Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-54448

Summary
Assigner-samsung.tv_appliance
Assigner Org ID-ca193ba2-0cff-4e34-b04e-1ea07103c6fe
Published At-23 Jul, 2025 | 05:31
Updated At-26 Feb, 2026 | 17:50
Rejected At-
Credits

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:samsung.tv_appliance
Assigner Org ID:ca193ba2-0cff-4e34-b04e-1ea07103c6fe
Published At:23 Jul, 2025 | 05:31
Updated At:26 Feb, 2026 | 17:50
Rejected At:
▼CVE Numbering Authority (CNA)

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Affected Products
Vendor
Samsung ElectronicsSamsung Electronics
Product
MagicINFO 9 Server
Default Status
unaffected
Versions
Affected
  • 21.1080.0
Problem Types
TypeCWE IDDescription
CWECWE-434CWE-434 Unrestricted Upload of File with Dangerous Type
Type: CWE
CWE ID: CWE-434
Description: CWE-434 Unrestricted Upload of File with Dangerous Type
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-242CAPEC-242 Code Injection
CAPEC ID: CAPEC-242
Description: CAPEC-242 Code Injection
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://security.samsungtv.com/securityUpdates
N/A
Hyperlink: https://security.samsungtv.com/securityUpdates
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:PSIRT@samsung.com
Published At:23 Jul, 2025 | 06:15
Updated At:23 Jul, 2025 | 06:15

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-434SecondaryPSIRT@samsung.com
CWE ID: CWE-434
Type: Secondary
Source: PSIRT@samsung.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://security.samsungtv.com/securityUpdatesPSIRT@samsung.com
N/A
Hyperlink: https://security.samsungtv.com/securityUpdates
Source: PSIRT@samsung.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1218Records found

CVE-2025-54444
Matching Score-10
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-10
Assigner-Samsung TV & Appliance
CVSS Score-9.8||CRITICAL
EPSS-0.60% / 44.24%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:35
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-54449
Matching Score-10
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-10
Assigner-Samsung TV & Appliance
CVSS Score-9.8||CRITICAL
EPSS-0.61% / 44.82%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:27
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-54442
Matching Score-10
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-10
Assigner-Samsung TV & Appliance
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 37.48%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:34
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-25200
Matching Score-10
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-10
Assigner-Samsung TV & Appliance
CVSS Score-9.8||CRITICAL
EPSS-0.49% / 38.80%
||
7 Day CHG~0.00%
Published-02 Feb, 2026 | 04:49
Updated-10 Mar, 2026 | 18:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover This issue affects MagicINFO 9 Server: less than 21.1090.1.

Action-Not Available
Vendor-SamsungSamsung Electronics
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-54440
Matching Score-10
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-10
Assigner-Samsung TV & Appliance
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 39.22%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:33
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-7399
Matching Score-10
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-10
Assigner-Samsung TV & Appliance
CVSS Score-8.8||HIGH
EPSS-91.94% / 99.81%
||
7 Day CHG~0.00%
Published-09 Aug, 2024 | 04:43
Updated-25 Apr, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2026-05-08||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority.

Action-Not Available
Vendor-SamsungSamsung Electronics
Product-magicinfo_9_serverMagicINFO 9 ServerMagicINFO 9 Server
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-54454
Matching Score-8
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-8
Assigner-Samsung TV & Appliance
CVSS Score-9.1||CRITICAL
EPSS-0.54% / 41.58%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:26
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Use of Hard-coded Credentials vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2025-54445
Matching Score-8
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-8
Assigner-Samsung TV & Appliance
CVSS Score-8.2||HIGH
EPSS-9.22% / 94.73%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:31
Updated-15 Aug, 2025 | 14:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Restriction of XML External Entity Reference vulnerability in Samsung Electronics MagicINFO 9 Server allows Server Side Request Forgery.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Action-Not Available
Vendor-SamsungSamsung Electronics
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-54446
Matching Score-8
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-8
Assigner-Samsung TV & Appliance
CVSS Score-9.8||CRITICAL
EPSS-0.62% / 45.16%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:32
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server.This issue affects MagicINFO 9 Server: less than 21.1080.0

