Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-40425

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-16 Jul, 2024 | 00:00
Updated At-02 Aug, 2024 | 04:33
Rejected At-
Credits

File Upload vulnerability in Nanjin Xingyuantu Technology Co Sparkshop (Spark Mall B2C Mall v.1.1.6 and before allows a remote attacker to execute arbitrary code via the contorller/common.php component.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:16 Jul, 2024 | 00:00
Updated At:02 Aug, 2024 | 04:33
Rejected At:
▼CVE Numbering Authority (CNA)

File Upload vulnerability in Nanjin Xingyuantu Technology Co Sparkshop (Spark Mall B2C Mall v.1.1.6 and before allows a remote attacker to execute arbitrary code via the contorller/common.php component.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://gist.github.com/J1rrY-learn/26524d4714a81cf2d64583069e96f765
N/A
Hyperlink: https://gist.github.com/J1rrY-learn/26524d4714a81cf2d64583069e96f765
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
nanjing_xingyuantu_technology
Product
sparkshop
CPEs
  • cpe:2.3:a:nanjing_xingyuantu_technology:sparkshop:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 through 1.1.6 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-434CWE-434 Unrestricted Upload of File with Dangerous Type
Type: CWE
CWE ID: CWE-434
Description: CWE-434 Unrestricted Upload of File with Dangerous Type
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://gist.github.com/J1rrY-learn/26524d4714a81cf2d64583069e96f765
x_transferred
Hyperlink: https://gist.github.com/J1rrY-learn/26524d4714a81cf2d64583069e96f765
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:16 Jul, 2024 | 18:15
Updated At:28 Apr, 2025 | 14:46

File Upload vulnerability in Nanjin Xingyuantu Technology Co Sparkshop (Spark Mall B2C Mall v.1.1.6 and before allows a remote attacker to execute arbitrary code via the contorller/common.php component.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
sparkshop
sparkshop
>>sparkshop>>Versions before 1.1.7(exclusive)
cpe:2.3:a:sparkshop:sparkshop:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-434Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-434
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://gist.github.com/J1rrY-learn/26524d4714a81cf2d64583069e96f765cve@mitre.org
Broken Link
https://gist.github.com/J1rrY-learn/26524d4714a81cf2d64583069e96f765af854a3a-2127-422b-91ae-364da2661108
Broken Link
Hyperlink: https://gist.github.com/J1rrY-learn/26524d4714a81cf2d64583069e96f765
Source: cve@mitre.org
Resource:
Broken Link
Hyperlink: https://gist.github.com/J1rrY-learn/26524d4714a81cf2d64583069e96f765
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Broken Link

Change History

0
Information is not available yet

Similar CVEs

1189Records found
CVE-2022-44048
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 67.53%
||
7 Day CHG~0.00%
Published-07 Nov, 2022 | 00:00
Updated-05 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-urls for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-domains package. The affected version of d8s-htm is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-urlsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-55926
Matching Score-4
Assigner-Xerox Corporation
ShareView Details
Matching Score-4
Assigner-Xerox Corporation
CVSS Score-7.6||HIGH
EPSS-0.55% / 68.15%
||
7 Day CHG~0.00%
Published-23 Jan, 2025 | 17:12
Updated-28 Feb, 2026 | 01:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary file upload, deletion and read through header manipulation

A vulnerability found in Xerox Workplace Suite allows arbitrary file read, upload, and deletion on the server through crafted header manipulation. By exploiting improper validation of headers, attackers can gain unauthorized access to data

Action-Not Available
Vendor-Xerox Corporation
Product-workplace_suiteXerox Workplace Suite
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-44401
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 61.57%
||
7 Day CHG~0.00%
Published-28 Nov, 2022 | 00:00
Updated-29 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Online Tours & Travels Management System v1.0 contains an arbitrary file upload vulnerability via /tour/admin/file.php.

