File-Upload

SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability (CVE-2018-25409) that allows authenticated attackers to upload malicious PHP files via the fupload parameter through the aksi_pengurus.php endpoint, leading to remote code execution.

Delta Sql version 1.8.2 contains an arbitrary file upload vulnerability (CVE-2018-25412) that allows unauthenticated attackers to upload malicious files via crafted POST requests, potentially leading to remote code execution.

CVE-2026-40412 is a critical vulnerability in Azure Orbital Spatio that allows an unauthenticated attacker to execute arbitrary code over a network by uploading a file with a dangerous type.

Redaxo CMS Mediapool Addon version 5.5.1 and older contains an arbitrary file upload vulnerability (CVE-2018-25353) that allows authenticated users to bypass file extension blacklist restrictions, leading to arbitrary code execution.

The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file upload (CVE-2026-6555) due to a validation mismatch, allowing unauthenticated attackers to upload malicious PHP files leading to remote code execution.

Budibase is vulnerable to persistent stored XSS (CVE-2026-46426) due to unrestricted file upload of active content by authenticated users, leading to potential session cookie theft and account takeover.

WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability (CVE-2018-25335) that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint, leading to potential code execution.

HS Brand Logo Slider version 2.1 contains an unrestricted file upload vulnerability (CVE-2020-37227) allowing authenticated users to bypass client-side validation and upload arbitrary files, leading to remote code execution by intercepting upload requests and renaming files to executable extensions.

WordPress WP Super Edit plugin version 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component, allowing unauthenticated attackers to upload arbitrary files leading to remote code execution and complete system compromise.

Vvveb before 1.0.8.3 is vulnerable to unrestricted file upload, allowing super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file containing PHP code which is then accessible via HTTP requests.

Heym before 0.0.21 is vulnerable to path traversal, allowing authenticated users to write attacker-controlled files to arbitrary locations by exploiting the unvalidated filename parameter in the upload_file() handler (CVE-2026-45225).

WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability (CVE-2021-47940) that allows unauthenticated attackers to upload malicious files by exploiting the AJAX fileupload action.

WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability, allowing unauthenticated attackers to upload malicious files via POST requests to the REST API, leading to remote code execution.

Snipe-IT versions prior to 8.4.1 are vulnerable to remote code execution due to insecure permissions on file uploads, where an attacker can upload arbitrary files and execute code on the server.

The Slider Revolution plugin for WordPress is vulnerable to arbitrary file upload due to insufficient file type validation, allowing authenticated attackers with subscriber-level access or higher to upload executable files, potentially leading to remote code execution.

An authenticated attacker with agent privileges can upload malicious files to Cisco Enterprise Chat and Email (ECE) via the Lite Agent feature, leading to potential browser-based attacks against other users.

The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, allowing unauthenticated attackers to upload arbitrary files leading to potential remote code execution.

Xerte Online Toolkits 3.15 and earlier contain an incomplete input validation vulnerability allowing unauthenticated attackers to upload malicious PHP code with a '.php4' extension, leading to arbitrary operating system command execution on the server.

An unauthenticated remote attacker can exploit an arbitrary file upload vulnerability (CVE-2026-6885) in Borg SPM 2007 to upload and execute web shell backdoors, leading to arbitrary code execution on the server.

A file upload validation bypass vulnerability exists in FlowiseAI, where the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type, enabling an attacker to upload .js files, store malicious Node.js web shells on the server, and potentially achieve Remote Code Execution (RCE).

Goshs is vulnerable to an authorization bypass (CVE-2026-40189) due to inconsistent enforcement of .goshs ACLs on state-changing routes, allowing an unauthenticated attacker to manipulate files within protected directories and bypass authentication barriers.

The Gerador de Certificados – DevApps WordPress plugin is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.

The Ninja Forms File Uploads plugin for WordPress is vulnerable to unauthenticated arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.

Brave CMS versions prior to 2.0.6 contain an unrestricted file upload vulnerability within the CKEditor upload functionality in the ckupload method, allowing authenticated users to upload executable PHP scripts and achieve Remote Code Execution.

phpBB is vulnerable to arbitrary file upload (CVE-2019-25685) by exploiting the plupload functionality and phar:// stream wrapper, allowing authenticated attackers to upload crafted zip files containing serialized PHP objects that execute arbitrary code via the imagick parameter.

CVE-2026-5573 allows remote attackers to perform unrestricted file uploads on Technostrobe HI-LED-WR120-G2 devices by manipulating the 'cwd' argument when interacting with the /fs file.

Authenticated users can upload malicious files to a ShareFile Storage Zones Controller server and execute them, leading to remote code execution, due to improper neutralization of special elements, code generation, and unrestricted file upload.

The 'POST /api/v2/files' endpoint is vulnerable to path traversal due to improper sanitization of the 'filename' parameter, potentially allowing attackers to write files to arbitrary locations on the filesystem and achieve remote code execution.

The code16/sharp Laravel admin panel package contains a vulnerability in its file upload endpoint that allows authenticated users to bypass all file type restrictions by manipulating the validation_rule parameter, potentially leading to Remote Code Execution (RCE) if the storage disk is configured to be publicly accessible.

PhreeBooks ERP 5.2.3 is vulnerable to arbitrary file upload in the Image Manager component, allowing authenticated attackers to upload malicious PHP files leading to remote code execution.

A remote, authenticated attacker can exploit an arbitrary file upload vulnerability in Census CSWeb 8.0.1 (CVE-2025-60947) to upload malicious files, potentially leading to remote code execution.

Open WebUI version 0.1.105 is vulnerable to arbitrary file upload and path traversal, allowing attackers to upload files to arbitrary locations on the web server's filesystem by exploiting a lack of filename validation.

The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.

An unrestricted file upload vulnerability in Vvveb versions before 1.0.8.2 allows authenticated users with media upload permissions to achieve remote code execution by uploading a .htaccess file to execute arbitrary PHP code via a .phtml file.

CVE-2026-7711 allows for remote, unrestricted file uploads in MindsDB up to version 26.01 due to insufficient validation in the `exec` function of `proc_wrapper.py`, potentially leading to code execution or data exfiltration.

Grav Form plugin versions before 9.1.0 allow unauthenticated users to overwrite page content by uploading a malicious markdown file, leading to potential privilege escalation by crafting a new super-admin user.

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to 1.1.3, allowing unauthenticated attackers to upload arbitrary PHP files by manipulating the file type parameter and exploiting extension sanitization vulnerabilities.

Weaver E-office versions prior to 10.0_20221201 are vulnerable to unauthenticated arbitrary file upload in the OfficeServer.php endpoint, allowing attackers to upload PHP webshells and achieve remote code execution.

CVE-2020-14008 is an unrestricted file upload vulnerability in Zoho ManageEngine Applications Manager that allows an authenticated attacker to upload a malicious JAR file containing a reverse shell to achieve remote code execution.