17 matches found
Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS : CiviCRM vulnerability (USN-8242-1)
The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8242-1 advisory. Takuya Aramaki discovered that Smarty, vendored in CiviCRM, did not properly escape JavaScript code. An attacker could possibl...
CVE-2023-25440
Stored Cross Site Scripting (XSS) vulnerability in the add contact function of CiviCRM 5.59.alpha1 allows attackers to execute arbitrary code in the first/second name field...
Linux Distros Unpatched Vulnerability : CVE-2025-65187
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript...
PT-2025-48712
A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed...
EUVD-2020-23920
Malware in sbrugna...
EUVD-2015-4414
Malware in sbrugna...
EUVD-2011-5139
Malware in sbrugna...
EUVD-2020-23919
Malware in sbrugna...
EUVD-2023-29395
Malicious code in bioql PyPI...
CVE-2020-36389
In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF...
CVE-2011-5239
CiviCRM 4.0.5 and 4.1.1 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...
CVE-2025-32551 WordPress Connector to CiviCRM with CiviMcRestFace plugin <= 1.0.8 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jaap Jansma Connector to CiviCRM with CiviMcRestFace allows Reflected XSS. This issue affects Connector to CiviCRM with CiviMcRestFace: from n/a through 1.0.8...
CVE-2025-31618 WordPress Connector to CiviCRM with CiviMcRestFace plugin <= 1.0.9 - Broken Access Control vulnerability
Missing Authorization vulnerability in Jaap Jansma Connector to CiviCRM with CiviMcRestFace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Connector to CiviCRM with CiviMcRestFace: from n/a through 1.0.9...
Linux Distros Unpatched Vulnerability : CVE-2023-25440
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Stored Cross Site Scripting (XSS) vulnerability in the add contact function of CiviCRM 5.59.alpha1 allows attackers to execute arbitrary code in the first/second name...
CVE-2023-25440
Stored Cross Site Scripting (XSS) vulnerability in the add contact function of CiviCRM 5.59.alpha1 allows attackers to execute arbitrary code in the first/second name field...
Cross-Site Request Forgery (CSRF)
civicrm/civicrm-core is vulnerable to cross-site request forgery. Lack of sufficient validation on the configuration form allows a malicious third-party to trick a CiviCRM administrator into changing the configuration...
PT-2020-6425 · Civicrm · Civicrm
Name of the Vulnerable Software and Affected Versions: CiviCRM versions 5.22.x through 5.24.x before 5.24.3; CiviCRM versions prior to 5.21.3. Description: The issue in CiviCRM is related to the possibility of uploading and executing PHAR archives. Exploitation of this issue may allow a remote...