CMS
by Havalite
CVEs (27)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-27179 | | | 0.10 | — | 0.61 | | Apr 11, 2023 | GDidees CMS v3.9.1 and lower was discovered to contain an arbitrary file download vulnerability via the filename parameter at /_admin/imgdownload.php. |
| CVE-2022-46020 | | | 0.07 | — | 0.39 | | Dec 20, 2022 | WBCE CMS v1.5.4 can implement getshell by modifying the upload file type. |
| CVE-2019-25137 | | | 0.04 | — | 0.04 | | May 18, 2023 | Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx. |
| CVE-2013-0161 | | | 0.03 | — | 0.01 | | Jan 29, 2020 | Havalite CMS 1.1.7 has a stored XSS vulnerability |
| CVE-2012-5919 | | | 0.03 | — | 0.02 | | Nov 19, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) find or (2) replace fields to havalite/findReplace.php; (3) username parameter to havalite/hava_login.php, (4) the Edit… |
| CVE-2012-5894 | | | 0.03 | — | 0.01 | | Nov 17, 2012 | SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the postId parameter. |
| CVE-2025-70866 | | | 0.00 | — | 0.00 | | Feb 13, 2026 | LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share… |
| CVE-2025-71177 | | | 0.00 | — | 0.00 | | Jan 23, 2026 | LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later… |
| CVE-2024-31828 | | | 0.00 | — | 0.01 | | Apr 26, 2024 | Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL. |
| CVE-2024-27668 | | | 0.00 | — | 0.00 | | Mar 4, 2024 | Flusity-CMS v2.33 is affected by: Cross Site Scripting (XSS) in 'Custom Blocks.' |
| CVE-2023-36983 | | | 0.00 | — | 0.01 | | Aug 1, 2023 | LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure. |
| CVE-2023-36984 | | | 0.00 | — | 0.01 | | Aug 1, 2023 | LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure. |
| CVE-2023-36291 | | | 0.00 | — | 0.00 | | Jul 3, 2023 | Cross Site Scripting vulnerability in Maxsite CMS v.108.7 allows a remote attacker to execute arbitrary code via the f_content parameter in the admin/page_new file. |
| CVE-2023-27082 | | | 0.00 | — | 0.01 | | Jun 26, 2023 | Cross Site Scripting (XSS) vulnerability in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev4 allows remote attackers to run arbitrary code via upload of crafted html file. |
| CVE-2023-31903 | | | 0.00 | — | 0.02 | | May 17, 2023 | GuppY CMS 6.00.10 is vulnerable to Unrestricted File Upload which allows remote attackers to execute arbitrary code by uploading a php file. |
| CVE-2023-27237 | | | 0.00 | — | 0.01 | | May 12, 2023 | LavaLite CMS v 9.0.0 was discovered to be vulnerable to a host header injection attack. |
| CVE-2023-27238 | | | 0.00 | — | 0.01 | | May 12, 2023 | LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning. |
| CVE-2023-27178 | | | 0.00 | — | 0.01 | | Apr 10, 2023 | An arbitrary file upload vulnerability in the upload function of GDidees CMS 3.9.1 allows attackers to execute arbitrary code via a crafted file. |
| CVE-2023-27180 | | | 0.00 | — | 0.01 | | Apr 7, 2023 | GDidees CMS v3.9.1 was discovered to contain a source code disclosure vulnerability by the backup feature which is accessible via /_admin/backup.php. |
| CVE-2023-25828 | | | 0.00 | — | 0.02 | | Mar 27, 2023 | Pluck CMS is vulnerable to an authenticated remote code execution (RCE) vulnerability through its “albums” module. Albums are used to create collections of images that can be inserted into web pages across the site. Albums allow the upload of various filetypes, which… |
Page 1 of 2