CVE-2020-20700
A stored cross-site scripting (XSS) vulnerability in /app/formadd/ of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Title Entry text box...
CVE-2019-9925
S-CMS PHP v1.0 has XSS in 4.edu.php via the Sid parameter...
CVE-2019-10708
S-CMS PHP v1.0 has SQL injection via the 4/js/scms.php?action=unlike id parameter...
CVE-2019-10237
S-CMS PHP v1.0 has a CSRF vulnerability to add a new admin user via the 4.edu.php/admin/ajax.php?type=admin=add&lang=0 URI, a related issue to CVE-2019-9040...
CVE-2018-18887
S-CMS PHP 1.0 has SQL injection in member/membernews.php via the type parameter aka the $Ntype field...
CVE-2019-9040
S-CMS PHP v3.0 has a CSRF vulnerability to add a new admin user via the admin/ajax.php?type=admin=add URI, a related issue to CVE-2018-19332...
CVE-2023-31585
Grocery-CMS-PHP-Restful-API v1.3 is vulnerable to a file upload flaw via /admin/add-category.php. The issue, confirmed across multiple sources, permits uploading arbitrary files, with CVSS v3.1 indicating Network attack, no privileges required, no user interaction, and high impact to confidential...
CVE-2023-31585
Grocery-CMS-PHP-Restful-API v1.3 is vulnerable to File Upload via /admin/add-category.php...
CVE-2025-32028
HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a 'save' function in 'HAXCMSFile.php'. This save function uses a denylist to block specific file types from being uploaded to the server. This list is...
CVE-2025-32028 HAX CMS PHP allows Insecure File Upload to Lead to Remote Code Execution
HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a 'save' function in 'HAXCMSFile.php'. This save function uses a denylist to block specific file types from being uploaded to the server. This list is...
CVE-2025-32028
CVE-2025-32028 affects HAX CMS PHP. The issue lies in the save() function in HAXCMSFile.php, which blocks only a non-exhaustive list of file types (.php, .sh, .js, .css); the logic is described as fail-open, enabling insecure file uploads. This can lead to remote code execution as described acros...
CVE-2022-4302 White Label CMS < 2.5 - Admin+ PHP Object Injection
The White Label CMS WordPress plugin before 2.5 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...
CVE-2021-35284
SQL Injection vulnerability in function getuser in loginmanager.php in rizalafani cms-php v1...
SQL injection
SQL Injection vulnerability in function getuser in loginmanager.php in rizalafani cms-php v1...
CVE-2021-35284
CVE-2021-35284 affects rizalafani cms-php v1, with a SQL Injection vulnerability in the get_user function (login_manager.php). The issue is described across multiple sources as SQL injection in the get_user routine, consistent with a high-severity CVSS3.1 impact (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A...
Fork CMS Cross-Site Scripting Vulnerability (CNVD-2021-83552)
Fork CMS is an open source content management system (CMS) developed using PHP. The system contains blogs, questions and answers, forms and other modules. A cross-site scripting vulnerability exists in Fork CMS Content Management System version 5.8.0, which can be exploited by an attacker to...
CVE-2020-20701
A stored cross-site scripting (XSS) vulnerability in /app/config/ of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...