CVE-2006-2519
Summary of CVE-2006-2519 (phpwcms/spaw_root RFI) Affected product: phpwcms 1.2.5-DEV (a note on SPAW Editor PHP Edition indicates the underlying issue may be in SPAW Editor PHP Edition). Vulnerability: Directory traversal allows remote attackers to include arbitrary local files via .. sequences in th...
CVE-2021-4301
The CVE-2021-4301 entry affects slackero phpwcms (versions up to 1.9.26). The root cause is SQL injection triggered by manipulating the PHP variable phpwcms['db_prepend']. Impact is SQL injection with remote attack potential on affected installations. A fix is available in phpwcms 1.9.27, with th...
CVE-2011-3789
The CVE-2011-3789 entry concerns phpwcms 1.4.7 r412, where remote attackers can disclose sensitive information by directly requesting certain PHP files (e.g., template/inc_script/frontend_render/disabled/majonavi.php), causing error messages to reveal the installation path. The connected sources ...
CVE-2025-5497
CVE-2025-5497 affects Slackero’s phpwcms Feedimport Module (processing.inc.php) where manipulating the cnt_text argument leads to deserialization. The vulnerability exists in phpwcms versions up to 1.9.45/1.10.8 and can be triggered remotely; public exploits have been disclosed. A fix is availabl...
CVE-2021-36425
CVE-2021-36425 affects phpwcms 1.9.25; related entries describe a directory traversal vulnerability. An attacker can delete arbitrary files by supplying an unfiltered file parameter to the unlink call in the file path include/inc_act/act_ftptakeover.php. The connected documents confirm the vuln...
CVE-2021-4302
The CVE-2021-4302 issue affects slackero phpwcms versions up to 1.9.26, specifically the SVG File Handler. The vulnerability enables cross-site scripting and can be triggered remotely. Root cause details are not fully disclosed in the provided documents, but the documented mitigation is to upgrad...
CVE-2025-5498
Slackero phpWCMS contains a deserialization vulnerability in cnt21.readform.inc.php (file_cnt: file_get_contents/is_file) triggered by manipulating the cpage_custom parameter. Affected versions: 1.9.45 and earlier, and 1.10.8 and earlier. Exploitation can be performed remotely; public disclosure ...
CVE-2025-5499
Slackero phpwcms versions up to 1.9.45 and 1.10.8 are affected. The vulnerability is in image_resized.php, specifically the is_file/getimagesize usage, where manipulation of the imgfile argument leads to deserialization. This can be exploited remotely and has been publicly disclosed. Remediation:...
CVE-2005-3789
phpwcms 1.2.5 is affected by multiple directory traversal vulnerabilities. The issues allow remote attackers to read arbitrary local files via dot-dot in the form_lang parameter of login.php and the imgdir parameter in random_image.php. A Nessus plugin also notes that the form_lang issue could le...
CVE-2006-7019
Summary: CVE-2006-7019 affects phpwcms 1.2.5-DEV and earlier, and 1.1 prior to RC4, enabling remote arbitrary code execution via crafted arguments to the text_evento and email_eventonome_evento parameters. The vulnerable code paths are phpwcms_code_snippets/mail_file_form.php and sample_ext_php/m...
CVE-2020-21784
CVE-2020-21784 affects phpwcms 1.9.13 and is described as a Code Injection vulnerability exploitable via the API endpoint /phpwcms/setup/setup.php. The connected sources consistently identify the vulnerable component and path but do not provide concrete exploit steps, affected versions beyond 1.9...
CVE-2021-36424
CVE-2021-36424 affects phpwcms 1.9.25 and allows remote attackers to execute arbitrary code via the DB user field during installation. This is documented across multiple sources (NVD, Red Hat, OSV, CNNVD, CVE listing, PT Security) with no publicly available fix version indicated in the provided m...
CVE-2017-15872
CVE-2017-15872 affects phpwcms 1.8.9 with a cross-site scripting (XSS) vulnerability in include/inc_tmpl/admin.edituser.tmpl.php and include/inc_tmpl/admin.newuser.tmpl.php, exploitable via the username (new_login) field. The affected components are these two admin templates; the underlying cause...
CVE-2018-12990
CVE-2018-12990 affects phpwcms 1.8.9. A remote attacker can disclose the installation path via an invalid csrf_token_value field, an information-disclosure issue arising from the csrf_token handling. Several sources (NVD/CNVD entries and related databases) describe phpwcms 1.8.9 as vulnerable to ...
CVE-2006-6886
The vulnerability affects phpwcms 1.2.5-DEV. Affected component: include/inc_lib/ files public-userroot.inc.php and private.additions.inc.php. Root cause: direct requests expose filesystem paths in error messages, enabling information disclosure. Impact: partial confidentiality breach; no evidenc...
CVE-2006-2518
CVE-2006-2518 affects phpWCMS 1.2.5-DEV where a crafted value in the BL[be_cnt_plainhtml] parameter is echoed into include/inc_tmpl/content/cnt6.inc.php, enabling cross-site scripting. The vulnerability originates from improper handling of user-supplied input in that parameter, leading to arbitra...
CVE-2020-19855
CVE-2020-19855 affects phpwcms v1.9 with a cross-site scripting (XSS) vulnerability in /image_zoom.php. Several connected sources confirm the issue and its impact: an attacker could exploit this XSS to obtain an administrator cookie (CNVD/CNNVD entries). The Red Hat, NVD, and CVE listings all des...
CVE-2021-36426
CVE-2021-36426 affects phpwcms 1.9.25, where a crafted file upload to include/inc_lib/general.inc.php enables remote code execution. The vulnerability is described consistently across multiple sources as a File Upload vulnerability that lets an attacker run arbitrary code, with high impact (C/H I...
CVE-2021-47783
CVE-2021-47783 affects Phpwcms 1.9.30. The vulnerability is a file upload flaw where authenticated attackers can upload crafted SVG files containing JavaScript via the multiple file upload feature, potentially enabling cross-site scripting on the platform. The connected documents confirm the affe...