Common Weakness Enumeration

CWE-434

Allowed

Unrestricted Upload of File with Dangerous Type

Abstraction: Base · Status: Draft

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

5969 vulnerabilities reference this CWE, most recent first.

CVE-2025-58963 (GCVE-0-2025-58963)

Vulnerability from cvelistv5 – Published: 2025-10-22 14:32 – Updated: 2026-04-28 16:13
VLAI
Title
WordPress Medcity theme < 1.1.9 - Arbitrary File Upload vulnerability
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in 7oroof Medcity medcity allows Upload a Web Shell to a Web Server.This issue affects Medcity: from n/a through < 1.1.9.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
Vendor Product Version
7oroof Medcity Affected: 0 , ≤ 1.1.9 (custom)
Create a notification for this product.
Date Public
2026-04-22 14:25
Credits
Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58963",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-27T19:19:41.816334Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-27T19:19:44.463Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "medcity",
          "product": "Medcity",
          "vendor": "7oroof",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.1.9",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.1.9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-22T14:25:50.875Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Unrestricted Upload of File with Dangerous Type vulnerability in 7oroof Medcity medcity allows Upload a Web Shell to a Web Server.\u003cp\u003eThis issue affects Medcity: from n/a through \u003c 1.1.9.\u003c/p\u003e"
            }
          ],
          "value": "Unrestricted Upload of File with Dangerous Type vulnerability in 7oroof Medcity medcity allows Upload a Web Shell to a Web Server.This issue affects Medcity: from n/a through \u003c 1.1.9."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-650",
          "descriptions": [
            {
              "lang": "en",
              "value": "Upload a Web Shell to a Web Server"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:13:50.417Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Theme/medcity/vulnerability/wordpress-medcity-theme-1-1-9-arbitrary-file-upload-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Medcity theme \u003c 1.1.9 - Arbitrary File Upload vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-58963",
    "datePublished": "2025-10-22T14:32:35.581Z",
    "dateReserved": "2025-09-06T04:45:10.578Z",
    "dateUpdated": "2026-04-28T16:13:50.417Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-58819 (GCVE-0-2025-58819)

Vulnerability from cvelistv5 – Published: 2025-09-05 13:45 – Updated: 2026-05-12 00:51
VLAI
Title
WordPress Bulk Featured Image plugin <= 1.2.4 - Arbitrary File Upload vulnerability
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image bulk-featured-image allows Upload a Web Shell to a Web Server.This issue affects Bulk Featured Image: from n/a through <= 1.2.4.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
Vendor Product Version
CreedAlly Bulk Featured Image Affected: 0 , ≤ 1.2.4 (custom)
Create a notification for this product.
Date Public
2026-04-01 16:43
Credits
Nabil Irawan | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58819",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-05T15:47:16.784099Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T00:51:33.490Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "bulk-featured-image",
          "product": "Bulk Featured Image",
          "vendor": "CreedAlly",
          "versions": [
            {
              "lessThanOrEqual": "1.2.4",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nabil Irawan | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:43:24.826Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image bulk-featured-image allows Upload a Web Shell to a Web Server.\u003cp\u003eThis issue affects Bulk Featured Image: from n/a through \u003c= 1.2.4.\u003c/p\u003e"
            }
          ],
          "value": "Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image bulk-featured-image allows Upload a Web Shell to a Web Server.This issue affects Bulk Featured Image: from n/a through \u003c= 1.2.4."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-650",
          "descriptions": [
            {
              "lang": "en",
              "value": "Upload a Web Shell to a Web Server"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:13:47.713Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/bulk-featured-image/vulnerability/wordpress-bulk-featured-image-plugin-1-2-2-arbitrary-file-upload-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Bulk Featured Image plugin \u003c= 1.2.4 - Arbitrary File Upload vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-58819",
    "datePublished": "2025-09-05T13:45:18.000Z",
    "dateReserved": "2025-09-05T10:49:25.892Z",
    "dateUpdated": "2026-05-12T00:51:33.490Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-58745 (GCVE-0-2025-58745)

