CVE-2024-22559
CVE-2024-22559 affects LightCMS v2.0 with a Cross-Site Scripting (XSS) vulnerability in the Content Management – Articles field. The CVSSv3.1 base score is 5.4 (Medium) with Network attack vector, Low attack complexity, Privileges Required: Low, User Interaction: Required, Scope: Changed, and imp...
CVE-2022-33009
LightCMS v1.3.11 has a stored XSS vulnerability exploitable by uploading a crafted PDF file. Root cause: insufficient validation of user-supplied data and output filtering. Impact is client-side script execution. Affected version: LightCMS 1.3.11. No remediation details are provided in the suppli...
CVE-2021-3355
LightCMS v1.3.4 contains a stored-self XSS in the Title field used for Sensitive Words (to /admin/SensitiveWords). Exploitation involves injecting HTML/JavaScript into the vulnerable title, with PoC payloads available (e.g., from Exploit-DB). The issue is confirmed across multiple sources (NVD, C...
CVE-2023-27060
LightCMS v1.3.7 contains a remote code execution (RCE) vulnerability exploitable via the image:make function. Affected software: LightCMS 1.3.7. Root cause: ability to trigger arbitrary code execution through image:make. Impact: high/critical risk (per CVSS 3.1 metrics in the CVE entry). Remediat...
CVE-2021-27112
LightCMS v1.3.5 is affected by a remote code execution vulnerability in /app/Http/Controllers/Admin/NEditorController.php during external image download. The issue enables arbitrary code execution on successful exploitation, with no exploitation details provided in the sources. Affected product: ...
CVE-2026-29934
CVE-2026-29934 describes a reflected XSS in Lightcms v2.0, specifically the /admin/menus component. An attacker can inject arbitrary JavaScript by manipulating the Referer header in requests, causing the payload to execute in the user’s browser context. Public notes across multiple feeds corrobor...