Lucene search
+L

755 matches found

OSV
OSV
added last week2 views

CVE-2026-54002 Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins that use the writer or list fields or call Dom::sanitize, Sane::sanitize, Sane::Html::sanitize, Sane::Svg::sanitize, Sane::Xml::sanitize, Sane::sanitizeFile, or file sanitizeContents with untruste...

8.5CVSS5.8AI score0.00409EPSS
Exploits0References9
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/18 1:17 p.m.8 views

Security Bulletin: Oracle Outside In Technology (OIT) v8.5.7 BP9, v8.5.8 BP2 vulnerabilities CVE-2025-54874 (vulnerable), CVE-2025-59375 (vulnerable) in FileNet Content Manager (FNCM) Content Based Retrieval (CBR) content indexing

Summary Oracle Outside In Technology OIT v8.5.7 BP9, v8.5.8 BP2 January, 2026 vulnerabilities CVE-2025-54874 vulnerable, CVE-2025-59375 vulnerable in FileNet Content Manager FNCM Content Based Retrieval CBR content indexing Vulnerability Details CVEID:CVE-2025-54874 DESCRIPTION: OpenJPEG is an...

9.8CVSS6.6AI score0.01279EPSS
Exploits2Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/03 1:53 p.m.12 views

Security Bulletin: Oracle Outside In Technology (OIT) v8.5.7 BP9, v8.5.8 BP2 vulnerabilities CVE-2025-54874 (vulnerable), CVE-2025-59375 (vulnerable) in FileNet Content Manager (FNCM) Content Based Retrieval (CBR) content indexing

Summary Oracle Outside In Technology OIT v8.5.7 BP9, v8.5.8 BP2 January, 2025 vulnerabilities CVE-2025-54874 vulnerable, CVE-2025-59375 vulnerable in FileNet Content Manager FNCM Content Based Retrieval CBR content indexing Vulnerability Details CVEID:CVE-2025-54874 DESCRIPTION: OpenJPEG is an...

9.8CVSS7.3AI score0.01279EPSS
Exploits2Affected Software1
EUVD
EUVD
added 2026/05/26 2:54 p.m.13 views

EUVD-2026-31849

e107 is a content management system CMS. Prior to 2.3.4, a Broken Access Control vulnerability exists in the application, allowing an unauthorized authenticated user to edit comments posted by others. This stems from inadequate server-side access control validation, where the application depends...

6.5CVSS5.8AI score0.00181EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/22 12:31 a.m.11 views

EUVD-2026-31362

Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update without field whitelisting resulting in password change without requiring the current...

5.3CVSS5.8AI score0.00182EPSS
Exploits0References2
OSV
OSV
added 2026/05/21 9:30 p.m.3 views

CVE-2026-8413 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/page/bulk/design. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonata...

2.3CVSS5.9AI score0.0013EPSS
Exploits0References4
OSV
OSV
added 2026/05/21 9:18 p.m.2 views

CVE-2026-7886 Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter

Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments parameter which can lead to file permission bypass. The AddMessage and UpdateMessage conversation controllers accept user-supplied file attachment IDs and load files directly via $em-findFile::class,...

2.3CVSS5.8AI score0.00288EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/16 3:25 p.m.10 views

EUVD-2020-31240

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when othe...

6.4CVSS5.6AI score0.00243EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/16 3:25 p.m.46 views

CVE-2020-37238 CMS Made Simple 2.2.15 Stored XSS via SVG File Upload

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when othe...

6.4CVSS0.00243EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/16 3:25 p.m.12 views

CVE-2020-37238 CMS Made Simple 2.2.15 Stored XSS via SVG File Upload

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when othe...

6.4CVSS5.6AI score0.00243EPSS
Exploits0References4
CVE
CVE
added 2026/05/16 3:25 p.m.19 views

CVE-2020-37238

CVE-2020-37238 affects CMS Made Simple 2.2.15. The vulnerability is a stored cross-site scripting (XSS) flaw in the file manager: authenticated Content Manager users can upload SVG files containing embedded JavaScript, which executes when other authenticated users view the uploaded file, enabling...

6.4CVSS5.6AI score0.00243EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/16 12:0 a.m.15 views

PT-2026-41438

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when othe...

6.4CVSS5.6AI score0.00243EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/05/16 12:0 a.m.11 views

CMS Made Simple 跨站脚本漏洞

CMS Made Simple CMSMS is an open-source content management system developed by the Cmsms team. This system supports role-based permission management systems, wizard-based installation and update mechanisms, and intelligent caching features. Version 2.2.15 of CMS Made Simple contains a cross-site...

6.4CVSS5.6AI score0.00243EPSS
Exploits0References1
OSV
OSV
added 2026/05/12 8:19 p.m.3 views

CVE-2026-44012 Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure

Craft CMS is a content management system CMS. From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder fetches an asset by ID and returns its filename and complete folder hierarchy including volume handle, volume UID, folder names, folder UIDs, and folder URI paths without checking...

7.1CVSS6.1AI score0.00324EPSS
Exploits0References4
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/12 11:2 a.m.13 views

Security Bulletin: Content Manager Enterprise Edition for June 2026 - Multiple CVEs

Summary Content Manager Enterprise Edition is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-342...

8.7CVSS7.8AI score0.00702EPSS
Exploits1Affected Software1
Cvelist
Cvelist
added 2026/05/09 3:35 a.m.49 views

CVE-2026-42069 Kirby: Read access to site, user and role information is not gated by permissions

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0...

7.1CVSS0.00231EPSS
Exploits0References3
OSV
OSV
added 2026/04/24 12:23 a.m.2 views

CVE-2026-34587 Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint site/blueprints/users/.... ...

7.6CVSS5.9AI score0.00334EPSS
Exploits0References5
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/15 11:57 a.m.5 views

Security Bulletin: Rhino CVE-2025-66453 security vulnerability in FileNet Content Manager

Summary Rhino CVE-2025-66453 security vulnerability in FileNet Content Manager. Affected and vulnerable Vulnerability Details CVEID:CVE-2025-66453 DESCRIPTION: Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an applicatio...

7.5CVSS6.7AI score0.00235EPSS
Exploits0Affected Software1
GithubExploit
GithubExploit
added 2026/04/09 10:37 p.m.162 views

Exploit for Injection in Thedaylightstudio Fuel_Cms

CVE-2018-16763 — Fuel CMS 1.4.1 Remote Code Execution PoC...

9.8CVSS7.9AI score0.82937EPSS
Exploits17
NVD
NVD
added 2026/04/01 8:16 p.m.5 views

CVE-2026-34747

Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patche...

8.5CVSS0.00317EPSS
Exploits0References2
Rows per page
Query Builder