Action-Not Available
Vendor-n/amayuri_k
Product-online_tours_\&_travels_management_systemn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-57169
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.33% / 56.14%
||
7 Day CHG~0.00%
Published-18 Mar, 2025 | 00:00
Updated-02 Apr, 2025 | 12:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A file upload bypass vulnerability exists in SOPlanning 1.53.00, specifically in /process/upload.php. This vulnerability allows remote attackers to bypass upload restrictions and potentially achieve remote code execution by uploading malicious files.

Action-Not Available
Vendor-soplanningn/a
Product-soplanningn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-56975
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.88% / 75.53%
||
7 Day CHG~0.00%
Published-28 Mar, 2025 | 00:00
Updated-14 Apr, 2025 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

InvoicePlane (all versions tested as of December 2024) v.1.6.11 and before contains a remote code execution vulnerability in the upload_file method of the Upload controller.

Action-Not Available
Vendor-invoiceplanen/a
Product-invoiceplanen/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2014-8516
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-82.70% / 99.25%
||
7 Day CHG~0.00%
Published-03 Jan, 2020 | 20:08
Updated-06 Aug, 2024 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted file upload vulnerability in Visual Mining NetCharts Server allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors.

Action-Not Available
Vendor-cloudfastpathn/a
Product-netcharts_servern/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-4273
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-7.3||HIGH
EPSS-0.36% / 58.09%
||
7 Day CHG~0.00%
Published-03 Dec, 2022 | 00:00
Updated-03 Aug, 2024 | 01:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Human Resource Management System Content-Type employee.php unrestricted upload

A vulnerability, which was classified as critical, has been found in SourceCodester Human Resource Management System 1.0. This issue affects some unknown processing of the file /hrm/controller/employee.php of the component Content-Type Handler. The manipulation of the argument pfimg leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-214769 was assigned to this vulnerability.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-human_resource_management_systemHuman Resource Management Systemhuman_resource_management_system
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2014-8337
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.14% / 88.77%
||
7 Day CHG~0.00%
Published-03 Jan, 2020 | 20:00
Updated-06 Aug, 2024 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted file upload vulnerability in includes/classes/uploadify-v2.1.4/uploadify.php in HelpDEZk 1.0.1 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the directory specified by the folder parameter.

Action-Not Available
Vendor-helpdezkn/a
Product-helpdezkn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-4276
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.23% / 45.81%
||
7 Day CHG~0.00%
Published-03 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 13:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
House Rental System POST Request tenant-engine.php unrestricted upload

A vulnerability was found in House Rental System and classified as critical. Affected by this issue is some unknown functionality of the file tenant-engine.php of the component POST Request Handler. The manipulation of the argument id_photo leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-214772.

Action-Not Available
Vendor-house_rental_system_projectunspecified
Product-house_rental_systemHouse Rental System
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-43265
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.87% / 75.49%
||
7 Day CHG~0.00%
Published-15 Nov, 2022 | 00:00
Updated-30 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An arbitrary file upload vulnerability in the component /pages/save_user.php of Canteen Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

Action-Not Available
Vendor-n/amayuri_k
Product-canteen_management_systemn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-4328
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-69.27% / 98.67%
||
7 Day CHG-10.04%
Published-06 Mar, 2023 | 13:34
Updated-04 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WooCommerce Checkout Field Manager < 18.0 - Unauthenticated Arbitrary File Upload

The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server

Action-Not Available
Vendor-najeebmediaUnknown
Product-woocommerce_checkout_field_managerWooCommerce Checkout Field Manager
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-43303
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 67.53%
||
7 Day CHG~0.00%
Published-07 Nov, 2022 | 00:00
Updated-05 May, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-strings for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-uuids package. The affected version of d8s-htm is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-stringsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-4272
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.36% / 58.35%
||
7 Day CHG~0.00%
Published-03 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 13:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FeMiner wms unrestricted upload

A vulnerability, which was classified as critical, has been found in FeMiner wms. Affected by this issue is some unknown functionality of the file /product/savenewproduct.php?flag=1. The manipulation of the argument upfile leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-214760.