Action-Not Available
Vendor-Samsung Electronics
Product-MagicINFO 9 Server
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-54451
Matching Score-8
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-8
Assigner-Samsung TV & Appliance
CVSS Score-9.8||CRITICAL
EPSS-0.65% / 46.44%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:29
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Control of Generation of Code ('Code Injection') vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Action-Not Available
Vendor-Samsung Electronics
Product-MagicINFO 9 Server
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-53078
Matching Score-8
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-8
Assigner-Samsung TV & Appliance
CVSS Score-8||HIGH
EPSS-0.38% / 30.41%
||
7 Day CHG+0.02%
Published-29 Jul, 2025 | 05:04
Updated-11 Aug, 2025 | 19:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of Untrusted Data in Samsung DMS(Data Management Server) allows attackers to execute arbitrary code via write file to system

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-data_management_server_firmwaredata_management_serverData Management Server
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-4632
Matching Score-8
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-8
Assigner-Samsung TV & Appliance
CVSS Score-9.8||CRITICAL
EPSS-23.95% / 97.56%
||
7 Day CHG~0.00%
Published-13 May, 2025 | 05:19
Updated-26 Feb, 2026 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-06-12||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary file as system authority.

Action-Not Available
Vendor-SamsungSamsung Electronics
Product-magicinfo_9_serverMagicINFO 9 ServerMagicINFO 9 Server
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-25202
Matching Score-8
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-8
Assigner-Samsung TV & Appliance
CVSS Score-9.8||CRITICAL
EPSS-0.44% / 35.12%
||
7 Day CHG~0.00%
Published-02 Feb, 2026 | 04:49
Updated-10 Mar, 2026 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The database account and password are hardcoded, allowing login with the account to manipulate the database in MagicInfo9 Server.This issue affects MagicINFO 9 Server: less than 21.1090.1.

Action-Not Available
Vendor-SamsungSamsung Electronics
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2025-54450
Matching Score-8
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-8
Assigner-Samsung TV & Appliance
CVSS Score-7.2||HIGH
EPSS-0.59% / 43.85%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:28
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-54455
Matching Score-8
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-8
Assigner-Samsung TV & Appliance
CVSS Score-9.1||CRITICAL
EPSS-0.55% / 42.18%
||
7 Day CHG-0.01%
Published-23 Jul, 2025 | 05:27
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Use of Hard-coded Credentials vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2025-54438
Matching Score-8
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-8
Assigner-Samsung TV & Appliance
CVSS Score-9.8||CRITICAL
EPSS-0.61% / 44.88%
||
7 Day CHG-0.01%
Published-23 Jul, 2025 | 05:36
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server.This issue affects MagicINFO 9 Server: less than 21.1080.0

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-54443
Matching Score-8
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-8
Assigner-Samsung TV & Appliance
CVSS Score-9.8||CRITICAL
EPSS-0.57% / 43.21%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:34
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server.This issue affects MagicINFO 9 Server: less than 21.1080.0

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-25201
Matching Score-6
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-6
Assigner-Samsung TV & Appliance
CVSS Score-8.8||HIGH
EPSS-0.40% / 31.75%
||
7 Day CHG~0.00%
Published-02 Feb, 2026 | 04:49
Updated-10 Mar, 2026 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1.

