43687 matches found

RedhatCVE
added 2026/01/13 10:52 p.m. | 4 views

CVE-2026-22594

Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0...

CVSS: 8.1 | AI score: 6.7 | EPSS: 0.00367
Exploits: 0 | References: 1

CVE
added 2026/01/13 10:52 p.m. | 11 views

CVE-2022-50939

CVE-2022-50939 (e107 CMS 3.2.1) affects the Media Manager’s remote URL upload (image.php) in the admin interface. The upload_caption parameter is not properly sanitized, allowing an authenticated administrator to use directory traversal (../../../) to overwrite arbitrary files outside the intende...

CVSS: 8.6 | AI score: 6.8 | EPSS: 0.01087
Exploits: 1 | References: 4 | Affected Software: 1

Cvelist
added 2026/01/13 10:52 p.m. | 19 views

CVE-2022-50937 Ametys CMS v4.4.1 - Cross Site Scripting (XSS)

Ametys CMS v4.4.1 contains a persistent cross-site scripting vulnerability in the link directory's input fields for external links. Attackers can inject malicious script code in link text and descriptions to execute persistent attacks that compromise user sessions and manipulate application modul...

CVSS: 6.1 | EPSS: 0.00262
Exploits: 1 | References: 4

Cvelist
added 2026/01/13 10:52 p.m. | 24 views

CVE-2022-50936 WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated)

WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by...

CVSS: 8.8 | EPSS: 0.00785
Exploits: 1 | References: 5

Vulnrichment
added 2026/01/13 10:52 p.m. | 3 views

CVE-2022-50937 Ametys CMS v4.4.1 - Cross Site Scripting (XSS)

Ametys CMS v4.4.1 contains a persistent cross-site scripting vulnerability in the link directory's input fields for external links. Attackers can inject malicious script code in link text and descriptions to execute persistent attacks that compromise user sessions and manipulate application modul...

CVSS: 6.1 | AI score: 6.1 | EPSS: 0.00262
Exploits: 1 | References: 4

CVE
added 2026/01/13 10:52 p.m. | 15 views

CVE-2022-50937

Ametys CMS v4.4.1 contains a persistent cross-site scripting (XSS) vulnerability in the link directory’s input fields for external links. An attacker can inject script into link text and descriptions, enabling persistent attacks that can compromise user sessions and manipulate application modules...

CVSS: 6.1 | AI score: 6.1 | EPSS: 0.00262
Exploits: 1 | References: 4 | Affected Software: 1

CVE
added 2026/01/13 10:52 p.m. | 19 views

CVE-2022-50936

WBCE CMS 1.5.2 is affected by an authenticated remote code execution vulnerability in the admin panel’s droplet upload functionality. Authenticated attackers can craft a zip payload to upload a malicious droplet, enabling arbitrary PHP code execution on the server. This aligns with multiple sourc...

CVSS: 8.8 | AI score: 8.1 | EPSS: 0.00785
Exploits: 1 | References: 5 | Affected Software: 1

CVE
added 2026/01/13 10:51 p.m. | 17 views

CVE-2022-50916

CVE-2022-50916 affects e107 CMS v3.2.1. A file upload vulnerability in the Media Manager import functionality allows authenticated administrators to override server files by manipulating the upload URL parameter, potentially overwriting files like top.php in the web application directory. Publicl...

CVSS: 8.7 | AI score: 6.5 | EPSS: 0.00804
Exploits: 1 | References: 4 | Affected Software: 1

Cvelist
added 2026/01/13 10:51 p.m. | 22 views

CVE-2022-50907 e107 CMS v3.2.1 - Admin Upload Restriction Bypass + RCE

e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling remote code execution...

CVSS: 8.6 | EPSS: 0.01049
Exploits: 1 | References: 4

Vulnrichment
added 2026/01/13 10:51 p.m. | 3 views

CVE-2022-50907 e107 CMS v3.2.1 - Admin Upload Restriction Bypass + RCE

e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling remote code execution...

