CVE-2022-25464

A stored cross-site scripting (XSS) vulnerability in the component /admin/contenttemp of DoraCMS v2.1.8 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE-2022-35147

DoraCMS v2.18 and earlier allows attackers to bypass login authentication via a crafted HTTP request.