| CVE-2017-1000160 | Med | 0.35 | 5.4 | 0.00 | | Nov 17, 2017 | EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting resulting in PHP code injection |
| CVE-2006-0461 | | 0.04 | — | 0.09 | | Jan 27, 2006 | Cross-site scripting (XSS) vulnerability in core.input.php in ExpressionEngine 1.4.1 allows remote attackers to inject arbitrary web script or HTML via HTTP_REFERER (referer). |
| CVE-2009-1070 | | 0.03 | — | 0.03 | | Mar 26, 2009 | Cross-site scripting (XSS) vulnerability in system/index.php in ExpressionEngine 1.6.4 through 1.6.6, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the avatar parameter. |
| CVE-2025-59473 | | 0.00 | — | 0.00 | | Jan 26, 2026 | SQL Injection vulnerability in the Structure for Admin authenticated user |
| CVE-2014-5387 | | 0.00 | — | 0.00 | | Nov 4, 2014 | Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine before 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[] parameter to system/index.php or the (3) tbl_sort[0][] parameter in the comment module to system/index.php. |
| CVE-2008-0201 | | 0.00 | — | 0.01 | | Jan 10, 2008 | Cross-site scripting (XSS) vulnerability in index.php in ExpressionEngine 1.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the URL parameter. |
| CVE-2008-0202 | | 0.00 | — | 0.01 | | Jan 10, 2008 | CRLF injection vulnerability in index.php in ExpressionEngine 1.2.1 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the URL parameter. |
