CVE-2025-70363
Incorrect access control in the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x allows unauthenticated attackers to access sensitive data via enumerating object IDs...
EUVD-2025-208341
Incorrect access control in the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x allows unauthenticated attackers to access sensitive data via enumerating object IDs...
CVE-2019-12139
An XSS issue was discovered in the Admin UI in eZ Platform 2.x. This affects ezplatform-admin-ui 1.3.x before 1.3.5 and 1.4.x before 1.4.4, and ezplatform-page-builder 1.1.x before 1.1.5 and 1.2.x before 1.2.4...
EUVD-2023-1083
Malicious code in bioql PyPI...
EUVD-2022-3342
Malicious code in bioql PyPI...
EUVD-2023-0895
Malicious code in bioql PyPI...
EUVD-2025-18275
Malicious code in bioql PyPI...
EUVD-2025-18274
Malicious code in bioql PyPI...
EUVD-2023-0981
Malicious code in bioql PyPI...
CVE-2022-48365
An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges...
CVE-2022-48366
An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It allows determining account existence via a timing attack...
CVE-2021-46875
An issue was discovered in eZ Platform Ibexa Kernel before 1.3.1.1. An XSS attack can occur because JavaScript code can be uploaded in a .html or .js file...
GHSA-RHM7-7469-RCPW Persistent Cross-site Scripting in eZ Platform Rich Text Field Type
Impact The validator for the RichText fieldtype blocklists javascript: and vbscript: in links to prevent XSS. This can leave other options open, and the check can be circumvented using upper case. Content editing permissions for RichText content is required to exploit this vulnerability, which...
GHSA-GC5H-6JX9-Q2QH eZ Platform Admin UI vulnerable to DOM-based Cross-site Scripting in file upload widget
Impact The file upload widget is vulnerable to XSS payloads in filenames. Access permission to upload files is required. As such, in most cases only authenticated editors and administrators will have the required permission. It is not persistent, i.e. the payload is only executed during the uploa...
Cache Poisoning
ezsystems/ezplatform is vulnerable to cache poisoning. The vulnerability is due to the inability to prevent front-controller script inclusion in URLs when using eZ Platform Cloud or within the .platform.app.yaml configuration file. It allows an attacker to manipulate the cache and potentially ser...
Access Bypass
ezsystems/ezplatform is vulnerable to Access Bypass. The vulnerability is due to inadequate rewrite rules for blocking access to executable files in the var directory when using eZ Platform Cloud on Platform.sh...
GHSA-3G43-XFRW-PV5M eZ Platform User data disclosure
In eZ Platform v2.3.x it is possible to bypass permission checks in a particular case. This means user data such as name and email but not passwords or password hashes can be read by unauthenticated users. This affects only v2.3.x. If you use v2.2.x or older you are not affected. To install, use...