CWE-434: Unrestricted Upload of File with Dangerous Type
Also known as: Unrestricted File Upload
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Last updated
Overview
CWE-434 (Unrestricted Upload of File with Dangerous Type) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
2,643 recorded CVEs are caused by CWE-434 (Unrestricted Upload of File with Dangerous Type), including 27 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 412 new CWE-434 CVEs have been recorded so far in 2026 (799 in 2025).
- CVE-2026-56291CISA KEV
Joomla Extension - balbooa.com - Unauthenticated file upload in Balbooa Forms extension < 2.4.1
Critical · CVSS 10.0 · EPSS 54th2026-07-09 - CVE-2026-56290CISA KEV
Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension < 3.6.0
Critical · CVSS 10.0 · EPSS 85th2026-06-29