Vulnerability from cvelistv5 – Published: 2025-09-08 22:40 – Updated: 2025-09-09 13:29
VLAI
Title
WeGIA has a bypass for the fix for CVE-2025-22133 - Arbitrary File Upload leads to Remote Code Execution (RCE)
Summary
WeGIA is a Web manager for charitable institutions. The fix for CVE-2025-22133 was not enough to remediate the arbitrary file upload vulnerability. The WeGIA only check MIME types for Excel files at endpoint `/html/socio/sistema/controller/controla_xlsx.php`, which can be bypassed by using magic bytes of Excel file in a PHP file. As a result, attacker can upload webshell to the server for remote code execution. Version 3.4.11 contains an updated fix.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
Vendor Product Version
LabRedesCefetRJ WeGIA Affected: < 3.4.11
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58745",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-09T13:14:35.292623Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-09T13:29:48.697Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-hq96-gvmx-qrwp"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WeGIA",
          "vendor": "LabRedesCefetRJ",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.4.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WeGIA is a Web manager for charitable institutions. The fix for CVE-2025-22133 was not enough to remediate the arbitrary file upload vulnerability. The WeGIA only check MIME types for Excel files at endpoint `/html/socio/sistema/controller/controla_xlsx.php`, which can be bypassed by using magic bytes of Excel file in a PHP file. As a result, attacker can upload webshell to the server for remote code execution. Version 3.4.11 contains an updated fix."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-08T22:40:56.389Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-hq96-gvmx-qrwp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-hq96-gvmx-qrwp"
        }
      ],
      "source": {
        "advisory": "GHSA-hq96-gvmx-qrwp",
        "discovery": "UNKNOWN"
      },
      "title": "WeGIA has a bypass for the fix for CVE-2025-22133 - Arbitrary File Upload leads to Remote Code Execution (RCE)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-58745",
    "datePublished": "2025-09-08T22:40:56.389Z",
    "dateReserved": "2025-09-04T19:18:09.498Z",
    "dateUpdated": "2025-09-09T13:29:48.697Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-58159 (GCVE-0-2025-58159)

Vulnerability from cvelistv5 – Published: 2025-08-29 22:15 – Updated: 2025-09-02 19:24
VLAI
Title
WeGIA Authenticated Arbitrary File Upload Leading To Remote Code Execution (RCE)
Summary
WeGIA is a Web manager for charitable institutions. Prior to version 3.4.11, a remote code execution vulnerability was identified, caused by improper validation of uploaded files. The application allows an attacker to upload files with arbitrary filenames, including those with a .php extension. Because the uploaded file is written directly to disk without adequate sanitization or extension restrictions, a spreadsheet file followed by PHP code can be uploaded and executed on the server, leading to arbitrary code execution. This is due to insufficient mitigation of CVE-2025-22133. This issue has been patched in version 3.4.11.
SSVC
Exploitation: poc Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
Vendor Product Version
LabRedesCefetRJ WeGIA Affected: < 3.4.11
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58159",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-02T19:24:14.670326Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-02T19:24:25.237Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WeGIA",
          "vendor": "LabRedesCefetRJ",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.4.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WeGIA is a Web manager for charitable institutions. Prior to version 3.4.11, a remote code execution vulnerability was identified, caused by improper validation of uploaded files. The application allows an attacker to upload files with arbitrary filenames, including those with a .php extension. Because the uploaded file is written directly to disk without adequate sanitization or extension restrictions, a spreadsheet file followed by PHP code can be uploaded and executed on the server, leading to arbitrary code execution. This is due to insufficient mitigation of CVE-2025-22133. This issue has been patched in version 3.4.11."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-29T22:15:32.127Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-wj2c-237g-cgqp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-wj2c-237g-cgqp"
        }
      ],
      "source": {
        "advisory": "GHSA-wj2c-237g-cgqp",
        "discovery": "UNKNOWN"
      },
      "title": "WeGIA Authenticated Arbitrary File Upload Leading To Remote Code Execution (RCE)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-58159",
    "datePublished": "2025-08-29T22:15:12.472Z",
    "dateReserved": "2025-08-27T13:34:56.186Z",
    "dateUpdated": "2025-09-02T19:24:25.237Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-58048 (GCVE-0-2025-58048)

Vulnerability from cvelistv5 – Published: 2025-08-28 17:31 – Updated: 2025-08-28 18:16
VLAI
Title
Paymenter Vulnerable to Remote Code Execution via Public File Uploads
Summary
Paymenter is a free and open-source webshop solution for hostings. Prior to version 1.2.11, the ticket attachments functionality in Paymenter allows a malicious authenticated user to upload arbitrary files. This could result in sensitive data extraction from the database, credentials being read from configuration files, and arbitrary system commands being run under the web server user context. This vulnerability was patched by commit 87c3db4 and was released under the version 1.2.11 tag without any other code modifications compared to version 1.2.10. If upgrading is not immediately possible, administrators can mitigate this vulnerability with one or more of the following measures: updating nginx config to download attachments instead of executing them or disallowing access to /storage/ fully using a WAF such as Cloudflare.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
Impacted products
Vendor Product Version
Paymenter Paymenter Affected: < 1.2.11
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58048",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-28T18:16:29.223115Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-28T18:16:36.144Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Paymenter",
          "vendor": "Paymenter",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Paymenter is a free and open-source webshop solution for hostings. Prior to version 1.2.11, the ticket attachments functionality in Paymenter allows a malicious authenticated user to upload arbitrary files. This could result in sensitive data extraction from the database, credentials being read from configuration files, and arbitrary system commands being run under the web server user context. This vulnerability was patched by commit 87c3db4 and was released under the version 1.2.11 tag without any other code modifications compared to version 1.2.10. If upgrading is not immediately possible, administrators can mitigate this vulnerability with one or more of the following measures: updating nginx config to download attachments instead of executing them or disallowing access to /storage/ fully using a WAF such as Cloudflare."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T17:31:19.732Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Paymenter/Paymenter/security/advisories/GHSA-5pm9-r2m8-rcmj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Paymenter/Paymenter/security/advisories/GHSA-5pm9-r2m8-rcmj"
        },
        {
          "name": "https://github.com/Paymenter/Paymenter/commit/87c3db42282ada1e3cda54b9a01f846926c0669b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Paymenter/Paymenter/commit/87c3db42282ada1e3cda54b9a01f846926c0669b"
        },
        {
          "name": "https://github.com/Paymenter/Paymenter/releases/tag/v1.2.11",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Paymenter/Paymenter/releases/tag/v1.2.11"
        }
      ],
      "source": {
        "advisory": "GHSA-5pm9-r2m8-rcmj",
        "discovery": "UNKNOWN"
      },
      "title": "Paymenter Vulnerable to Remote Code Execution via Public File Uploads"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-58048",
    "datePublished": "2025-08-28T17:31:19.732Z",
    "dateReserved": "2025-08-22T14:30:32.221Z",
    "dateUpdated": "2025-08-28T18:16:36.144Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-57795 (GCVE-0-2025-57795)

Vulnerability from cvelistv5 – Published: 2026-01-28 17:43 – Updated: 2026-01-28 18:21
VLAI
Title
Unauthenticated Remote File Download in Explorance Blue
Summary
Explorance Blue versions prior to 8.14.13 contain an authenticated remote file download vulnerability in a web service component. In default configurations, this flaw can be leveraged to achieve remote code execution.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
Impacted products
Vendor Product Version
Explorance Blue Affected: 0 , < 8.14.13 (custom)
Create a notification for this product.
Credits
Abdulrahman Nour, Mandiant Abdulrahman Nour, Mandiant
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.9,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-57795",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-28T18:21:34.734945Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-28T18:21:45.332Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Blue",
          "vendor": "Explorance",
          "versions": [
            {
              "lessThan": "8.14.13",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Abdulrahman Nour, Mandiant"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Abdulrahman Nour, Mandiant"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Explorance Blue versions prior to 8.14.13 contain an authenticated remote file download vulnerability in a web service component. In default configurations, this flaw can be leveraged to achieve remote code execution.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "Explorance Blue versions prior to 8.14.13 contain an authenticated remote file download vulnerability in a web service component. In default configurations, this flaw can be leveraged to achieve remote code execution."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-165",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-165 File Manipulation"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T17:49:34.782Z",
        "orgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484",
        "shortName": "Mandiant"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.explorance.com/products/blue"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://online-help.explorance.com/blue/articles/security-advisories-(january-2026)"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57795"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0004.md"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Unauthenticated Remote File Download in Explorance Blue",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484",
    "assignerShortName": "Mandiant",
    "cveId": "CVE-2025-57795",
    "datePublished": "2026-01-28T17:43:08.529Z",
    "dateReserved": "2025-08-19T19:08:41.742Z",
    "dateUpdated": "2026-01-28T18:21:45.332Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-57794 (GCVE-0-2025-57794)

