Total
2997 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-27428 | 1 Ge | 38 Multilin B30, Multilin B30 Firmware, Multilin B90 and 35 more | 2025-04-16 | 9.8 Critical |
| GE UR IED firmware versions prior to version 8.1x supports upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before uploading the UR IED. An illegitimate user could upgrade firmware without appropriate privileges. The weakness is assessed, and mitigation is implemented in firmware Version 8.10. | ||||
| CVE-2021-32961 | 1 Auvesy-mdt | 2 Autosave, Autosave For System Platform | 2025-04-16 | 7.5 High |
| A getfile function in MDT AutoSave versions prior to v6.02.06 enables a user to supply an optional parameter, resulting in the processing of a request in a special manner. This can result in the execution of an unzip command and place a malicious .exe file in one of the locations the function looks for and get execution capabilities. | ||||
| CVE-2021-43934 | 1 Smartptt | 1 Smartptt Scada | 2025-04-16 | 9.8 Critical |
| Elcomplus SmartPTT is vulnerable as the backup and restore system does not adequately validate upload requests, enabling a malicious user to potentially upload arbitrary files. | ||||
| CVE-2021-33009 | 1 Myscada | 1 Mypro | 2025-04-16 | 7.5 High |
| mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to the file system. | ||||
| CVE-2022-1519 | 1 Illumina | 8 Iseq 100, Local Run Manager, Miniseq and 5 more | 2025-04-16 | 10 Critical |
| LRM does not restrict the types of files that can be uploaded to the affected product. A malicious actor can upload any file type, including executable code that allows for a remote code exploit. | ||||
| CVE-2022-2102 | 1 Secheron | 2 Sepcos Control And Protection Relay, Sepcos Control And Protection Relay Firmware | 2025-04-16 | 9.4 Critical |
| Controls limiting uploads to certain file extensions may be bypassed. This could allow an attacker to intercept the initial file upload page response and modify the associated code. This modified code can be forwarded and used by a script loaded later in the sequence, allowing for arbitrary file upload into a location where PHP scripts may be executed. | ||||
| CVE-2022-0517 | 1 Mozilla | 1 Vpn | 2025-04-16 | 7.8 High |
| Mozilla VPN can load an OpenSSL configuration file from an unsecured directory. A user or attacker with limited privileges could leverage this to launch arbitrary code with SYSTEM privilege. This vulnerability affects Mozilla VPN < 2.7.1. | ||||
| CVE-2021-38397 | 1 Honeywell | 8 Application Control Environment, Application Control Environment Firmware, C200 and 5 more | 2025-04-16 | 10 Critical |
| Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition. | ||||
| CVE-2022-2791 | 1 Emerson | 1 Proficy | 2025-04-16 | 5.9 Medium |
| Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-434 Unrestricted Upload of File with Dangerous Type, and will upload any file written into the PLC logic folder to the connected PLC. | ||||
| CVE-2024-1986 | 2 Booster, Pluggabl | 2 Booster For Woocommerce, Booster Elite For Woocommerce | 2025-04-16 | 8.8 High |
| The Booster Elite for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wc_add_new_product() function in all versions up to, and including, 7.1.7. This makes it possible for customer-level attackers, and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable when the user product upload functionality is enabled. | ||||
| CVE-2023-42286 | 1 Eyoucms | 1 Eyoucms | 2025-04-16 | 9.8 Critical |
| There is a PHP file inclusion vulnerability in the template configuration of eyoucms v1.6.4, allowing attackers to execute code or system commands through a carefully crafted malicious payload. | ||||
| CVE-2020-29607 | 1 Pluck-cms | 1 Pluck | 2025-04-16 | 7.2 High |
| A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access in the host through the "manage files" functionality, which may result in remote code execution. | ||||
| CVE-2020-20969 | 1 Pluck-cms | 1 Pluck | 2025-04-16 | 7.2 High |
| File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php file. | ||||
| CVE-2025-39557 | 2025-04-16 | 9.1 Critical | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Ben Ritner - Kadence WP Kadence WooCommerce Email Designer allows Upload a Web Shell to a Web Server. This issue affects Kadence WooCommerce Email Designer: from n/a through 1.5.14. | ||||
| CVE-2025-1980 | 2025-04-16 | N/A | ||
| The Ready_ application's Profile section allows users to upload files of any type and extension without restriction. If the server is misconfigured, as it was by default when installed at the turn of 2021 and 2022, it can result in Remote Code Execution. Refer to the Required Configuration for Exposure section for more information. | ||||
| CVE-2025-26927 | 2025-04-16 | 10 Critical | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in EPC AI Hub allows Upload a Web Shell to a Web Server. This issue affects AI Hub: from n/a through 1.3.3. | ||||
| CVE-2025-39538 | 2025-04-16 | 6.6 Medium | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Mathieu Chartier WP-Advanced-Search allows Upload a Web Shell to a Web Server. This issue affects WP-Advanced-Search: from n/a through 3.3.9.3. | ||||
| CVE-2025-0722 | 1 Needyamin | 1 Image Gallery Management System | 2025-04-16 | 4.7 Medium |
| A vulnerability classified as critical was found in needyamin image_gallery 1.0. This vulnerability affects unknown code of the file /admin/gallery.php of the component Cover Image Handler. The manipulation of the argument image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-27683 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-04-15 | 8.8 High |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 1.0.735 Application 20.0.1330 allows Driver Unrestricted Upload of File with Dangerous Type V-2022-006. | ||||
| CVE-2022-21809 | 1 Inhandnetworks | 2 Inrouter302, Inrouter302 Firmware | 2025-04-15 | 8.1 High |
| A file write vulnerability exists in the httpd upload.cgi functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can upload a malicious file to trigger this vulnerability. | ||||