Lucene search
K

12 matches found

RedhatCVE
RedhatCVE
added 2026/05/13 8:23 p.m.10 views

CVE-2026-44012

Craft CMS is a content management system CMS. From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder fetches an asset by ID and returns its filename and complete folder hierarchy including volume handle, volume UID, folder names, folder UIDs, and folder URI paths without checking...

7.1CVSS6AI score0.00324EPSS
Exploits0References1
NVD
NVD
added 2026/05/12 9:16 p.m.16 views

CVE-2026-44012

Craft CMS is a content management system CMS. From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder fetches an asset by ID and returns its filename and complete folder hierarchy including volume handle, volume UID, folder names, folder UIDs, and folder URI paths without checking...

7.1CVSS0.00324EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/21 11:34 p.m.5 views

EUVD-2026-24569

Craft CMS is a content management system CMS. Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume" and "Create...

7CVSS5.7AI score0.00275EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/02/06 7:11 p.m.4 views

CVE-2026-22254

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would...

5.6AI score0.00251EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/02/06 7:11 p.m.5 views

EUVD-2026-5618

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would...

5.6AI score0.00251EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/02/06 7:11 p.m.27 views

CVE-2026-22254 Winter Affected by Stored Cross-Site Scripting (XSS) in Asset Manager

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would...

0.00251EPSS
Exploits0References3
Snyk
Snyk
added 2026/02/04 9:32 p.m.3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Asset Manager upload process. A user with cms.manageassets permission can execute arbitrary scripts in the context of the affected application by uploading specially crafted SVG files. Details Cross-site...

4.8CVSS5.5AI score0.00251EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/02/04 12:0 a.m.5 views

PT-2026-6448

Impact Affected versions of Winter CMS allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage asse...

5.3AI score
Exploits0References4
EUVD
EUVD
added 2025/10/07 12:30 a.m.7 views

EUVD-2020-0474

Malware in sbrugna...

4CVSS3.8AI score0.0118EPSS
Exploits3References7
Snyk
Snyk
added 2023/12/07 6:44 a.m.5 views

Cross-site Scripting (XSS)

Overview Squidex.ClientLibrary is a ClientLibrary for Squidex Headless CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS due an incomplete blacklist in the SVG inspection process. An attacker can inject malicious JavaScript via the SRC attribute of an IFRAME elemen...

5.4CVSS5.3AI score0.00569EPSS
Exploits1References2
Snyk
Snyk
added 2019/03/19 2:37 p.m.2 views

Arbitrary File Upload

Overview pimcore/pimcore is a content & product management framework CMS/PIM/E-Commerce. Affected versions of this package are vulnerable to Arbitrary File Upload. It is possible to for a user to upload a .php file when creating a permission on the assets feature, resulting in arbitrary code...

8.8CVSS7.7AI score0.01399EPSS
Exploits0References2
Prion
Prion
added 2015/08/18 5:59 p.m.18 views

Directory traversal

Directory traversal vulnerability in pimcore before build 3473 allows remote authenticated users with the "assets" permission to create or write to arbitrary files via a .. dot dot in the dir parameter to admin/asset/add-asset-compatibility...

4.9CVSS6.8AI score0.03814EPSS
Exploits5References3
Rows per page
Query Builder