CMS Made Simple（CMSMS） 路径遍历漏洞

CMS Made Simple CMSMS is an open-source content management system developed by the Cmsms team. This system supports role-based permission management, wizard-based installation and update mechanisms, and intelligent caching features. Version 2.2.22 and earlier of CMS Made Simple contained a path...

baserCMS 操作系统命令注入漏洞

BaserCMS is a corporate-level content management system CMS developed by the BaserCMS team. Versions of BaserCMS prior to 5.2.3 had a vulnerability related to operating system command injection. This vulnerability originated from the core module of the installation process. Attackers could...

📄 Grav CMS 1.7.49.5 Remote Code Execution

Grav CMS versions 1.7.49.5 and below with Admin Plugin versions 1.10.49.3 and below are vulnerable to an authenticated remote code execution vulnerability via the "Direct Install" feature in the administrative interface. An authenticated administrator can upload a crafted plugin archive containin...

baserCMS SQL注入漏洞

BaserCMS is a corporate-level content management system CMS developed by the BaserCMS team. Versions of BaserCMS prior to 5.2.3 had an SQL injection vulnerability; this vulnerability originated from the blog article-related functionality and made it susceptible to SQL injection attacks...

CVE-2026-30878

creationtimestamp| type| source ---|---|--- 2026-03-30 23:03:52+00:00| published-proof-of-concept| https://github.com/baserproject/basercms/security/advisories/GHSA-8cr7-r8qw-gp3c...

EUVD-2026-17148

Grav CMS v1.7.x and before is vulnerable to XML External Entity XXE through the SVG file upload functionality in the admin panel and File Manager plugin...

XML External Entity (XXE) Injection

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to XML External Entity XXE Injection via the SVG file upload functionality in the admin panel and File Manager plugin. An attacker can access...

CVE-2026-34558 CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or...

CVE-2026-34558 CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or...

CVE-2026-27599 CI4MS: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Mail Settings. Several configuration...

CVE-2026-29924

Grav CMS v1.7.x and before is vulnerable to XML External Entity XXE through the SVG file upload functionality in the admin panel and File Manager plugin...

EUVD-2026-17094

Incorrect access control in the filedetails.asp endpoint of DDSN Interactive Acora CMS v10.7.1 allows attackers with editor privileges to access sensitive files via crafted requests...

@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files

Summary A Path Traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server...

CVE-2026-29597

DDSN Interactive cm3 Acora CMS version 10.7.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive configuration files by force browsing the “/Admin/filemanager/filedetails.asp” endpoint and manipulating the “file” parameter. By referencing specific...

CVE-2026-29924

Grav CMS v1.7.x and before is vulnerable to XML External Entity XXE through the SVG file upload functionality in the admin panel and File Manager plugin...

PT-2026-29038

CVE-2026-29597 Incorrect access control in the file details.asp endpoint of DDSN Interactive Acora CMS v10.7.1 allows attackers with editor privileges to access sensitive files via … https://t.co/pzg5FME6z1...

PT-2026-29127

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.0.0 Description CI4MS is a CodeIgniter 4-based CMS skeleton offering a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application does not properly...

CVE-2026-29924

Grav CMS v1.7.x and before is vulnerable to XML External Entity XXE through the SVG file upload functionality in the admin panel and File Manager plugin...

PT-2026-29117

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.0.0 Description CI4MS, a CodeIgniter 4-based CMS skeleton, does not properly sanitize user-controlled input within System Settings – Mail Settings. Configuration fields, including Mail Server, Mail Port, Email...

PT-2026-29157

Name of the Vulnerable Software and Affected Versions Tina versions prior to 2.2.2 Description A path traversal vulnerability exists in @tinacms/graphql, allowing unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePat...