By weakness (CWE)
CWE-434: related vulnerabilities
CVEs classified under CWE-434. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
10 published vulnerabilities
- CVE-2018-25388HIGH 8.8
HaPe PKH 1.1 has a file upload security flaw that lets authenticated users upload and execute malicious files on servers running the software. An attacker with valid login credentials can bypass the application's file type checks and upload PHP scripts through several administrative interfaces, leading to arbitrary code execution. This is a post-authentication vulnerability, meaning the attacker must already have system access, but once inside, they can take full control of the affected server.
- CVE-2018-25409HIGH 8.8
SIM-PKH version 2.4.1 contains a file upload vulnerability that allows authenticated users to upload and execute malicious PHP code on the server. An attacker with valid credentials can exploit the file upload functionality to place executable scripts in a web-accessible directory, leading to complete compromise of the affected system. This is a post-authentication attack, meaning the attacker must first obtain legitimate access to the application.
- CVE-2026-30761HIGH 7.3
SourceBans Material Admin v1.1.6 contains a critical weakness in its image upload functionality that allows unauthenticated attackers to upload malicious files and execute arbitrary code on affected servers. An attacker can craft a specially designed image file that bypasses upload validation, leading to remote code execution without needing valid credentials or user interaction. This is a direct pathway to full system compromise.
- CVE-2026-39292HIGH 7.3
Falco Solutions PHPPageBuilder version 0.31.0 has a file upload vulnerability that lets attackers upload malicious files without proper checks. An attacker can exploit this to upload executable code and run commands on the affected server, potentially taking complete control of the web application.
- CVE-2026-10072HIGH 7.2
DreamMaker, a product developed by Interinfo, contains a vulnerability that allows attackers with privileged access to upload arbitrary files to the server. An attacker exploiting this flaw could upload malicious web shells, gaining the ability to execute code and maintain persistent access to the affected system. The vulnerability requires the attacker to have elevated credentials, but once leveraged, it provides complete control over server operations.
- CVE-2026-10172MEDIUM 6.3
Bdtask Multi-Store Inventory Management System version 1.0 contains a file upload vulnerability that allows authenticated users to upload arbitrary files to the server without validation. An attacker with valid login credentials can exploit this flaw to upload malicious files, potentially leading to remote code execution or other attacks. Public exploit code is available, increasing the risk of widespread exploitation.
- CVE-2026-10205MEDIUM 6.3
Metasoft MetaCRM version 6.4.0 contains an unrestricted file upload vulnerability in its logo upload functionality. An authenticated attacker can upload arbitrary files to the server, potentially leading to code execution or system compromise. The vulnerability affects a JSP file handling logo uploads and requires valid user credentials to exploit. Public exploit code exists for this issue.
- CVE-2026-10806MEDIUM 6.3
CVE-2026-10806 is a medium-severity file upload vulnerability in mjperpinosa stumasy affecting the add_post.php component. An authenticated attacker can manipulate the up_file_to_post parameter to upload files without proper restrictions, potentially allowing arbitrary file placement on the server. The vulnerability requires valid login credentials but can be exploited over the network. Exploit code has been publicly disclosed, increasing practical risk.
- CVE-2026-10807MEDIUM 6.3
A file upload vulnerability exists in mjperpinosa stumasy that allows authenticated users to upload files without proper validation. By manipulating the profile image upload parameter in the application's profile management component, an attacker with login credentials can bypass upload restrictions and place arbitrary files on the server. The vulnerability requires authentication but poses meaningful risk to confidentiality, integrity, and availability of the affected system.
- CVE-2026-42538MEDIUM 6.3
IRIS is a collaborative platform designed to help incident responders coordinate during security investigations by sharing technical findings. A file validation flaw in versions before 2.4.28 allows authenticated users to upload files without proper checks. This can enable attackers to host malicious content—such as phishing pages—directly within the platform, and also introduces a Cross-Site Scripting (XSS) vulnerability that could compromise other users' sessions or steal credentials when they interact with uploaded files.