Lucene search
+L

44025 matches found

CVE
CVE
added 8 hours ago7 views

CVE-2026-62237

CVE-2026-62237 affects Grav before 2.0.4. The vulnerability is a ReDoS in the regex_replace filter and function that are allowlisted in the Twig content sandbox. When Twig processing of page content is enabled (security.twig_content.process_enabled: true), an authenticated page editor can supply ...

6.5CVSS6.1AI score
Exploits0References2
CVE
CVE
added 8 hours ago5 views

CVE-2026-62234

Grav 2.x prior to 2.0.4 contains an SSRF vulnerability in webhook dispatch where authenticated users with api.webhooks.write can create webhooks using file://, dict://, or gopher:// protocols. This unrestricted protocol handling can be leveraged to read local files, access process information, or...

8.4CVSS6.1AI score
Exploits0References2
CVE
CVE
added yesterday26 views

CVE-2026-44175

Kirby has a stored XSS vulnerability in the list field prior to versions 4.9.1 and 5.4.1 due to server-side sanitization on save not being applied (HTML in list field not escaped without breaking formatting). The content is stored as HTML and could be sent via Kirby’s API bypassing the Panel, the...

8.5CVSS5.9AI score0.0004EPSS
Exploits0References2
CVE
CVE
added yesterday25 views

CVE-2026-44174

Kirby CMS (versions prior to 4.9.1 and 5.4.1) exposes REST API search and collection queries that did not validate model attributes, allowing authenticated users to invoke arbitrary model methods (e.g., password(), root(), loginPasswordless(), delete()) via collection endpoints. This can disclose...

8.7CVSS6.2AI score0.0007EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday90 views

IPeakCMS 3.5 - SQL Injection

ipeak Infosystems ibexwebCMS 3.5 contains an unauthenticated Boolean-based SQL injection caused by unsanitized 'id' parameter in /cms/print.php, letting attackers execute arbitrary SQL commands, exploit requires no authentication. id: CVE-2021-3018 info: name: IPeakCMS 3.5 - SQL Injection author:...

9.8CVSS7.2AI score0.19506EPSS
Exploits3References3
Nuclei
Nuclei
added yesterday97 views

Clansphere CMS 2011.4 - Cross-Site Scripting

Clansphere CMS 2011.4 contains an unauthenticated reflected cross-site scripting vulnerability via the "module" parameter. id: CVE-2021-27309 info: name: Clansphere CMS 2011.4 - Cross-Site Scripting author: edoardottt severity: medium description: | Clansphere CMS 2011.4 contains an unauthenticat...

6.1CVSS6.4AI score0.01977EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday90 views

Microweber < 1.2.12 - Stored Cross-Site Scripting

Microweber prior to 1.2.12 contains a stored cross-site scripting vulnerability via the Type parameter in the body of POST request, which is triggered by Add/Edit Tax. id: CVE-2022-0928 info: name: Microweber 1.2.12 - Stored Cross-Site Scripting author: amit-jd severity: medium description: |...

6.8CVSS6.6AI score0.02389EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday45 views

Royal Event - SQL Injection

Royal Event is vulnerable to a SQL injection vulnerability. id: CVE-2022-28080 info: name: Royal Event - SQL Injection author: lucasljm2001,ekrause,ritikchaddha severity: high description: | Royal Event is vulnerable to a SQL injection vulnerability. impact: | Successful exploitation of this...

8.8CVSS7.1AI score0.57317EPSS
Exploits3References5
Nuclei
Nuclei
added yesterday72 views

Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting XSS vulnerability via Post content. id: CVE-2022-42096 info: name: Backdrop CMS version 1.23.0 - Cross Site Scripting Stored author: theamanrawat severity: medium description: | Backdrop CMS version 1.23.0 was...

4.8CVSS6AI score0.0196EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday42 views

Car Rental Management System 1.0 - SQL Injection

Car Rental Management System 1.0 contains an SQL injection vulnerability via /booking.php?carid=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id: CVE-2022-32024 info:...

7.2CVSS7AI score0.04522EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday101 views

Masa CMS - Authentication Bypass

Masa CMS 7.2, 7.3, and 7.4-beta are susceptible to authentication bypass in the Remember Me function. An attacker can bypass authentication via a crafted web request and thereby obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the...

9.8CVSS7.1AI score0.06253EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday50 views

Cuppa CMS v1.0 - SQL injection

Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/menu/ via the path=component/menu/&menufilter=3 parameter. id: CVE-2022-24265 info: name: Cuppa CMS v1.0 - SQL injection author: theamanrawat severity: high description: | Cuppa CMS v1.0 was...

7.8CVSS7AI score0.06711EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday92 views

Mara CMS 7.5 - Cross-Site Scripting

Mara CMS 7.5 allows reflected cross-site scripting in contact.php via the theme or pagetheme parameters. id: CVE-2020-24223 info: name: Mara CMS 7.5 - Cross-Site Scripting author: pikpikcu severity: medium description: Mara CMS 7.5 allows reflected cross-site scripting in contact.php via the them...

6.1CVSS6.4AI score0.14552EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday88 views

Processwire CMS <2.7.1 - Local File Inclusion

Processwire CMS prior to 2.7.1 is vulnerable to local file inclusion because it allows a remote attacker to retrieve sensitive files via the download parameter to index.php. id: CVE-2020-27467 info: name: Processwire CMS 2.7.1 - Local File Inclusion author: 0xAkoko severity: high description:...

7.8CVSS7AI score0.15737EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday21 views

LG Supersign EZ CMS - Remote Code Execution

LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsrserver/device/getThumbnail. id: CVE-2018-17173 info: name: LG Supersign EZ CMS - Remote Code Execution author: pussycat0x severity: critical description: | LG SuperSign CMS allows remote attackers...

9.8CVSS7.4AI score0.56237EPSS
Exploits9References4
Nuclei
Nuclei
added yesterday52 views

Monstra CMS <=3.0.4 - Cross-Site Scripting

Monstra CMS 3.0.4 and earlier contains a cross-site scripting vulnerability via index.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch...

6.1CVSS6.7AI score0.04754EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday83 views

Hospital Management System 1.0 - SQL Injection

Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/admin.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id:...

7.2CVSS7AI score0.03745EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday59 views

Lotus Core CMS 1.0.1 - Local File Inclusion

Lotus Core CMS 1.0.1 allows authenticated local file inclusion of .php files via directory traversal in the index.php pageslug parameter. id: CVE-2020-8641 info: name: Lotus Core CMS 1.0.1 - Local File Inclusion author: 0xAkoko severity: high description: Lotus Core CMS 1.0.1 allows authenticated...

8.8CVSS7AI score0.10808EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday61 views

Monstra CMS 3.0.4 - Cross-Site Scripting

Monstra CMS 3.0.4 contains a cross-site scripting vulnerability via the page feature in admin/index.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials...

5.4CVSS6.7AI score0.01885EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday82 views

Aryanic HighMail (High CMS) - Cross-Site Scripting

A cross-site scripting vulnerability in Aryanic HighMail High CMS versions 2020 and before allows remote attackers to inject arbitrary web script or HTML, via 'user' to LoginForm. id: CVE-2020-23517 info: name: Aryanic HighMail High CMS - Cross-Site Scripting author: geeknik severity: medium...

6.1CVSS6.5AI score0.07051EPSS
Exploits1References5
Rows per page
Query Builder