Action-Not Available
Vendor-warehouse_management_system_projectFeMiner
Product-warehouse_management_systemwms
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2019-15936
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 66.21%
||
7 Day CHG~0.00%
Published-12 Dec, 2019 | 13:42
Updated-05 Aug, 2024 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Intesync Solismed 3.3sp allows Insecure File Upload.

Action-Not Available
Vendor-intesyncn/a
Product-solismedn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-43305
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 67.53%
||
7 Day CHG~0.00%
Published-07 Nov, 2022 | 00:00
Updated-05 May, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-python for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-algorithms package. The affected version of d8s-htm is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-pythonn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-54918
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.17% / 90.00%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 00:00
Updated-14 Apr, 2025 | 15:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Kashipara E-learning Management System v1.0 is vulnerable to Remote Code Execution via File Upload in /teacher_avatar.php.

Action-Not Available
Vendor-lopalopan/a
Product-e-learning_management_systemn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-4232
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.7||MEDIUM
EPSS-0.32% / 54.70%
||
7 Day CHG~0.00%
Published-30 Nov, 2022 | 00:00
Updated-03 Aug, 2024 | 01:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Event Registration System unrestricted upload

A vulnerability, which was classified as critical, was found in SourceCodester Event Registration System 1.0. Affected is an unknown function. The manipulation of the argument cmd leads to unrestricted upload. It is possible to launch the attack remotely. VDB-214590 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-rinvizleSourceCodester
Product-event_registration_systemEvent Registration System
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-43304
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 67.53%
||
7 Day CHG~0.00%
Published-07 Nov, 2022 | 00:00
Updated-05 May, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-timer for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-uuids package. The affected version of d8s-htm is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-timern/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-42971
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-2.58% / 85.76%
||
7 Day CHG-0.77%
Published-01 Feb, 2023 | 00:00
Updated-05 Feb, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GS-01-22261)

Action-Not Available
Vendor-Microsoft CorporationSchneider Electric SE
Product-windows_server_2016apc_easy_ups_online_monitoring_softwareeasy_ups_online_monitoring_softwarewindows_7windows_11windows_10windows_server_2022windows_server_2019Schneider Electric Easy UPS Online Monitoring SoftwareAPC Easy UPS Online Monitoring Software
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-3891
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.08% / 23.96%
||
7 Day CHG~0.00%
Published-13 Mar, 2026 | 07:23
Updated-22 Apr, 2026 | 21:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pix for WooCommerce <= 1.5.0 - Unauthenticated Arbitrary File Upload

The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Action-Not Available
Vendor-linknacional
Product-Pix for WooCommerce
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-42698
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.84% / 74.96%
||
7 Day CHG~0.00%
Published-18 Nov, 2022 | 22:15
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Api2Cart Bridge Connector plugin <= 1.1.0 - Arbitrary File Upload vulnerability

Unauth. Arbitrary File Upload vulnerability in WordPress Api2Cart Bridge Connector plugin <= 1.1.0 on WordPress.

Action-Not Available
Vendor-api2cartAPI2Cart
Product-api2cart_bridge_connectorApi2Cart Bridge Connector (WordPress plugin)
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-43234
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.80% / 74.29%
||
7 Day CHG~0.00%
Published-16 Nov, 2022 | 00:00
Updated-30 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An arbitrary file upload vulnerability in the /attachments component of Hoosk v1.8 allows attackers to execute arbitrary code via a crafted PHP file.

Action-Not Available
Vendor-hooskn/a
Product-hooskn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-42443
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-2.2||LOW
EPSS-0.06% / 19.37%
||
7 Day CHG~0.00%
Published-17 Feb, 2024 | 16:10
Updated-22 Jan, 2025 | 17:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Trusteer for mobile file upload

An undisclosed issue in Trusteer iOS SDK for mobile versions prior to 5.7 and Trusteer Android SDK for mobile versions prior to 5.7 may allow uploading of files. IBM X-Force ID: 238535.

