Total
3620 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-51489 | 1 Moonshine | 1 Moonshine | 2025-08-21 | 4.5 Medium |
| A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version < 3.12.5, allowing remote attackers to upload a malicious SVG file when creating/updating an Article and correctly execute arbitrary JavaScript when the file link is opened. | ||||
| CVE-2025-48148 | 2 Woocommerce, Wordpress | 3 Storekeeper, Woocommerce, Wordpress | 2025-08-21 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows Using Malicious Files. This issue affects StoreKeeper for WooCommerce: from n/a through 14.4.4. | ||||
| CVE-2025-53213 | 2025-08-20 | 9.9 Critical | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ReachShip WooCommerce Multi-Carrier & Conditional Shipping allows Using Malicious Files. This issue affects ReachShip WooCommerce Multi-Carrier & Conditional Shipping: from n/a through 4.3.1. | ||||
| CVE-2025-7441 | 2 Storychief, Wordpress | 2 Storychief, Wordpress | 2025-08-18 | 9.8 Critical |
| The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-9099 | 2025-08-18 | 6.3 Medium | ||
| A vulnerability was identified in Acrel Environmental Monitoring Cloud Platform up to 20250804. This affects an unknown part of the file /NewsManage/UploadNewsImg. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-6079 | 2025-08-18 | 8.8 High | ||
| The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the homework.php file in all versions up to, and including, 93.2.0. This makes it possible for authenticated attackers, with Student-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-39752 | 1 Ibm | 1 Analytics Content Hub | 2025-08-18 | 6.8 Medium |
| IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 could be vulnerable to malicious file upload by not validating the type of file uploaded to Explore Content. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks. | ||||
| CVE-2025-55135 | 1 Agora Foundation | 1 Agora | 2025-08-16 | 6.4 Medium |
| In Agora Foundation Agora fall23-Alpha1 before 690ce56, there is XSS via a profile picture to server/controller/userController.js. Formats other than PNG, JPEG, and WEBP are permitted by server/routes/userRoutes.js; this includes SVG. | ||||
| CVE-2025-24775 | 2 Madeit, Wordpress | 2 Forms, Wordpress | 2025-08-16 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms allows Upload a Web Shell to a Web Server. This issue affects Forms: from n/a through 2.9.0. | ||||
| CVE-2025-54693 | 2 Epiph, Wordpress | 2 Form Block, Wordpress | 2025-08-16 | 9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in epiphyt Form Block allows Upload a Web Shell to a Web Server. This issue affects Form Block: from n/a through 1.5.5. | ||||
| CVE-2025-6679 | 2 Bitpressadmin, Wordpress | 2 Contact Form By Bit Form Multi Step Form, Wordpress | 2025-08-16 | 9.8 Critical |
| The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally a form with an advanced file upload element needs to be published. | ||||
| CVE-2025-54473 | 1 Joomla | 2 Joomla, Joomla! | 2025-08-16 | N/A |
| An authenticated RCE vulnerability in Phoca Commander component 1.0.0-4.0.0 and 5.0.0-5.0.1 for Joomla was discovered. The issue allows code execution via the unzip feature. | ||||
| CVE-2025-8297 | 1 Ivanti | 1 Avalanche | 2025-08-15 | 7.2 High |
| Incomplete restriction of configuration in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to achieve remote code execution | ||||
| CVE-2025-52239 | 2 Zkea, Zkeacms | 2 Zkeacms, Zkeacms | 2025-08-14 | 9.8 Critical |
| An arbitrary file upload vulnerability in ZKEACMS v4.1 allows attackers to execute arbitrary code via a crafted file. | ||||
| CVE-2012-10056 | 2025-08-14 | N/A | ||
| PHP Volunteer Management System v1.0.2 contains an arbitrary file upload vulnerability in its document upload functionality. Authenticated users can upload files to the mods/documents/uploads/ directory without any restriction on file type or extension. Because this directory is publicly accessible and lacks execution controls, attackers can upload a malicious PHP payload and execute it remotely. The application ships with default credentials, making exploitation trivial. Once authenticated, the attacker can upload a PHP shell and trigger it via a direct GET request. | ||||
| CVE-2025-5061 | 2 Vjinfotech, Wordpress | 2 Wp Import Export Lite, Wordpress | 2025-08-13 | 7.5 High |
| The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_parse_upload_data' function in all versions up to, and including, 3.9.29. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 3.9.29. | ||||
| CVE-2025-44139 | 1 Emlog | 1 Emlog | 2025-08-13 | 7.2 High |
| Emlog Pro V2.5.7 is vulnerable to Unrestricted Upload of File with Dangerous Type via /emlog/admin/plugin.php?action=upload_zip | ||||
| CVE-2025-8859 | 2 Code-projects, Fabianros | 2 Eblog Site, Eblog Site | 2025-08-13 | 6.3 Medium |
| A vulnerability was identified in code-projects eBlog Site 1.0. Affected by this vulnerability is an unknown functionality of the file /native/admin/save-slider.php of the component File Upload Module. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-6206 | 1 Coderevolution | 1 Aiomatic | 2025-08-13 | 7.5 High |
| The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aiomatic_image_editor_ajax_submit' function in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. In order to exploit the vulnerability, there must be a value entered for the Stability.AI API key. The value can be arbitrary. | ||||
| CVE-2025-33023 | 1 Siemens | 11 Ruggedcom Rox Mx5000, Ruggedcom Rox Mx5000re, Ruggedcom Rox Rx1400 and 8 more | 2025-08-12 | 4.1 Medium |
| A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions), RUGGEDCOM ROX MX5000RE (All versions), RUGGEDCOM ROX RX1400 (All versions), RUGGEDCOM ROX RX1500 (All versions), RUGGEDCOM ROX RX1501 (All versions), RUGGEDCOM ROX RX1510 (All versions), RUGGEDCOM ROX RX1511 (All versions), RUGGEDCOM ROX RX1512 (All versions), RUGGEDCOM ROX RX1524 (All versions), RUGGEDCOM ROX RX1536 (All versions), RUGGEDCOM ROX RX5000 (All versions). The affected devices do not properly enforce the restriction of files that can be uploaded from the web interface. This could allow an authenticated remote attacker with high privileges in the web interface to upload arbitrary files. | ||||