Action-Not Available
Vendor-SamsungSamsung Electronics
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-54439
Matching Score-6
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-6
Assigner-Samsung TV & Appliance
CVSS Score-8.8||HIGH
EPSS-6.86% / 93.27%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:36
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-54447
Matching Score-6
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-6
Assigner-Samsung TV & Appliance
CVSS Score-8.1||HIGH
EPSS-0.46% / 36.94%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:32
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Action-Not Available
Vendor-Samsung Electronics
Product-MagicINFO 9 Server
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-54441
Matching Score-6
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-6
Assigner-Samsung TV & Appliance
CVSS Score-8.8||HIGH
EPSS-7.39% / 93.67%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:33
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-29974
Matching Score-4
Assigner-Zyxel Corporation
ShareView Details
Matching Score-4
Assigner-Zyxel Corporation
CVSS Score-9.8||CRITICAL
EPSS-22.78% / 97.45%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 01:34
Updated-22 Jan, 2025 | 22:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

** UNSUPPORTED WHEN ASSIGNED ** The remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.

Action-Not Available
Vendor-Zyxel Networks Corporation
Product-nas542nas326_firmwarenas326nas542_firmwareNAS542 firmwareNAS326 firmwarenas542_firmwarenas326_firmware
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2016-10954
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.23% / 80.56%
||
7 Day CHG~0.00%
Published-13 Sep, 2019 | 12:16
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Neosense theme before 1.8 for WordPress has qquploader unrestricted file upload.

Action-Not Available
Vendor-dynamicpressn/a
Product-neosensen/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-31012
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.16% / 63.20%
||
7 Day CHG~0.00%
Published-03 Apr, 2024 | 00:00
Updated-04 Apr, 2025 | 15:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in SEMCMS v.4.8, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the upload.php file.

Action-Not Available
Vendor-sem-cmsn/asem-cms
Product-semcmsn/asemcms
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2016-10955
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.43% / 82.26%
||
7 Day CHG~0.00%
Published-13 Sep, 2019 | 12:17
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The cysteme-finder plugin before 1.4 for WordPress has unrestricted file upload because of incorrect session tracking.

Action-Not Available
Vendor-cystemen/a
Product-cysteme-findern/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-29661
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.67% / 47.63%
||
7 Day CHG~0.00%
Published-22 Apr, 2024 | 00:00
Updated-01 Apr, 2025 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A File Upload vulnerability in DedeCMS v5.7 allows a local attacker to execute arbitrary code via a crafted payload.

Action-Not Available
Vendor-n/aDedeCMS
Product-dedecmsn/adedecms
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-28441
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.23% / 65.39%
||
7 Day CHG~0.00%
Published-22 Mar, 2024 | 00:00
Updated-17 Jun, 2025 | 14:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

File Upload vulnerability in magicflue v.7.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the messageid parameter of the mail/mailupdate.jsp endpoint.

Action-Not Available
Vendor-magicfluen/amagicflu
Product-magicfluen/amagicflu
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-29859
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.82% / 52.62%
||
7 Day CHG~0.00%
Published-21 Mar, 2024 | 00:00
Updated-22 Jun, 2026 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.

Action-Not Available
Vendor-misp-projectn/amisp
Product-mispn/amisp
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2016-11020
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.88% / 85.16%
||
7 Day CHG~0.00%
Published-24 Feb, 2020 | 17:04
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Kunena before 5.0.4 does not restrict avatar file extensions to gif, jpeg, jpg, and png. This can lead to XSS and remote code execution.

Action-Not Available
Vendor-kunenan/a
Product-kunenan/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-27903
Matching Score-4
Assigner-OpenVPN Inc.
ShareView Details
Matching Score-4
Assigner-OpenVPN Inc.
CVSS Score-7.2||HIGH
EPSS-8.92% / 94.61%
||
7 Day CHG~0.00%
Published-08 Jul, 2024 | 10:27
Updated-23 Aug, 2024 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service.

Action-Not Available
Vendor-openvpnOpenVPNopenvpn
Product-openvpnOpenVPN 2openvpn2
CWE ID-CWE-283
Unverified Ownership
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2019-20451
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-7.72% / 93.89%
||
7 Day CHG+0.19%
Published-10 Feb, 2020 | 14:39
Updated-05 Aug, 2024 | 02:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The HTTP API in Prismview System 9 11.10.17.00 and Prismview Player 11 13.09.1100 allows remote code execution by uploading RebootSystem.lnk and requesting /REBOOTSYSTEM or /RESTARTVNC. (Authentication is required but an XML file containing credentials can be downloaded.)

