CVEbaza.plCWE DictionaryCWE-434
Common Weakness Enumeration

CWE-434

Unrestricted Upload of File with Dangerous Type

Category: BaseCVE: 4,987
Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVE vulnerabilities with CWE-434 (4,987)
10.0
CVSS
CRITICAL
CVE-2026-48276

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

pub. 2026-06-30
10.0
CVSS
CRITICAL
CVE-2026-48283

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

pub. 2026-06-30
10.0
CVSS
CRITICAL
CVE-2026-56290

The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.

pub. 2026-06-29
10.0
CVSS
CRITICAL
CVE-2026-57700

Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This issue affects OMGF Pro: from n/a through 5.2.6.

pub. 2026-06-25
10.0
CVSS
CRITICAL
CVE-2026-48908

A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.

pub. 2026-06-20
10.0
CVSS
CRITICAL
CVE-2026-48939

A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.

pub. 2026-06-20
10.0
CVSS
CRITICAL
CVE-2026-40772

Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.

pub. 2026-06-15
10.0
CVSS
CRITICAL
CVE-2026-40412

Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code over a network.

pub. 2026-05-22
10.0
CVSS
CRITICAL
CVE-2026-45444

Unrestricted Upload of File with Dangerous Type vulnerability in WP Swings Gift Cards For WooCommerce Pro allows Using Malicious Files. This issue affects Gift Cards For WooCommerce Pro: from n/a through 4.2.6.

pub. 2026-05-20
10.0
CVSS
CRITICAL
CVE-2026-21628

A improperly secured file management feature allows uploads of dangerous data types for unauthenticated users, leading to remote code execution.

pub. 2026-03-05
10.0
CVSS
CRITICAL
CVE-2026-2743

Arbitrary File Write via Path Traversal upload to Remote Code Execution in SeppMail User Web Interface. The affected feature is the large file transfer (LFT). This issue affects SeppMail: 15.0.2.1 and before

pub. 2026-03-05
10.0
CVSS
CRITICAL
CVE-2026-28289

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.

pub. 2026-03-03
10.0
CVSS
CRITICAL
CVE-2026-24729

An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file.

pub. 2026-01-30
10.0
CVSS
CRITICAL
CVE-2026-24897

Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue.

pub. 2026-01-28
10.0
CVSS
CRITICAL
CVE-2026-24815

Unrestricted Upload of File with Dangerous Type, Deserialization of Untrusted Data vulnerability in datavane tis (tis-plugin/src/main/java/com/qlangtech/tis/extension/impl modules). This vulnerability is associated with program files XmlFile.Java. This issue affects tis: before v4.3.0.

pub. 2026-01-27
10.0
CVSS
CRITICAL
CVE-2025-50002

Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia energia allows Upload a Web Shell to a Web Server.This issue affects Energia: from n/a through <= 1.1.2.

pub. 2026-01-22
10.0
CVSS
CRITICAL
CVE-2025-68001

Unrestricted Upload of File with Dangerous Type vulnerability in garidium g-FFL Checkout g-ffl-checkout allows Upload a Web Shell to a Web Server.This issue affects g-FFL Checkout: from n/a through <= 2.1.0.

pub. 2026-01-22
10.0
CVSS
CRITICAL
CVE-2025-69828

File Upload vulnerability in TMS Global Software TMS Management Console v.6.3.7.27386.20250818 allows a remote attacker to execute arbitrary code via the Logo upload in /Customer/AddEdit

pub. 2026-01-22
10.0
CVSS
CRITICAL
CVE-2025-52691

Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.

pub. 2025-12-29🚩 CISA KEV⚡ EXPLOIT
10.0
CVSS
CRITICAL
CVE-2025-67288

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself, a related issue to CVE-2023-49279.

pub. 2025-12-22
Showing 20 of 4,987 vulnerabilities
Information
ID: CWE-434
Type: Base
Vulnerabilities: 4,987
MITRE CWE ↗
← CWE Dictionary