VYPR

Expressionengine

by Expressionengine

CVEs (15)

  • CVE-2017-0897 | High | Jun 22, 2017
    risk 0.49 | cvss 7.5 | epss 0.04

    ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution.

  • CVE-2018-17874 | Medium | Oct 1, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    ExpressionEngine before 4.3.5 has reflected XSS.

  • CVE-2017-1000160 | Medium | Nov 17, 2017
    risk 0.35 | cvss 5.4 | epss 0.01

    EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting resulting in PHP code injection.

  • CVE-2009-1070 | Mar 26, 2009
    risk 0.03 | cvss (not listed) | epss 0.02

    Cross-site scripting (XSS) vulnerability in system/index.php in ExpressionEngine 1.6.4 through 1.6.6, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the avatar parameter.

  • CVE-2006-0461 | Jan 27, 2006
    risk 0.03 | cvss (not listed) | epss 0.02

    Cross-site scripting (XSS) vulnerability in core.input.php in ExpressionEngine 1.4.1 allows remote attackers to inject arbitrary web script or HTML via HTTP_REFERER (referer).

  • CVE-2025-59473 | Jan 26, 2026
    risk 0.00 | cvss (not listed) | epss 0.00

    SQL injection vulnerability in Structure, exploitable by an authenticated Admin user.

  • CVE-2024-38454 | Jun 16, 2024
    risk 0.00 | cvss (not listed) | epss 0.00

    ExpressionEngine before 7.4.11 allows XSS.

  • CVE-2023-22953 | Feb 9, 2023
    risk 0.00 | cvss (not listed) | epss 0.01

    In ExpressionEngine before 7.2.6, remote code execution can be achieved by an authenticated Control Panel user.

  • CVE-2020-8242 | Feb 18, 2022
    risk 0.00 | cvss (not listed) | epss 0.01

    Unsanitized user input in ExpressionEngine <= 5.4.0 control panel member creation leads to an SQL injection. The user needs member creation/admin control panel access to execute the attack.

  • CVE-2021-33199 | Aug 12, 2021
    risk 0.00 | cvss (not listed) | epss 0.01

    In Expression Engine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg.

  • CVE-2021-27230 | Mar 15, 2021
    risk 0.00 | cvss (not listed) | epss 0.03

    ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory.

  • CVE-2020-13443 | Jun 24, 2020
    risk 0.00 | cvss (not listed) | epss 0.04

    ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions. A user with low privileges (member) is able to upload this. It is possible to bypass the MIME type check and…

  • CVE-2014-5387 | Nov 4, 2014
    risk 0.00 | cvss (not listed) | epss 0.02

    Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine before 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[] parameter to system/index.php or the (3) tbl_sort[0][] parameter in the comment module…

  • CVE-2008-0201 | Jan 10, 2008
    risk 0.00 | cvss (not listed) | epss 0.01

    Cross-site scripting (XSS) vulnerability in index.php in ExpressionEngine 1.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the URL parameter.

  • CVE-2008-0202 | Jan 10, 2008
    risk 0.00 | cvss (not listed) | epss 0.01

    CRLF injection vulnerability in index.php in ExpressionEngine 1.2.1 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the URL parameter.