Action-Not Available
Vendor-n/aSamsung
Product-prismview_system_9prismview_player_11n/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2020-21787
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.85% / 76.46%
||
7 Day CHG~0.00%
Published-24 Jun, 2021 | 14:51
Updated-04 Aug, 2024 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CRMEB 3.1.0+ is vulnerable to File Upload Getshell via /crmeb/crmeb/services/UploadService.php.

Action-Not Available
Vendor-crmebn/a
Product-crmebn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2018-1000544
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.50% / 90.33%
||
7 Day CHG~0.00%
Published-26 Jun, 2018 | 16:00
Updated-05 Aug, 2024 | 12:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. This attack appear to be exploitable via If a site allows uploading of .zip files , an attacker can upload a malicious file that contains symlinks or files with absolute pathnames "../" to write arbitrary files to the filesystem..

Action-Not Available
Vendor-rubyzip_projectn/aDebian GNU/LinuxRed Hat, Inc.
Product-rubyzipdebian_linuxcloudformsn/a
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-27480
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.33% / 25.29%
||
7 Day CHG~0.00%
Published-29 Dec, 2025 | 00:00
Updated-02 Jan, 2026 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

givanz VvvebJs 1.7.2 is vulnerable to Insecure File Upload.

Action-Not Available
Vendor-vvvebn/a
Product-vvvebjsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-25020
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.27% / 19.28%
||
7 Day CHG+0.01%
Published-03 Dec, 2024 | 17:12
Updated-11 Dec, 2024 | 03:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Cognos Controller file upload

IBM Cognos Controller 11.0.0 and 11.0.1 is vulnerable to malicious file upload by allowing unrestricted filetype attachments in the Journal entry page. Attackers can make use of this weakness and upload malicious executable files into the system and can be sent to victims for performing further attacks.

Action-Not Available
Vendor-IBM Corporation
Product-cognos_controllerCognos Controller
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-25802
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.56% / 42.58%
||
7 Day CHG~0.00%
Published-22 Feb, 2024 | 00:00
Updated-14 Feb, 2025 | 16:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SKINsoft S-Museum 7.02.3 allows Unrestricted File Upload via the Add Media function. Unlike in CVE-2024-25801, the attack payload is the file content.

Action-Not Available
Vendor-skinsoftn/askinsoft
Product-s-museumn/as-museum
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-25925
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-10||CRITICAL
EPSS-0.63% / 45.76%
||
7 Day CHG~0.00%
Published-26 Feb, 2024 | 15:09
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce Easy Checkout Field Editor, Fees & Discounts Plugin <= 3.5.12 is vulnerable to Arbitrary File Upload

Unrestricted Upload of File with Dangerous Type vulnerability in SYSBASICS WooCommerce Easy Checkout Field Editor, Fees & Discounts.This issue affects WooCommerce Easy Checkout Field Editor, Fees & Discounts: from n/a through 3.5.12.

Action-Not Available
Vendor-sysbasicsSYSBASICSsysbasics
Product-easy_checkout_field_editorWooCommerce Easy Checkout Field Editor, Fees & Discountswoocommerce_easy_checkout_field_editor
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-25414
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.61% / 72.96%
||
7 Day CHG~0.00%
Published-16 Feb, 2024 | 00:00
Updated-14 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An arbitrary file upload vulnerability in /admin/upgrade of CSZ CMS v1.3.0 allows attackers to execute arbitrary code via uploading a crafted Zip file.

Action-Not Available
Vendor-cszcmsn/acszcms
Product-csz_cmsn/acszcms
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2015-9499
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-14.77% / 96.27%
||
7 Day CHG~0.00%
Published-22 Oct, 2019 | 20:45
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive.

Action-Not Available
Vendor-themepunchn/a
Product-showbiz_pron/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2015-9479
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.77% / 84.59%
||
7 Day CHG~0.00%
Published-10 Oct, 2019 | 16:20
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ACF-Frontend-Display plugin through 2015-07-03 for WordPress has arbitrary file upload via an action=upload request to js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php.

