44025 matches found
CVE-2026-62237
CVE-2026-62237 affects Grav before 2.0.4. The vulnerability is a ReDoS in the regex_replace filter and function that are allowlisted in the Twig content sandbox. When Twig processing of page content is enabled (security.twig_content.process_enabled: true), an authenticated page editor can supply ...
CVE-2026-62234
Grav 2.x prior to 2.0.4 contains an SSRF vulnerability in webhook dispatch where authenticated users with api.webhooks.write can create webhooks using file://, dict://, or gopher:// protocols. This unrestricted protocol handling can be leveraged to read local files, access process information, or...
CVE-2026-44175
Kirby has a stored XSS vulnerability in the list field prior to versions 4.9.1 and 5.4.1 due to server-side sanitization on save not being applied (HTML in list field not escaped without breaking formatting). The content is stored as HTML and could be sent via Kirby’s API bypassing the Panel, the...
CVE-2026-44174
Kirby CMS (versions prior to 4.9.1 and 5.4.1) exposes REST API search and collection queries that did not validate model attributes, allowing authenticated users to invoke arbitrary model methods (e.g., password(), root(), loginPasswordless(), delete()) via collection endpoints. This can disclose...
IPeakCMS 3.5 - SQL Injection
ipeak Infosystems ibexwebCMS 3.5 contains an unauthenticated Boolean-based SQL injection caused by unsanitized 'id' parameter in /cms/print.php, letting attackers execute arbitrary SQL commands, exploit requires no authentication. id: CVE-2021-3018 info: name: IPeakCMS 3.5 - SQL Injection author:...
Clansphere CMS 2011.4 - Cross-Site Scripting
Clansphere CMS 2011.4 contains an unauthenticated reflected cross-site scripting vulnerability via the "module" parameter. id: CVE-2021-27309 info: name: Clansphere CMS 2011.4 - Cross-Site Scripting author: edoardottt severity: medium description: | Clansphere CMS 2011.4 contains an unauthenticat...
Microweber < 1.2.12 - Stored Cross-Site Scripting
Microweber prior to 1.2.12 contains a stored cross-site scripting vulnerability via the Type parameter in the body of POST request, which is triggered by Add/Edit Tax. id: CVE-2022-0928 info: name: Microweber 1.2.12 - Stored Cross-Site Scripting author: amit-jd severity: medium description: |...
Royal Event - SQL Injection
Royal Event is vulnerable to a SQL injection vulnerability. id: CVE-2022-28080 info: name: Royal Event - SQL Injection author: lucasljm2001,ekrause,ritikchaddha severity: high description: | Royal Event is vulnerable to a SQL injection vulnerability. impact: | Successful exploitation of this...
Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting XSS vulnerability via Post content. id: CVE-2022-42096 info: name: Backdrop CMS version 1.23.0 - Cross Site Scripting Stored author: theamanrawat severity: medium description: | Backdrop CMS version 1.23.0 was...
Car Rental Management System 1.0 - SQL Injection
Car Rental Management System 1.0 contains an SQL injection vulnerability via /booking.php?carid=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id: CVE-2022-32024 info:...
Masa CMS - Authentication Bypass
Masa CMS 7.2, 7.3, and 7.4-beta are susceptible to authentication bypass in the Remember Me function. An attacker can bypass authentication via a crafted web request and thereby obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the...
Cuppa CMS v1.0 - SQL injection
Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/menu/ via the path=component/menu/&menufilter=3 parameter. id: CVE-2022-24265 info: name: Cuppa CMS v1.0 - SQL injection author: theamanrawat severity: high description: | Cuppa CMS v1.0 was...
Mara CMS 7.5 - Cross-Site Scripting
Mara CMS 7.5 allows reflected cross-site scripting in contact.php via the theme or pagetheme parameters. id: CVE-2020-24223 info: name: Mara CMS 7.5 - Cross-Site Scripting author: pikpikcu severity: medium description: Mara CMS 7.5 allows reflected cross-site scripting in contact.php via the them...
Processwire CMS <2.7.1 - Local File Inclusion
Processwire CMS prior to 2.7.1 is vulnerable to local file inclusion because it allows a remote attacker to retrieve sensitive files via the download parameter to index.php. id: CVE-2020-27467 info: name: Processwire CMS 2.7.1 - Local File Inclusion author: 0xAkoko severity: high description:...
LG Supersign EZ CMS - Remote Code Execution
LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsrserver/device/getThumbnail. id: CVE-2018-17173 info: name: LG Supersign EZ CMS - Remote Code Execution author: pussycat0x severity: critical description: | LG SuperSign CMS allows remote attackers...
Monstra CMS <=3.0.4 - Cross-Site Scripting
Monstra CMS 3.0.4 and earlier contains a cross-site scripting vulnerability via index.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch...
Hospital Management System 1.0 - SQL Injection
Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/admin.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id:...
Lotus Core CMS 1.0.1 - Local File Inclusion
Lotus Core CMS 1.0.1 allows authenticated local file inclusion of .php files via directory traversal in the index.php pageslug parameter. id: CVE-2020-8641 info: name: Lotus Core CMS 1.0.1 - Local File Inclusion author: 0xAkoko severity: high description: Lotus Core CMS 1.0.1 allows authenticated...
Monstra CMS 3.0.4 - Cross-Site Scripting
Monstra CMS 3.0.4 contains a cross-site scripting vulnerability via the page feature in admin/index.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials...
Aryanic HighMail (High CMS) - Cross-Site Scripting
A cross-site scripting vulnerability in Aryanic HighMail High CMS versions 2020 and before allows remote attackers to inject arbitrary web script or HTML, via 'user' to LoginForm. id: CVE-2020-23517 info: name: Aryanic HighMail High CMS - Cross-Site Scripting author: geeknik severity: medium...