Lucene search
K

43672 matches found

CVE
CVE
added 2026/02/03 10:1 p.m.21 views

CVE-2020-37073

Victor CMS 1.0 has an authenticated file-upload flaw in the user_image parameter. The vulnerability allows an administrator to upload arbitrary PHP files (a PHP shell) to the /img/ directory, enabling command execution when the uploaded file is accessed with a cmd parameter. The issue is describe...

8.8CVSS5.8AI score0.00471EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/02/03 10:1 p.m.14 views

CVE-2020-37072

Victor CMS 1.0 is affected by a stored cross-site scripting (XSS) flaw in the 'comment_author' POST parameter. The vulnerability allows an attacker to inject JavaScript that executes in a victim’s browser when comments are processed. Documented as CVE-2020-37072, the issue is described with a net...

7.2CVSS5.7AI score0.00234EPSS
Exploits1References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/02/03 10:1 p.m.2 views

CVE-2020-37072

Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'commentauthor' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers...

7.2CVSS5.7AI score0.00234EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/02/03 10:1 p.m.26 views

CVE-2020-37072 Victor CMS 1.0 - 'comment_author' Persistent Cross-Site Scripting

Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'commentauthor' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers...

7.2CVSS0.00234EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/02/03 9:19 p.m.7 views

CVE-2026-1770

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE Remote Code...

7.3CVSS5.7AI score0.00425EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/03 9:17 p.m.32 views

CVE-2026-25510 CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution RCE by leveraging the file creation and sav...

9.9CVSS0.00805EPSS
Exploits1References2
EUVD
EUVD
added 2026/02/03 9:17 p.m.10 views

EUVD-2026-5162

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution RCE by leveraging the file creation and sav...

9.9CVSS6.1AI score0.00805EPSS
Exploits1References2
EUVD
EUVD
added 2026/02/03 9:16 p.m.7 views

EUVD-2026-5163

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether...

5.3CVSS5.5AI score0.00349EPSS
Exploits0References2
CVE
CVE
added 2026/02/03 9:16 p.m.16 views

CVE-2026-25509

CI4MS is a CodeIgniter 4–based CMS skeleton. A vulnerability in the authentication flow allows unauthenticated attackers to enumerate registered emails via password-reset responses, by differentiating between existing vs non-existing emails. The issue is documented across multiple feeds (NVD, Red...

5.3CVSS5.5AI score0.00349EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/02/03 7:16 p.m.27 views

CVE-2026-25484

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input source is in Commerce Product Type setting...

4.8CVSS0.00261EPSS
Exploits1References4
OSV
OSV
added 2026/02/03 6:16 p.m.4 views

CVE-2020-37110

60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. Attackers can exploit vulnerable query parameters like 'title' to inject malicious SQL code and potentially extract or modif...

9.8CVSS5.4AI score
Exploits0References3
NVD
NVD
added 2026/02/03 6:16 p.m.3 views

CVE-2020-37110

60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. Attackers can exploit vulnerable query parameters like 'title' to inject malicious SQL code and potentially extract or modif...

9.8CVSS0.00349EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/02/03 6:10 p.m.26 views

CVE-2026-25522 Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone Name & Descriptio...

6.1CVSS0.00261EPSS
Exploits1References4
CVE
CVE
added 2026/02/03 6:7 p.m.20 views

CVE-2026-25489

Craft Commerce (Craft CMS) has a stored XSS vulnerability in the Tax Zones Name and Description fields that can execute injected JavaScript in an administrator’s browser. Affected versions are 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1; the issue arises because sanitization is insufficient ...

6.1CVSS5.4AI score0.00283EPSS
Exploits1References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/03 6:7 p.m.1 views

CVE-2026-25487 Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the...

6.1CVSS5.5AI score0.00261EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/02/03 6:6 p.m.3 views

CVE-2026-25484

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input source is in Commerce Product Type setting...

4.8CVSS5.3AI score0.00261EPSS
Exploits1References5Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/03 6:5 p.m.1 views

CVE-2026-25483 Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script...

6.2CVSS5.4AI score0.003EPSS
Exploits1References4
EUVD
EUVD
added 2026/02/03 6:5 p.m.3 views

EUVD-2026-5211

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowi...

6.2CVSS5.5AI score0.00304EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/02/03 4:52 p.m.29 views

CVE-2020-37111 60CycleCMS 2.5.2 - 'news.php' Cross-site Scripting (XSS) Vulnerability

60CycleCMS 2.5.2 contains a cross-site scripting XSS vulnerability in news.php that allows attackers to inject malicious scripts through GET parameters. Attackers can craft malicious URLs with XSS payloads targeting the 'etsu' and 'ltsu' parameters to execute arbitrary scripts in victim's browser...

6.1CVSS0.00255EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/02/03 4:52 p.m.6 views

CVE-2020-37110

60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. Attackers can exploit vulnerable query parameters like 'title' to inject malicious SQL code and potentially extract or modif...

8.8CVSS5.2AI score0.00349EPSS
Exploits1References3Affected Software1
Rows per page
Query Builder