Total
3796 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-2977 | 1 Fastapiadmin | 1 Fastapiadmin | 2026-03-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security vulnerability has been detected in FastApiAdmin up to 2.2.0. This affects the function upload_controller of the file /backend/app/api/v1/module_common/file/controller.py of the component Scheduled Task API. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2026-2976 | 1 Fastapiadmin | 1 Fastapiadmin | 2026-03-05 | 4.0 MEDIUM | 4.3 MEDIUM |
| A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function download_controller of the file /backend/app/api/v1/module_common/file/controller.py of the component Download Endpoint. This manipulation of the argument file_path causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2026-2979 | 1 Fastapiadmin | 1 Fastapiadmin | 2026-03-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function user_avatar_upload_controller of the file /backend/app/api/v1/module_system/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. | |||||
| CVE-2026-2978 | 1 Fastapiadmin | 1 Fastapiadmin | 2026-03-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in FastApiAdmin up to 2.2.0. This vulnerability affects the function upload_file_controller of the file /backend/app/api/v1/module_system/params/controller.py of the component Scheduled Task API. Performing a manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used. | |||||
| CVE-2026-21628 | | | 2026-03-05 | N/A | N/A |
| An improperly secured file management feature allows uploads of dangerous data types for unauthenticated users, leading to remote code execution. | |||||
| CVE-2026-2743 | | | 2026-03-05 | N/A | N/A |
| Arbitrary File Write via Path Traversal upload to Remote Code Execution in SeppMail User Web Interface. The affected feature is the large file transfer (LFT). This issue affects SeppMail: 15.0.2.1 and before. | |||||
| CVE-2026-28133 | | | 2026-03-05 | N/A | N/A |
| Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr filr-protection allows Upload a Web Shell to a Web Server. This issue affects Filr: from n/a through <= 1.2.12. | |||||
| CVE-2026-28114 | | | 2026-03-05 | N/A | N/A |
| Unrestricted Upload of File with Dangerous Type vulnerability in firassaidi WooCommerce License Manager fs-license-manager allows Upload a Web Shell to a Web Server. This issue affects WooCommerce License Manager: from n/a through <= 7.0.6. | |||||
| CVE-2026-24960 | | | 2026-03-05 | N/A | N/A |
| Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Charety charety allows Using Malicious Files. This issue affects Charety: from n/a through < 2.0.2. | |||||
| CVE-2026-23802 | | | 2026-03-05 | N/A | N/A |
| Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files. This issue affects AI Engine: from n/a through <= 3.3.2. | |||||
| CVE-2025-68555 | | | 2026-03-05 | N/A | N/A |
| Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Nutrie nutrie allows Upload a Web Shell to a Web Server. This issue affects Nutrie: from n/a through < 2.0.1. | |||||
| CVE-2025-68554 | | | 2026-03-05 | N/A | N/A |
| Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Keenarch keenarch allows Using Malicious Files. This issue affects Keenarch: from n/a through < 2.0.1. | |||||
| CVE-2025-68553 | | | 2026-03-05 | N/A | N/A |
| Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Lendiz lendiz allows Upload a Web Shell to a Web Server. This issue affects Lendiz: from n/a through < 2.0.1. | |||||
| CVE-2026-28270 | 1 Accellion | 1 Kiteworks | 2026-03-04 | N/A | 4.9 MEDIUM |
| Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks configuration allows uploading of arbitrary files without proper validation. Malicious administrators could exploit this to upload unauthorized file types to the system. Version 9.2.0 contains a patch for the issue. | |||||
| CVE-2026-28289 | | | 2026-03-04 | N/A | 10.0 CRITICAL |
| FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207. | |||||
| CVE-2020-36849 | 1 Ait-themes | 1 Csv Import / Export | 2026-03-04 | N/A | 9.8 CRITICAL |
| The AIT CSV import/export plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php file in versions up to, and including, 3.0.3. This makes it possible for unauthorized attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2021-35485 | | | 2026-03-04 | N/A | 8.0 HIGH |
| The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload server-side executable files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an existing one. | |||||
| CVE-2026-27947 | 1 Intermesh | 1 Group-office | 2026-03-04 | N/A | 8.8 HIGH |
| Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat` and then invokes `zip` with a shell wildcard (`*`). Because extracted filenames are attacker-controlled, they can be interpreted as `zip` options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue. | |||||
| CVE-2026-2269 | | | 2026-03-03 | N/A | 7.2 HIGH |
| The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.0.0.3 via the download_url() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Additionally, the plugin stores the contents of the remote files on the server, which can be leveraged to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2026-1358 | | | 2026-03-03 | N/A | 9.8 CRITICAL |
| Airleader Master versions 6.381 and prior allow for file uploads without restriction to multiple webpages running maximum privileges. This could allow an unauthenticated user to potentially obtain remote code execution on the server. | |||||
