9 matches found
CVE-2026-7435
SSCMS v7.4.0 contains a SQL injection vulnerability in the stl:sqlContent tag where the queryString attribute is passed directly to database execution without parameterization or sanitization. Attackers can craft encrypted payloads submitted to the /api/stl/actions/dynamic endpoint to execute...
CVE-2026-4542
A vulnerability has been found in SSCMS 4.7.0. The affected element is an unknown function of the file LayerImageController.Submit.cs of the component layerImage Endpoint. Such manipulation of the argument filePaths leads to path traversal. The attack may be performed from remote. The exploit has...
CVE-2026-4222 SSCMS download PathUtils.RemoveParentPath path traversal
A vulnerability was determined in SSCMS up to 7.4.0. This vulnerability affects the function PathUtils.RemoveParentPath of the file /api/admin/plugins/install/actions/download. This manipulation of the argument path causes path traversal. Remote exploitation of the attack is possible. The exploit...
CVE-2023-43951
SSCMS 7.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the Column Management component...
CVE-2023-43952
SSCMS 7.2.2 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Material Management component...
EUVD-2025-23655
Malicious code in bioql PyPI...
EUVD-2023-48311
Malicious code in bioql PyPI...
CVE-2025-45529
An arbitrary file read vulnerability in the ReadTextAsynchronous function of SSCMS v7.3.1 allows attackers to read arbitrary files via sending a crafted GET request to /cms/templates/templatesAssetsEditor...
CVE-2025-45529
CVE-2025-45529 affects SSCMS v7.3.1. The vulnerability resides in the ReadTextAsynchronous function, allowing an attacker to read arbitrary files by crafting a GET request to the endpoint /cms/templates/templatesAssetsEditor. Multiple connected sources confirm the same issue and root cause. A pra...