Expressionengine
CVEs (15)
| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-0897 | | High | 0.49 | 7.5 | 0.04 | | Jun 22, 2017 | ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution. |
| CVE-2018-17874 | | Medium | 0.40 | 6.1 | 0.01 | | Oct 1, 2018 | ExpressionEngine before 4.3.5 has reflected XSS. |
| CVE-2017-1000160 | | Medium | 0.35 | 5.4 | 0.01 | | Nov 17, 2017 | EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting resulting in PHP code injection. |
| CVE-2009-1070 | | | 0.03 | — | 0.02 | | Mar 26, 2009 | Cross-site scripting (XSS) vulnerability in system/index.php in ExpressionEngine 1.6.4 through 1.6.6, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the avatar parameter. |
| CVE-2006-0461 | | | 0.03 | — | 0.02 | | Jan 27, 2006 | Cross-site scripting (XSS) vulnerability in core.input.php in ExpressionEngine 1.4.1 allows remote attackers to inject arbitrary web script or HTML via HTTP_REFERER (referer). |
| CVE-2025-59473 | | | 0.00 | — | 0.00 | | Jan 26, 2026 | SQL Injection vulnerability in the Structure for Admin authenticated user. |
| CVE-2024-38454 | | | 0.00 | — | 0.00 | | Jun 16, 2024 | ExpressionEngine before 7.4.11 allows XSS. |
| CVE-2023-22953 | | | 0.00 | — | 0.01 | | Feb 9, 2023 | In ExpressionEngine before 7.2.6, remote code execution can be achieved by an authenticated Control Panel user. |
| CVE-2020-8242 | | | 0.00 | — | 0.01 | | Feb 18, 2022 | Unsanitized user input in ExpressionEngine <= 5.4.0 control panel member creation leads to an SQL injection. The user needs member creation/admin control panel access to execute the attack. |
| CVE-2021-33199 | | | 0.00 | — | 0.01 | | Aug 12, 2021 | In Expression Engine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg. |
| CVE-2021-27230 | | | 0.00 | — | 0.03 | | Mar 15, 2021 | ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory. |
| CVE-2020-13443 | | | 0.00 | — | 0.04 | | Jun 24, 2020 | ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions. A user with low privileges (member) is able to upload this. It is possible to bypass the MIME type check and… |
| CVE-2014-5387 | | | 0.00 | — | 0.02 | | Nov 4, 2014 | Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine before 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[] parameter to system/index.php or the (3) tbl_sort[0][] parameter in the comment module… |
| CVE-2008-0201 | | | 0.00 | — | 0.01 | | Jan 10, 2008 | Cross-site scripting (XSS) vulnerability in index.php in ExpressionEngine 1.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the URL parameter. |
| CVE-2008-0202 | | | 0.00 | — | 0.01 | | Jan 10, 2008 | CRLF injection vulnerability in index.php in ExpressionEngine 1.2.1 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the URL parameter. |