CVSS: 8.6 | AI score: 7.9 | EPSS: 0.01049
Exploits: 1 | References: 4

CVE
added 2026/01/13 10:51 p.m. | 14 views

CVE-2022-50907

Affected software: e107 CMS 3.2.1. Issue: a file upload restriction bypass in the Media Manager import flow allows authenticated admin users to upload PHP files outside restricted locations, enabling remote code execution. Root cause: manipulation of the upload URL parameter enables placing malic...

CVSS: 8.6 | AI score: 7.9 | EPSS: 0.01049
Exploits: 1 | References: 4 | Affected Software: 1

CVE
added 2026/01/13 10:51 p.m. | 12 views

CVE-2022-50905

CVE-2022-50905 affects e107 CMS v3.2.1. The issues: (1) a reflected XSS in the news comment flow, where an authenticated user can inject JavaScript via a URL parameter that executes when they click outside the comment field; (2) an upload restriction bypass for authenticated administrators that e...

CVSS: 9.8 | AI score: 5.5 | EPSS: 0.00574
Exploits: 1 | References: 4 | Affected Software: 1

Cvelist
added 2026/01/13 10:51 p.m. | 21 views

CVE-2022-50895 Aero CMS 0.0.1 - SQL Injection

Aero CMS 0.0.1 contains a SQL injection vulnerability in the author parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, time-based, and UNION query techniques to extract sensitive database information and potentially compromise the...

CVSS: 9.8 | EPSS: 0.00554
Exploits: 1 | References: 4

CVE
added 2026/01/13 10:51 p.m. | 17 views

CVE-2022-50895

Aero CMS 0.0.1 is affected by a SQL injection in the author parameter. The vulnerability allows attackers to manipulate SQL queries using boolean-based, error-based, time-based, and UNION techniques to extract sensitive data and potentially compromise the system. Affected component: author parame...

CVSS: 9.8 | AI score: 7.3 | EPSS: 0.00554
Exploits: 1 | References: 4 | Affected Software: 1

Vulnrichment
added 2026/01/13 10:51 p.m. | 1 views

CVE-2022-50895 Aero CMS 0.0.1 - SQL Injection

Aero CMS 0.0.1 contains a SQL injection vulnerability in the author parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, time-based, and UNION query techniques to extract sensitive database information and potentially compromise the...

CVSS: 9.8 | AI score: 7.3 | EPSS: 0.00554
Exploits: 1 | References: 4

Github Security Blog
added 2026/01/13 8:37 p.m. | 9 views

TYPO3 CMS Allows Broken Access Control in Recycler Module

Problem: Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the websit...

CVSS: 8.1 | AI score: 6.8 | EPSS: 0.0038
Exploits: 0 | References: 7 | Affected Software: 1

OSV
added 2026/01/13 8:37 p.m. | 2 views

GHSA-6C46-P6J5-3F49 TYPO3 CMS Allows Broken Access Control in Redirects Module

Problem: Backend users with access to the redirects module and write permission on the sysredirect table were able to read, create, and modify any redirect record - without restriction to the user’s own file‑mounts or web‑mounts. This allowed attackers to insert or alter redirects pointing to...

CVSS: 5.3 | AI score: 6.8 | EPSS: 0.00246
Exploits: 0 | References: 7

OSV
added 2026/01/13 8:37 p.m. | 3 views

GHSA-5J7Q-WMH7-CQHG TYPO3 CMS Allows Broken Access Control in Edit Document Controller

Problem: By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a...

CVSS: 5.3 | AI score: 6.7 | EPSS: 0.00287
Exploits: 0 | References: 7

AstraLinux
added 2026/01/13 2:1 p.m. | 3 views

Astra Linux – Vulnerability in OpenSSL

Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData messages with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing a Denial of Service, or potentially remote code execution. When parsing CMS...

CVSS: 8.8 | AI score: 7.8 | EPSS: 0.47621
Exploits: 7 | References: 3

Snyk
added 2026/01/13 1:3 p.m. | 3 views

Deserialization of Untrusted Data

Overview: typo3/cms-core is a free open source enterprise content management system. Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to deserialization of files without any class restrictions. A local attacker can execute arbitrary PHP code by crafting a...

CVSS: 7.8 | AI score: 7.5 | EPSS: 0.00165
Exploits: 0 | References: 2