Vulnerability from cvelistv5 – Published: 2026-01-28 17:33 – Updated: 2026-01-28 18:25
VLAI
Title
Unrestricted File Upload Vulnerability in Explorance Blue
Summary
Explorance Blue versions prior to 8.14.9 contain an authenticated unrestricted file upload vulnerability in the administrative interface. The application does not adequately restrict uploaded file types, allowing malicious files to be uploaded and executed by the server. This condition enables remote code execution under default configurations.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
Impacted products
Vendor Product Version
Explorance Blue Affected: 0 , < 8.14.9 (custom)
Create a notification for this product.
Credits
Abdulrahman Nour, Mandiant Abdulrahman Nour, Mandiant
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-57794",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-28T18:24:24.323564Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-28T18:25:06.258Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Blue",
          "vendor": "Explorance",
          "versions": [
            {
              "lessThan": "8.14.9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Abdulrahman Nour, Mandiant"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Abdulrahman Nour, Mandiant"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Explorance Blue versions prior to 8.14.9 contain an authenticated unrestricted file upload vulnerability in the administrative interface. The application does not adequately restrict uploaded file types, allowing malicious files to be uploaded and executed by the server. This condition enables remote code execution under default configurations."
            }
          ],
          "value": "Explorance Blue versions prior to 8.14.9 contain an authenticated unrestricted file upload vulnerability in the administrative interface. The application does not adequately restrict uploaded file types, allowing malicious files to be uploaded and executed by the server. This condition enables remote code execution under default configurations."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-165",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-165 File Manipulation"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T17:33:43.151Z",
        "orgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484",
        "shortName": "Mandiant"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.explorance.com/products/blue"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://online-help.explorance.com/blue/articles/security-advisories-(january-2026)"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57794"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0003.md"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Unrestricted File Upload Vulnerability in Explorance Blue",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484",
    "assignerShortName": "Mandiant",
    "cveId": "CVE-2025-57794",
    "datePublished": "2026-01-28T17:33:43.151Z",
    "dateReserved": "2025-08-19T19:08:41.742Z",
    "dateUpdated": "2026-01-28T18:25:06.258Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-57176 (GCVE-0-2025-57176)

