CVE-2026-46620

CVE-2026-46620 affects the e107 CMS. Prior to version 2.3.5, CSRF protection for comment moderation actions was weakened because session_handler::check() only validates a token if one is present; if no token exists, the check is skipped. This could allow unauthorized state changes via CSRF where ...

EUVD-2026-31359

Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID throu...

Grav 跨站脚本漏洞

Grav is a scalable content management system CMS developed by the Grav open-source community, suitable for use in personal blogs, small content publishing platforms, and single-page product displays. Prior to Grav 9.1.0, there was a cross-site scripting vulnerability. This vulnerability stemmed...

Grav 输入验证错误漏洞

Grav is a scalable content management system CMS developed by the Grav open-source community, suitable for use in personal blogs, small content publishing platforms, and single-page product displays. Prior to Grav 2.0.0-beta.2, there was a vulnerability related to input validation errors. This...

Improper Enforcement of a Single, Unique Action

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Improper Enforcement of a Single, Unique Action through the user creation process. An attacker can remove administrative privileges and disrup...

Improper Neutralization of Special Elements Used in a Template Engine

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the Option::render and Options::factory code paths in the Option, Options, OptionsApi, and OptionsQuery classes. An attacker can inject template/query syntax into...

Kirby 安全漏洞

Kirby is a set of open-source content management systems based on files. Versions prior to Kirby 4.9.0 and 5.4.0 have security vulnerabilities. These vulnerabilities stem from improper handling of CDATA blocks by the Xml::value method, which may allow structured data outside of valid CDATA blocks...

CVE-2026-27937

October is a Content Management System CMS and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and...

Exploit-for-OSVDB-75095-LotusCMS-3.0

LotusCMS 3.0 eval RCE — Defensive Research Overview This...

Vvveb 安全漏洞

Vvveb is a powerful and easy-to-use CMS developed by Givan’s individual developers. It is used to build websites, blogs, or e-commerce stores. Version 1.0.8 of Vvveb has a security vulnerability. This vulnerability stems from an extension bypass issue in the media upload processing mechanism, whi...

MRCMS 安全漏洞

MRCMS is a content management system developed by Marker individuals. Version MRCMS 3.1.2 has a security vulnerability, which stems from improper access control. This vulnerability could allow unauthorized users to add super administrator accounts without authentication...

GHSA-HJ9C-P59C-VQPH Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation/editing module

An authenticated stored cross-site scripting XSS vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Content field...

CVE-2026-31352

Feehi CMS v2.1.1 contains an authenticated stored XSS in the Role Management module, exploitable by injecting a crafted payload into the Role Name field. The affected component is Role Management; the root cause is improper handling/escaping of input in Role Name. No exploit specifics or remedial...

PT-2026-29598

Name of the Vulnerable Software and Affected Versions Payload versions prior to 3.78.0 Description The client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. Recommendations...

CVE-2026-33886

Statamic is a Laravel and Git powered content management system CMS. Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their...

CVE-2026-33886 Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields

Statamic is a Laravel and Git powered content management system CMS. Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their...

CVE-2026-31858

Craft is a content management system CMS. The ElementSearchController::actionSearch endpoint is missing the unset protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability including criteriaorderBy, the original advisory vector works on th...

CVE-2018-25204

CVE-2018-25204 affects Library CMS 1.0. The vulnerability is an SQL injection in the admin login workflow: the username parameter is injectable, enabling unauthenticated attackers to bypass authentication via boolean-based blind SQL payloads in POST requests to the admin login endpoint, thereby g...

Craft CMS 安全漏洞

Craft CMS is an open-source content management system developed by Craft CMS. Versions prior to 4.17.8 and 5.9.14 of Craft CMS had security vulnerabilities. These vulnerabilities stemmed from lack of resource-based authorization verification, which could allow unauthorized access to private asset...

CVE-2026-31834

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient...