0 and classified as critical. Affected by this issue is the function speechToTextTranscriptionsV2/upload of the file ruoyi-modules/ruoyi-system/src/main/java/org/ruoyi/system/service/impl/SseServiceImpl.java. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.1 is able to address this issue. The patch is identified as 4e93ac86d4891c59ecfcd27c051de9b3c5379315. It is recommended to upgrade the affected component. | ||||
| CVE-2025-9415 | 1 Greencms | 1 Greencms | 2025-08-26 | 6.3 Medium |
| A vulnerability was identified in GreenCMS up to 2.3.0603. This affects an unknown part of the file /index.php?m=admin&c=media&a=fileconnect. The manipulation of the argument upload[] leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-53119 | 1 Securden | 1 Unified Pam | 2025-08-26 | 7.5 High |
| An unauthenticated unrestricted file upload vulnerability allows an attacker to upload malicious binaries and scripts to the server. | ||||
| CVE-2025-53251 | 1 Wordpress | 1 Wordpress | 2025-08-23 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in An-Themes Pin WP allows Upload a Web Shell to a Web Server.This issue affects Pin WP: from n/a before 7.2. | ||||
| CVE-2025-55743 | 2 Unopim, Webkul | 2 Unopim, Unopim | 2025-08-23 | 8.8 High |
| UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, the image upload at the user creation feature performs only client side file type validation. A user can capture the request by uploading an image, capture the request through a Proxy like Burp suite. Make changes to the file extension and content. The vulnerability is fixed in 0.2.1. | ||||
| CVE-2024-13144 | 1 Zhenfeng13 | 1 My-blog | 2025-08-22 | 6.3 Medium |
| A vulnerability classified as critical has been found in zhenfeng13 My-Blog 1.0. Affected is the function uploadFileByEditomd of the file src/main/java/com/site/blog/my/core/controller/admin/BlogController.java. The manipulation of the argument editormd-image-file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-13145 | 1 Zhenfeng13 | 1 My-blog | 2025-08-22 | 6.3 Medium |
| A vulnerability classified as critical was found in zhenfeng13 My-Blog 1.0. Affected by this vulnerability is the function upload of the file src/main/java/com/site/blog/my/core/controller/admin/uploadController. java. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-13210 | 1 Donglight | 1 Bookstore | 2025-08-22 | 4.7 Medium |
| A vulnerability was found in donglight bookstore电商书城系统说明 1.0. It has been declared as critical. Affected by this vulnerability is the function uploadPicture of the file src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController. java. The manipulation of the argument pictureFile leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-49222 | 1 Mattermost | 1 Mattermost | 2025-08-22 | 6.8 Medium |
| Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories. | ||||
| CVE-2025-55383 | 2025-08-22 | 8.6 High | ||
| Moss before v0.15 has a file upload vulnerability. The "upload" function configuration allows attackers to upload files of any extension to any location on the target server. | ||||
| CVE-2025-55746 | 1 Directus | 1 Directus | 2025-08-22 | 9.3 Critical |
| Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3. | ||||
| CVE-2025-24489 | 2025-08-22 | 6.3 Medium | ||
| An attacker could exploit this vulnerability by uploading arbitrary files via a specific service, which could lead to system compromise. | ||||
| CVE-2025-27714 | 2025-08-22 | 6.3 Medium | ||
| An attacker could exploit this vulnerability by uploading arbitrary files via the a specific endpoint, leading to unauthorized remote code execution or system compromise. | ||||
| CVE-2025-54460 | 2025-08-22 | 7.1 High | ||
| The vulnerability, if exploited, could allow an authenticated miscreant (with privileges to create or access publication targets of type Text File or HDFS) to upload and persist files that could potentially be executed. | ||||
| CVE-2024-13201 | 1 Wander-chu | 1 Springboot-blog | 2025-08-22 | 4.7 Medium |
| A vulnerability has been found in wander-chu SpringBoot-Blog 1.0 and classified as critical. This vulnerability affects the function upload of the file src/main/java/com/my/blog/website/controller/admin/AttachtController.java of the component Admin Attachment Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-3863 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-08-22 | 9.8 Critical |
| The executable file warning was not presented when downloading .xrm-ms files. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. | ||||
| CVE-2025-9153 | 2 Itsourcecode, Mayurik | 2 Online Tour And Travel Management System, Online Tour \& Travel Management System | 2025-08-21 | 6.3 Medium |
| A vulnerability was detected in itsourcecode Online Tour and Travel Management System 1.0. This vulnerability affects unknown code of the file /admin/operations/travellers.php. The manipulation of the argument photo results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. | ||||
| CVE-2024-13022 | 1 Taisan | 1 Tarzan-cms | 2025-08-21 | 6.3 Medium |
| A vulnerability, which was classified as critical, was found in taisan tarzan-cms 1.0.0. This affects the function UploadResponse of the file src/main/java/com/tarzan/cms/modules/admin/controller/common/UploadController.java of the component Article Management. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-3736 | 1 Cym1102 | 1 Nginxwebui | 2025-08-21 | 4.3 Medium |
| A vulnerability was found in cym1102 nginxWebUI up to 3.9.9. It has been declared as problematic. Affected by this vulnerability is the function upload of the file /adminPage/main/upload. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-260575. | ||||