Vulnerability from cvelistv5 – Published: 2025-09-15 00:00 – Updated: 2026-03-11 03:47
VLAI
Summary
On Ceragon Networks / Siklu Communication EtherHaul and MultiHaul Series microwave antennas before 2026-03-10, the rfpiped service on TCP port 555 allows unauthenticated file uploads to any writable location on the device. File upload packets use weak encryption (metadata only) with file contents transmitted in cleartext. No authentication or path validation is performed.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
Impacted products
Vendor Product Version
Ceragon Networks / Siklu Communication EtherHaul and MultiHaul Series microwave antennas Affected: Ceragon MultiHaul MH-B100-CCS , < R2.4.0 (custom)
Affected: Ceragon MultiHaul MH-T200-CCC , < R2.4.0 (custom)
Affected: Ceragon MultiHaul MH-T200-CNN , < R2.4.0 (custom)
Affected: Ceragon MultiHaul MH-T201-CNN , < R2.4.0 (custom)
Affected: Ceragon EtherHaul EH-8010FX , < R10.8.1 (custom)
Affected: Ceragon EtherHaul EH-500TX , < R7.7.12 (custom)
Affected: Ceragon EtherHaul EH-600TX , < R7.7.12 (custom)
Affected: Ceragon EtherHaul EH-614TX , < R7.7.12 (custom)
Affected: Ceragon EtherHaul EH-700TX , < R7.7.12 (custom)
Affected: Ceragon EtherHaul EH-710TX , < R7.7.12 (custom)
Affected: Ceragon EtherHaul EH-1200TX , < R7.7.12 (custom)
Affected: Ceragon EtherHaul EH-1200FX , < R7.7.12 (custom)
Affected: Ceragon EtherHaul EH-2200FX , < R7.7.12 (custom)
Affected: Ceragon EtherHaul EH-2500FX , < R7.7.12 (custom)
Affected: Ceragon EtherHaul EH-5500FD , < R7.7.12 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-57176",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-15T18:09:50.455819Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-434",
                "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-15T19:14:02.731Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "EtherHaul and MultiHaul Series microwave antennas",
          "vendor": "Ceragon Networks / Siklu Communication",
          "versions": [
            {
              "lessThan": "R2.4.0",
              "status": "affected",
              "version": "Ceragon MultiHaul MH-B100-CCS",
              "versionType": "custom"
            },
            {
              "lessThan": "R2.4.0",
              "status": "affected",
              "version": "Ceragon MultiHaul MH-T200-CCC",
              "versionType": "custom"
            },
            {
              "lessThan": "R2.4.0",
              "status": "affected",
              "version": "Ceragon MultiHaul MH-T200-CNN",
              "versionType": "custom"
            },
            {
              "lessThan": "R2.4.0",
              "status": "affected",
              "version": "Ceragon MultiHaul MH-T201-CNN",
              "versionType": "custom"
            },
            {
              "lessThan": "R10.8.1",
              "status": "affected",
              "version": "Ceragon EtherHaul EH-8010FX",
              "versionType": "custom"
            },
            {
              "lessThan": "R7.7.12",
              "status": "affected",
              "version": "Ceragon EtherHaul EH-500TX",
              "versionType": "custom"
            },
            {
              "lessThan": "R7.7.12",
              "status": "affected",
              "version": "Ceragon EtherHaul EH-600TX",
              "versionType": "custom"
            },
            {
              "lessThan": "R7.7.12",
              "status": "affected",
              "version": "Ceragon EtherHaul EH-614TX",
              "versionType": "custom"
            },
            {
              "lessThan": "R7.7.12",
              "status": "affected",
              "version": "Ceragon EtherHaul EH-700TX",
              "versionType": "custom"
            },
            {
              "lessThan": "R7.7.12",
              "status": "affected",
              "version": "Ceragon EtherHaul EH-710TX",
              "versionType": "custom"
            },
            {
              "lessThan": "R7.7.12",
              "status": "affected",
              "version": "Ceragon EtherHaul EH-1200TX",
              "versionType": "custom"
            },
            {
              "lessThan": "R7.7.12",
              "status": "affected",
              "version": "Ceragon EtherHaul EH-1200FX",
              "versionType": "custom"
            },
            {
              "lessThan": "R7.7.12",
              "status": "affected",
              "version": "Ceragon EtherHaul EH-2200FX",
              "versionType": "custom"
            },
            {
              "lessThan": "R7.7.12",
              "status": "affected",
              "version": "Ceragon EtherHaul EH-2500FX",
              "versionType": "custom"
            },
            {
              "lessThan": "R7.7.12",
              "status": "affected",
              "version": "Ceragon EtherHaul EH-5500FD",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "On Ceragon Networks / Siklu Communication EtherHaul and MultiHaul Series microwave antennas before 2026-03-10, the rfpiped service on TCP port 555 allows unauthenticated file uploads to any writable location on the device. File upload packets use weak encryption (metadata only) with file contents transmitted in cleartext. No authentication or path validation is performed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-11T03:47:21.304Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-04"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-57176",
    "datePublished": "2025-09-15T00:00:00.000Z",
    "dateReserved": "2025-08-17T00:00:00.000Z",
    "dateUpdated": "2026-03-11T03:47:21.304Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-55746 (GCVE-0-2025-55746)

Vulnerability from cvelistv5 – Published: 2025-08-20 17:58 – Updated: 2025-08-20 18:20
VLAI
Title
Directus allows unauthenticated file upload and file modification due to lacking input sanitization
Summary
Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-73 - External Control of File Name or Path
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
Vendor Product Version
directus directus Affected: >= 10.8.0, < 11.9.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55746",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-20T18:19:49.537443Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-20T18:20:03.663Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 10.8.0, \u003c 11.9.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files\u0027 database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won\u0027t show up in the Directus UI. This vulnerability is fixed in 11.9.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73: External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-20T17:58:06.762Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc"
        },
        {
          "name": "https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b"
        }
      ],
      "source": {
        "advisory": "GHSA-mv33-9f6j-pfmc",
        "discovery": "UNKNOWN"
      },
      "title": "Directus allows unauthenticated file upload and file modification due to lacking input sanitization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-55746",
    "datePublished": "2025-08-20T17:58:06.762Z",
    "dateReserved": "2025-08-14T22:31:17.685Z",
    "dateUpdated": "2025-08-20T18:20:03.663Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-55743 (GCVE-0-2025-55743)

Vulnerability from cvelistv5 – Published: 2025-08-21 15:45 – Updated: 2025-08-21 20:00
VLAI
Title
UnoPim vulnerable to remote code execution through Arbitrary File upload
Summary
UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, the image upload at the user creation feature performs only client side file type validation. A user can capture the request by uploading an image, capture the request through a Proxy like Burp suite. Make changes to the file extension and content. The vulnerability is fixed in 0.2.1.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
Vendor Product Version
unopim unopim Affected: < 0.2.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55743",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-21T19:59:51.804239Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-21T20:00:06.996Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "unopim",
          "vendor": "unopim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.2.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, the image upload at the user creation feature performs only client side file type validation. A user can capture the request by uploading an image, capture the request through a Proxy like Burp suite. Make changes to the file extension and content. The vulnerability is fixed in 0.2.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-21T15:45:32.296Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/unopim/unopim/security/advisories/GHSA-v22v-xwh7-2vrm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/unopim/unopim/security/advisories/GHSA-v22v-xwh7-2vrm"
        },
        {
          "name": "https://drive.proton.me/urls/PH1ESMKHMW#4Vxb2KNu3tmn",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://drive.proton.me/urls/PH1ESMKHMW#4Vxb2KNu3tmn"
        }
      ],
      "source": {
        "advisory": "GHSA-v22v-xwh7-2vrm",
        "discovery": "UNKNOWN"
      },
      "title": "UnoPim vulnerable to remote code execution through Arbitrary File upload"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-55743",
    "datePublished": "2025-08-21T15:45:32.296Z",
    "dateReserved": "2025-08-14T22:31:17.685Z",
    "dateUpdated": "2025-08-21T20:00:06.996Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design

Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]

Mitigation MIT-21
Architecture and Design

Strategy: Enforcement by Conversion

When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Mitigation
Architecture and Design

Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically. [REF-423]

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • For example, limiting filenames to alphanumeric characters can help to restrict the introduction of unintended file extensions.
Mitigation
Architecture and Design

Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before allowing .html or .htm file types.

Mitigation
Implementation

Strategy: Input Validation

Ensure that only one extension is used in the filename. Some web servers, including some versions of Apache, may process files based on inner extensions so that "filename.php.gif" is fed to the PHP interpreter.[REF-422] [REF-423]

Mitigation
Implementation

When running on a web server that supports case-insensitive filenames, perform case-insensitive evaluations of the extensions that are provided.

Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation
Implementation

Do not rely exclusively on sanity checks of file contents to ensure that the file is of the expected type and size. It may be possible for an attacker to hide code in some file segments that will still be executed by the server. For example, GIF images may contain a free-form comments field.

Mitigation
Implementation

Do not rely exclusively on the MIME content type or filename attribute when determining how to render a file. Validating the MIME content type and ensuring that it matches the extension is only a partial solution.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Mitigation MIT-22
Architecture and Design Operation

Strategy: Sandbox or Jail

  • Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
  • OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.