Action-Not Available
Vendor-advancedcustomfieldsn/a
Product-acf_fronted_displayn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-7852
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-9.8||CRITICAL
EPSS-0.36% / 27.79%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 11:36
Updated-11 Jun, 2026 | 15:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unrestricted File Upload in Limatek's LimRAD NAC

Unrestricted upload of file with dangerous type vulnerability in Limatek System Inc. LimRAD NAC allows Remote Code Inclusion. This issue affects LimRAD NAC: before 5.5.7.3.9.

Action-Not Available
Vendor-Limatek System Inc.
Product-LimRAD NAC
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2020-20287
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.83% / 84.87%
||
7 Day CHG~0.00%
Published-01 Feb, 2021 | 17:38
Updated-04 Aug, 2024 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted file upload vulnerability in the yccms 3.3 project. The xhUp function's improper judgment of the request parameters, triggers remote code execution.

Action-Not Available
Vendor-yccmsn/a
Product-yccmsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-2406
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.4||MEDIUM
EPSS-0.62% / 45.34%
||
7 Day CHG~0.00%
Published-12 Mar, 2024 | 20:31
Updated-22 Jan, 2025 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gacjie Server Upload.php index unrestricted upload

A vulnerability, which was classified as critical, was found in Gacjie Server up to 1.0. This affects the function index of the file /app/admin/controller/Upload.php. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256503.

Action-Not Available
Vendor-gacjie_server_projectGacjie
Product-gacjie_serverServer
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-6885
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.50% / 39.01%
||
7 Day CHG~0.00%
Published-23 Apr, 2026 | 09:05
Updated-19 May, 2026 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BorG Technology Corporation|Borg SPM 2007 - Arbitrary File Upload

Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

Action-Not Available
Vendor-BorG Technology Corporation
Product-Borg SPM 2007
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-6960
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.67% / 47.54%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 21:27
Updated-22 May, 2026 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BookingPress Pro <= 5.6 - Unauthenticated Arbitrary File Upload via Signature Custom Field

The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a signature custom field is added to the booking form.

Action-Not Available
Vendor-Repute Infosystems
Product-BookingPress Appointment Booking Pro
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-6555
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.98% / 57.85%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 01:25
Updated-23 Jun, 2026 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ProSolution WP Client <= 2.0.0 - Unauthenticated Arbitrary File Upload via 'files'

The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and uploaded to a web-accessible directory. This makes it possible for unauthenticated attackers to upload malicious PHP files and achieve remote code execution by sending a valid first file followed by a malicious file.

Action-Not Available
Vendor-prosolution
Product-ProSolution WP Client
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-6271
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.66% / 47.25%
||
7 Day CHG~0.00%
Published-14 May, 2026 | 06:44
Updated-14 May, 2026 | 14:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Career Section <= 1.7 - Unauthenticated Arbitrary File Upload

The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible.

Action-Not Available
Vendor-shahinurislam
Product-Career Section
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2019-19634
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.15% / 89.62%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 17:11
Updated-26 Jun, 2026 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.

Action-Not Available
Vendor-verot_projectjoomlaworksn/a
Product-verotk2n/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2019-18952
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-45.36% / 98.64%
||
7 Day CHG~0.00%
Published-13 Nov, 2019 | 22:38
Updated-05 Aug, 2024 | 02:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SibSoft Xfilesharing through 2.5.1 allows cgi-bin/up.cgi arbitrary file upload. This can be combined with CVE-2019-18951 to achieve remote code execution via a .html file, containing short codes, that is served over HTTP.

Action-Not Available
Vendor-sibsoftn/a
Product-xfilesharingn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2019-19576
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-26.18% / 97.74%
||
7 Day CHG~0.00%
Published-04 Dec, 2019 | 17:33
Updated-26 Jun, 2026 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.

Action-Not Available
Vendor-verot_projectjoomlaworksn/a
Product-verotk2n/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 24
  • 25
  • Next
Details not found