Action-Not Available
Vendor-IBM Corporation
Product-trusteer_ios_sdk_for_mobiletrusteer_android_sdk_for_mobileTrusteer iOS SDKTrusteer Android SDK
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-2849
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.08% / 23.21%
||
7 Day CHG~0.00%
Published-23 Mar, 2024 | 17:31
Updated-18 Feb, 2025 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Simple File Manager unrestricted upload

A vulnerability classified as critical was found in SourceCodester Simple File Manager 1.0. This vulnerability affects unknown code. The manipulation of the argument photo leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257770 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-ganeshrktSourceCodester
Product-simple_file_manager_web_appSimple File Managersimple_file_manager
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-55078
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.14% / 34.26%
||
7 Day CHG~0.00%
Published-03 Jan, 2025 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An arbitrary file upload vulnerability in the component /adminUser/updateImg of WukongCRM-11.0-JAVA v11.3.3 allows attackers to execute arbitrary code via uploading a crafted file.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-43074
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.80% / 74.29%
||
7 Day CHG~0.00%
Published-10 Nov, 2022 | 00:00
Updated-01 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

AyaCMS v3.1.2 was discovered to contain an arbitrary file upload vulnerability via the component /admin/fst_upload.inc.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Action-Not Available
Vendor-ayacms_projectn/a
Product-ayacmsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-41711
Matching Score-4
Assigner-Fluid Attacks
ShareView Details
Matching Score-4
Assigner-Fluid Attacks
CVSS Score-9.8||CRITICAL
EPSS-10.00% / 93.15%
||
7 Day CHG~0.00%
Published-25 Oct, 2022 | 00:00
Updated-07 May, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Badaso version 2.6.0 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.

Action-Not Available
Vendor-uatechn/a
Product-badasoBadaso
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-41380
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.87% / 75.46%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-20 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-yaml package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-yamln/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-41381
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.87% / 75.46%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-20 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-utility package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-utilityn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-42039
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 64.99%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-19 May, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-lists package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-dicts package. The affected version is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-listsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-41386
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 64.99%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-20 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-utility package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-utilityn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-42044
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 64.99%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-19 May, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-asns package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-html package. The affected version is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-asnsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-41705
Matching Score-4
Assigner-Fluid Attacks
ShareView Details
Matching Score-4
Assigner-Fluid Attacks
CVSS Score-9.8||CRITICAL
EPSS-5.95% / 90.75%
||
7 Day CHG~0.00%
Published-25 Nov, 2022 | 00:00
Updated-29 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Badaso version 2.6.3 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.

Action-Not Available
Vendor-uatechn/a
Product-badasoBadaso
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-42043
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 64.99%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-19 May, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-xml package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-html package. The affected version is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-xmln/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-41384
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 64.99%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-20 May, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-domains package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-domainsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-41217
Matching Score-4
Assigner-Dutch Institute for Vulnerability Disclosure (DIVD)
ShareView Details
Matching Score-4
Assigner-Dutch Institute for Vulnerability Disclosure (DIVD)
CVSS Score-9.8||CRITICAL
EPSS-0.67% / 71.60%
||
7 Day CHG~0.00%
Published-22 Feb, 2023 | 14:42
Updated-01 Apr, 2025 | 04:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cloudflow - Unauthenticated file upload vulnerability

Cloudflow contains a unauthenticated file upload vulnerability, which makes it possible for an attacker to upload malicious files to the CLOUDFLOW PROOFSCOPE built-in storage.

Action-Not Available
Vendor-hybridsoftwareHybrid Software
Product-cloudflowCloudflow
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-42154
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.80% / 74.29%
||
7 Day CHG~0.00%
Published-17 Oct, 2022 | 00:00
Updated-14 May, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An arbitrary file upload vulnerability in the component /apiadmin/upload/attach of 74cmsSE v3.13.0 allows attackers to execute arbitrary code via a crafted PHP file.

Action-Not Available
Vendor-74cmsn/a
Product-74cmssen/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-42037
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 64.99%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-20 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-asns package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-csv package. The affected version is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-asnsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-42040
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 64.99%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-19 May, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-algorithms package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-dicts package. The affected version is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-algorithmsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-41387
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 64.99%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-20 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-pdfs package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-pdfsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-41383
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 64.99%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-20 May, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-archives package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-archivesn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2020-35949
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-10||CRITICAL
EPSS-10.33% / 93.28%
||
7 Day CHG~0.00%
Published-01 Jan, 2021 | 03:27
Updated-04 Aug, 2024 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution. If a quiz question could be answered by uploading a file, only the Content-Type header was checked during the upload, and thus the attacker could use text/plain for a .php file.

Action-Not Available
Vendor-expresstechn/a
Product-quiz_and_survey_mastern/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-42036
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 64.99%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-03 Aug, 2024 | 12:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-urls package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-csv package. The affected version is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-urlsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-35047
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-0.36% / 58.31%
||
7 Day CHG~0.00%
Published-06 Apr, 2026 | 17:25
Updated-10 Apr, 2026 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Brave CMS has Unrestricted File Upload in BraveCMS via CKEditor Endpoint

Brave CMS is an open-source CMS. Prior to 2.0.6, an Unrestricted File Upload vulnerability in the CKEditor endpoint allows attackers to upload arbitrary files, including executable scripts. This may lead to Remote Code Execution (RCE) on the server, potentially resulting in full system compromise, data exfiltration, or service disruption. All users running affected versions of BraveCMS are impacted. This vulnerability is fixed in 2.0.6.

Action-Not Available
Vendor-ajax30Ajax30
Product-bravecmsBraveCMS-2.0
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-3535
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.14% / 33.35%
||
7 Day CHG-0.23%
Published-08 Apr, 2026 | 06:43
Updated-27 Apr, 2026 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DSGVO Google Web Fonts GDPR <= 1.1 - Unauthenticated Arbitrary File Upload via 'fonturl' Parameter

The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, and including, 1.1. The function is exposed via a `wp_ajax_nopriv_` hook, requiring no authentication. It fetches a user-supplied URL as a CSS file, extracts URLs from its content, and downloads those files to a publicly accessible directory without validating the file type. This makes it possible for unauthenticated attackers to upload arbitrary files including PHP webshells, leading to remote code execution. The exploit requires the site to use one of a handful of specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely).

Action-Not Available
Vendor-mlfactory
Product-DSGVO Google Web Fonts GDPR
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-42038
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 64.99%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-19 May, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-ip-addresses package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-csv package. The affected version is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-ip-addressesn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-41382
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.37% / 58.97%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-20 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-json package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0.

Action-Not Available
Vendor-democritusn/a
Product-d8s-jsonn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-41573
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-9.98% / 93.14%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Ovidentia 8.3. The file upload feature does not prevent the uploading of executable files. A user can upload a .png file containing PHP code and then rename it to have the .php extension. It will then be accessible at an images/common/ URI for remote code execution.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-40037
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.39% / 80.62%
||
7 Day CHG~0.00%
Published-24 Jan, 2023 | 00:00
Updated-02 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue discovered in Rawchen blog-ssm v1.0 allows remote attacker to escalate privileges and execute arbitrary commands via the component /upFile.

Action-Not Available
Vendor-javaweb_blog_projectn/a
Product-javaweb_blogn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-40432
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 62.91%
||
7 Day CHG~0.00%
Published-19 Sep, 2022 | 15:23
Updated-03 Aug, 2024 | 12:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The d8s-strings for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0.

Action-Not Available
Vendor-d8s-strings_projectn/a
Product-d8s-stringsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 23
  • 24
  • Next
Details not found