Search: Instantcms

21 matches found

CVE · added 2023/08/05 7:17 p.m. · 73 views

CVE-2023-4189

CVE-2023-4189 is a reflected XSS in instantsoft/icms2 before version 2.16.1-git. Red Hat, NVD, and other sources confirm that the vulnerability arises from reflecting unsanitized user input taken from the URL, enabling an attacker to inject script. The Huntr entry provides a concrete PoC path showing...

CVSS 4.8 · AI score 4.9 · EPSS 0.00409
CVE · added 2023/08/05 5:17 p.m. · 62 views

CVE-2023-4187

CVE-2023-4187 affects instantsoft/icms2 prior to 2.16.1-git with stored XSS in content handled by the system. The vulnerability is documented across multiple feeds; a Proof-of-Concept is available (Huntr) showing stored XSS in the admin item title, indicating practical exploitability in a real UI...

CVSS 4.8 · AI score 4.1 · EPSS 0.00409
CVE · added 2023/09/10 5:53 p.m. · 62 views

CVE-2023-4879

CVE-2023-4879 is a stored XSS vulnerability in the GitHub repository for instantsoft/icms2, affecting versions prior to 2.16.1.-git. The Red Hat and other records reiterate the same issue: stored cross-site scripting in icms2 before the 2.16.1.-git release. The PT Security/Huntr entries confirm t...

CVSS 4.8 · AI score 4.1 · EPSS 0.00345
CVE · added 2024/04/04 11:02 p.m. · 58 views

CVE-2024-31212

CVE-2024-31212 affects InstantCMS v2.16.2 in the index_chart_data action. The vulnerability arises from unsanitized user input passed to the core model’s filterFunc, which is embedded into an SQL statement, allowing an attacker with administrative privileges to inject SQL code. The vulnerable inp...

CVSS 7.2 · AI score 6.8 · EPSS 0.00854
CVE · added 2023/08/05 7:10 p.m. · 54 views

CVE-2023-4188

CVE-2023-4188 affects instantsoft/icms2. The Red Hat and NVD records, along with linked advisories, confirm a SQL Injection in instantsoft/icms2 prior to 2.16.1-git. The related Huntr entry describes an unauthenticated blind SQL injection in the /tags/autocomplete endpoint (term parameter) with a...

CVSS 9.8 · AI score 9.8 · EPSS 0.00777
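Added example (not part of this listing and not InstantCMS code): the two injection shapes described in the entries above, run against an in-memory SQLite table. The `tags` table, the `term` lookup and the aggregate-function allowlist are assumptions made for the demo; nothing here is taken from the advisories. The point the two entries share is that a string value can be bound as a parameter, while a function or column name is an identifier and has to be allowlisted instead.

```python
# Added example, not InstantCMS code. Assumed schema and names (hypothetical):
# a `tags` table with `title` and `hits`, an autocomplete lookup driven by a
# `term` string, and a chart query that takes an aggregate function name.
import sqlite3

ALLOWED_FUNCS = {"COUNT", "SUM", "AVG", "MIN", "MAX"}  # assumed allowlist


def make_db():
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (id INTEGER PRIMARY KEY, title TEXT, hits INTEGER)")
    conn.executemany("INSERT INTO tags (title, hits) VALUES (?, ?)",
                     [("security", 10), ("php", 5), ("cms", 3)])
    return conn


def autocomplete_vulnerable(conn, term):
    # Vulnerable: the caller-controlled term is spliced into the statement, so a
    # quote inside `term` closes the literal and the remainder is parsed as SQL.
    sql = "SELECT title FROM tags WHERE title LIKE '" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def autocomplete_safe(conn, term):
    # Fixed: the term travels as a bound parameter and the wildcard is appended
    # in code. (% and _ inside `term` still act as LIKE wildcards; add an
    # ESCAPE clause if that matters for your data.)
    return [row[0] for row in
            conn.execute("SELECT title FROM tags WHERE title LIKE ?", (term + "%",))]


def is_allowed_func(name):
    return name.upper() in ALLOWED_FUNCS


def chart_data(conn, filter_func):
    # A function name is an identifier: it cannot be parameterised, so it is
    # compared against a fixed allowlist before being interpolated at all.
    if not is_allowed_func(filter_func):
        raise ValueError("unsupported aggregate: %r" % filter_func)
    return conn.execute("SELECT %s(hits) FROM tags" % filter_func.upper()).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:   ", autocomplete_vulnerable(db, payload))  # every row
    print("parameterised:", autocomplete_safe(db, payload))        # no rows
    print("chart SUM:    ", chart_data(db, "sum"))                 # 18
```

The payload works against the vulnerable query because `--` comments out the trailing `%'`; the same string bound as a parameter is just a literal that matches nothing.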
CVE · added 2023/09/10 5:49 p.m. · 52 views

CVE-2023-4878

CVE-2023-4878 affects instantsoft/icms2 prior to 2.16.1-git. The issue is a Server-Side Request Forgery (SSRF) vulnerability in the icms2 codebase. The cited records do not describe the root cause beyond classifying the issue as SSRF. Impact is that an attacker could cause the server to make unin...

CVSS 5.4 · AI score 4.8 · EPSS 0.00317
CVE · added 2024/10/29 10:25 p.m. · 52 views

CVE-2024-50348

CVE-2024-50348 affects InstantCMS. The vulnerability is a Cross-Site Scripting (XSS) flaw in the photo upload function of the photo album page caused by insufficient input validation. This impacts versions prior to 2.16.3 and can enable an attacker to inject and execute script or HTML via crafted...

CVSS 5.4 · AI score 5.2 · EPSS 0.0032
CVE · added 2024/04/05 2:43 p.m. · 49 views

CVE-2024-31213

CVE-2024-31213 describes an open redirect in InstantCMS ICMS2 (version 2.16.2) occurring after a user modifies their profile. An attacker could lure a victim to visit a malicious site that imitates the ICMS2 flow and prompts for the user’s password, which could be sent to the attacker. The CVE no...

CVSS 5.4 · AI score 4 · EPSS 0.00399
CVE · added 2018/07/18 3:00 p.m. · 46 views

CVE-2018-14382

CVE-2018-14382 affects InstantCMS 2.10.1 with a reflected XSS via the /redirect?url= parameter. The CVE record notes an injection in this redirect parameter; CVSS v2 base score 4.3 (MEDIUM) and CVSS v3 base score 6.1 (MEDIUM). Exploitation details are not described beyond the vulnerability type in th...

CVSS 6.1 · AI score 6.3 · EPSS 0.00865
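Added example (not part of this listing and not InstantCMS code): a validator for a redirect target such as the `url` parameter in the two entries above. Only same-site targets are honoured; anything else falls back to a fixed default. The deployment host `cms.example` is an assumption for the demo. The checks go a little beyond the entries: they also cover the backslash, protocol-relative and userinfo tricks that defeat naive "starts with /" or "contains our host" filters.

```python
# Added example, not InstantCMS code. SITE_HOST is a hypothetical deployment host.
from urllib.parse import urlsplit

SITE_HOST = "cms.example"
DEFAULT_TARGET = "/"


def safe_redirect_target(url, site_host=SITE_HOST, default=DEFAULT_TARGET):
    """Return a redirect target that stays on `site_host`, or `default`."""
    if not isinstance(url, str) or not url:
        return default
    # Browsers treat backslashes like slashes, so '/\evil' means '//evil'.
    candidate = url.replace("\\", "/")
    # Control characters and whitespace can hide a second URL from a parser.
    if any(ord(ch) < 0x21 for ch in candidate):
        return default
    # Protocol-relative forms ('//host', '///host', ...) are never accepted:
    # browsers collapse the extra slashes into an authority, urlsplit does not.
    if candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme:
        # Absolute URL: only http(s), only exactly our host, and no userinfo
        # ('https://cms.example@evil' has host 'evil', not 'cms.example').
        if parts.scheme.lower() not in ("http", "https"):
            return default
        if parts.hostname != site_host or "@" in parts.netloc:
            return default
        path = parts.path or "/"
    else:
        path = parts.path
        if not path.startswith("/"):
            return default          # 'evil.example/x' or an empty path
    target = path
    if parts.query:
        target += "?" + parts.query
    return target                   # fragment dropped; it never reaches the server


if __name__ == "__main__":
    for sample in ["/profile?tab=1", "https://cms.example/profile",
                   "//evil.example/", "/\\evil.example", "javascript:alert(1)"]:
        print(repr(sample), "->", safe_redirect_target(sample))
```

Returning a path rather than the original string is deliberate: the server then issues the redirect to its own origin, so an absolute URL supplied by the attacker can never reach the Location header unchanged.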
CVE · added 2023/08/31 12:00 a.m. · 42 views

CVE-2023-4649

CVE-2023-4649 affects instantsoft/icms2 prior to 2.16.1. The issue is a session fixation vulnerability caused by the authentication cookie not being renewed after a successful login. Impact is described as limited confidentiality/integrity exposure (per CVSS data). Remediation: upgrade to icms2 2...

CVSS 5.4 · AI score 4.8 · EPSS 0.00368
CVE · added 2023/08/16 11:02 a.m. · 40 views

CVE-2023-4381

CVE-2023-4381 affects the instantsoft/icms2 CMS prior to version 2.16.1-git. The root cause is an unverified password change, enabling an attacker to change a user’s password without proper verification. Impact is described as minimal in the CVSS data, but the issue enables unauthorized password ...

CVSS 4.3 · AI score 4.6 · EPSS 0.00358
CVE · added 2023/08/31 12:00 a.m. · 39 views

CVE-2023-4654

The CVE-2023-4654 issue affects instantsoft/icms2 prior to 2.16.1, where a session cookie sent over HTTPS is set without the Secure attribute. Multiple sources (NVD entry, Red Hat advisory) corroborate this description. The root cause is the missing Secure flag on a session cookie, enabling potential c...

CVSS 3.5 · AI score 3.8 · EPSS 0.00289
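Added example (not part of this listing and not InstantCMS code): a check for the two cookie issues in CVE-2023-4649 and CVE-2023-4654 above. Given the Set-Cookie headers a server returned before and after a successful login, it reports a session cookie whose value survives the login unchanged (the condition behind session fixation) and session cookies set over HTTPS without the Secure flag (HttpOnly is checked as well). The header samples and the cookie name `sid` are constructed for the demo; icms2's real cookie name is not assumed.

```python
# Added example, not InstantCMS code. Headers and the cookie name are constructed.
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    flags: set = field(default_factory=set)    # lower-cased valueless attributes
    attrs: dict = field(default_factory=dict)  # lower-cased key -> value


def parse_set_cookie(header):
    """Minimal Set-Cookie parser: name=value, then ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        key = key.strip().lower()
        if has_value:
            cookie.attrs[key] = val.strip()
        else:
            cookie.flags.add(key)
    return cookie


def audit_session_cookies(pre_login_headers, post_login_headers, session_names, https=True):
    """Return a list of findings; an empty list means nothing was flagged."""
    before = {c.name: c for c in map(parse_set_cookie, pre_login_headers)}
    after = {c.name: c for c in map(parse_set_cookie, post_login_headers)}
    findings = []
    for name in session_names:
        current = after.get(name) or before.get(name)
        if current is None:
            continue
        # A server that does not re-issue the cookie on login, or re-issues the
        # same value, lets a pre-authentication session id become authenticated.
        if name in before and (name not in after or after[name].value == before[name].value):
            findings.append(f"{name}: session id not renewed on login (session fixation)")
        if https and "secure" not in current.flags:
            findings.append(f"{name}: missing Secure attribute on HTTPS session cookie")
        if "httponly" not in current.flags:
            findings.append(f"{name}: missing HttpOnly attribute")
    return findings


# Constructed responses: the weak server keeps the same id and never sets Secure.
PRE_LOGIN = ["sid=a1b2c3d4; Path=/; HttpOnly"]
POST_LOGIN_WEAK = ["sid=a1b2c3d4; Path=/; HttpOnly"]
POST_LOGIN_FIXED = ["sid=z9y8x7w6; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for finding in audit_session_cookies(PRE_LOGIN, POST_LOGIN_WEAK, ["sid"]):
        print("WEAK: ", finding)
    print("FIXED:", audit_session_cookies(PRE_LOGIN, POST_LOGIN_FIXED, ["sid"]))
```

To use this against a live instance, capture the Set-Cookie headers of the page that first creates the session and of the login response, and pass them in; the server that is clean issues a fresh id with Secure and HttpOnly on login.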
CVE · added 2023/08/31 12:00 a.m. · 37 views

CVE-2023-4655

CVE-2023-4655 affects instantsoft/icms2 prior to 2.16.1, described as a reflected Cross-site Scripting (XSS) in the web UI. The vulnerability arises from input that is echoed in responses, enabling script execution in a user’s browser. No explicit exploitation status is provided in the initial/co...

CVSS 6.1 · AI score 4.8 · EPSS 0.00408
CVE · added 2023/08/31 12:00 a.m. · 35 views

CVE-2023-4651

CVE-2023-4651 describes a Server-Side Request Forgery (SSRF) in instantsoft/icms2 prior to 2.16.1. Affected component: icms2 server handling image/url fetches. Root cause: SSRF in how URLs are processed, allowing the server to make unintended requests. Impact: as described by the sources, potenti...

CVSS 6.4 · AI score 5.6 · EPSS 0.00349
CVE · added 2023/09/01 9:55 a.m. · 35 views

CVE-2023-4704

CVE-2023-4704 affects instantsoft/icms2 prior to 2.16.1-git, where an External Control of System or Configuration Setting vulnerability exists in the GitHub-hosted project. The Red Hat/NVD entries confirm the issue as an external control of configuration settings, enabling an attacker with networ...

CVSS 8.8 · AI score 6.1 · EPSS 0.00739
CVE · added 2023/08/31 12:00 a.m. · 33 views

CVE-2023-4652

CVE-2023-4652 is a stored Cross-site Scripting (XSS) vulnerability affecting instantsoft/icms2 releases prior to 2.16.1-git. Multiple sources confirm the issue is a stored XSS in icms2, with exploitation via attacker-supplied input that can induce script execution in an affected user’s browser. P...

CVSS 6.8 · AI score 5.6 · EPSS 0.00438
CVE · added 2023/08/31 12:00 a.m. · 33 views

CVE-2023-4653

CVE-2023-4653 is a stored XSS vulnerability in instantsoft/icms2 prior to 2.16.1-git. The Red Hat and CVE records corroborate stored XSS in icms2, affecting versions before 2.16.1-git. The issue stems from input handling in the affected module (admin/comments path in the Huntr PoC reference), ena...

CVSS 5.9 · AI score 5.1 · EPSS 0.00426
CVE · added 2023/08/31 12:00 a.m. · 31 views

CVE-2023-4650

CVE-2023-4650 affects instantsoft/icms2 prior to 2.16.1-git and is described as improper access control in the admin account management functionality. Connected sources confirm an admin account takeover vector exists: a PoC demonstrates that an authenticated admin can change other admins’ passwords, e...

CVSS 4.7 · AI score 4.7 · EPSS 0.00453
CVE · added 2025/09/11 6:46 p.m. · 20 views

CVE-2025-59055

CVE-2025-59055 concerns InstantCMS up to version 2.17.3, where a blind SSRF vulnerability exists in the installer’s package parameter. The underlying issue allows an authenticated attacker to make arbitrary HTTP/HTTPS requests, enabling actions such as scanning internal networks, invoking local s...

CVSS 7.2 · AI score 6.2 · EPSS 0.00423
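Added example (not part of this listing and not InstantCMS code): a fetch-URL gate of the kind that closes the SSRF class in CVE-2023-4878, CVE-2023-4651 and CVE-2025-59055 above, whether the server is fetching an image by URL or an installer package. It allows only http(s) on the standard ports, refuses userinfo, resolves the host and rejects any address that is not publicly routable, including IPv4-mapped IPv6 and names that resolve to a mix of public and internal addresses. The host names and the offline resolver table are constructed for the demo; the function and parameter names are not icms2's.

```python
# Added example, not InstantCMS code. Host names in the demo table are constructed.
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolver(host):
    """Every address a name resolves to; the attacker controls DNS, so each must pass."""
    # Strip a scope id such as '%eth0' that getaddrinfo may append to link-local IPv6.
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


def resolver_from_table(table):
    """Offline resolver for tests and demos; literal IP hosts resolve to themselves."""
    def resolve(host):
        if host in table:
            return set(table[host])
        try:
            ipaddress.ip_address(host)
            return {host}
        except ValueError:
            return set()
    return resolve


def is_public_address(text):
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url, resolver=system_resolver):
    """Return (scheme, host, port, addresses) for an acceptable URL, else raise ValueError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)   # file:, gopher:, dict: ...
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in (80, 443):
        raise ValueError("port not allowed: %d" % port)     # no port scanning via the fetcher
    addresses = resolver(host)
    if not addresses:
        raise ValueError("host did not resolve")
    internal = sorted(a for a in addresses if not is_public_address(a))
    if internal:
        raise ValueError("host resolves to non-public address(es): %s" % ", ".join(internal))
    # The caller should connect to one of `addresses`, not resolve the name a
    # second time (DNS rebinding), and re-run this check on every redirect.
    return scheme, host, port, addresses


def is_fetch_url_allowed(url, resolver=system_resolver):
    try:
        validate_fetch_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    demo = resolver_from_table({"example.org": ["93.184.216.34"],
                                "metadata.internal": ["169.254.169.254"]})
    for sample in ["https://example.org/pkg.zip", "http://127.0.0.1/",
                   "http://metadata.internal/latest/", "file:///etc/passwd"]:
        print(sample, "->", is_fetch_url_allowed(sample, demo))
```

A blocklist of literal strings ("127.0.0.1", "localhost") is not enough: decimal and hex forms of the loopback address, IPv6 literals, IPv4-mapped addresses and attacker-controlled DNS all bypass it, which is why the check works on resolved addresses.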
CVE · added 2025/08/01 8:41 p.m. · 19 views

CVE-2013-10051

InstantCMS

CVSS 9.8 · AI score 7.8 · EPSS 0.01894
CVE · added 2026/03/09 10:13 p.m. · 8 views

CVE-2026-28281

InstantCMS prior to version 2.18.1 is affected by CSRF vulnerabilities due to missing CSRF token validation. The flaw allows attackers to perform actions on behalf of a user (grant moderator privileges, execute scheduled tasks, move posts to trash, accept friend requests). Mitigation is to upgrad...

CVSS 7.1 · AI score 5.8 · EPSS 0.00127
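Added example (not part of this listing and not InstantCMS code): the missing validation described in the entry above, shown as a per-session synchronizer token plus request-origin checks, with one of the listed actions ("grant moderator privileges") in its unprotected and protected forms. Requests and sessions are plain dicts constructed for the demo; the header names are the standard `Origin` and `Sec-Fetch-Site`, while the field name `csrf_token` and the handler shapes are assumptions.

```python
# Added example, not InstantCMS code. Sessions and requests are constructed dicts.
import hmac
import secrets

STATE_CHANGING = ("POST", "PUT", "PATCH", "DELETE")


def issue_csrf_token(session):
    """Create the per-session token once and return it for embedding in forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_check(session, request, site_origin):
    """Return None when the request may proceed, otherwise the reason it is refused."""
    # A forged <img> or link is a GET; state changes must not be reachable that way.
    if request["method"] not in STATE_CHANGING:
        return "state-changing action reached via a safe method"
    headers = request.get("headers", {})
    fetch_site = headers.get("Sec-Fetch-Site")
    if fetch_site is not None and fetch_site not in ("same-origin", "none"):
        return "cross-site request (Sec-Fetch-Site=%s)" % fetch_site
    origin = headers.get("Origin")
    if origin is not None and origin != site_origin:
        return "Origin mismatch (%s)" % origin
    # The token is the primary control; the header checks above are defence in depth.
    expected = session.get("csrf_token", "")
    supplied = request.get("form", {}).get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "missing or invalid CSRF token"
    return None


def grant_moderator_vulnerable(session, request, users):
    """Honours any authenticated request, including a forged cross-site GET."""
    if "user" not in session:
        return False
    users[request["params"]["uid"]]["role"] = "moderator"
    return True


def grant_moderator_protected(session, request, users, site_origin="https://cms.example"):
    """Same action, gated on csrf_check."""
    if "user" not in session or csrf_check(session, request, site_origin) is not None:
        return False
    users[request["params"]["uid"]]["role"] = "moderator"
    return True


if __name__ == "__main__":
    session, users = {"user": "admin"}, {"7": {"role": "user"}}
    forged = {"method": "GET", "headers": {"Sec-Fetch-Site": "cross-site"},
              "params": {"uid": "7"}}
    print("vulnerable handler accepted forged request:",
          grant_moderator_vulnerable(session, forged, users))
    users["7"]["role"] = "user"
    print("protected handler accepted forged request:",
          grant_moderator_protected(session, forged, users))
    legit = {"method": "POST", "headers": {"Origin": "https://cms.example"},
             "params": {"uid": "7"}, "form": {"csrf_token": issue_csrf_token(session)}}
    print("protected handler accepted legitimate request:",
          grant_moderator_protected(session, legit, users))
```

`hmac.compare_digest` keeps the token comparison constant-time, and the token lives in the server-side session, so a cross-site page that can trigger the request still cannot read the value it would need to include.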