VYPR

Galette

by Galette

Source repositories

CVEs (11)

  • CVE-2025-58052HigDec 19, 2025
    risk 0.46cvss 8.1epss 0.00

    Galette is a membership management web application for non profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with group manager role can bypass intended restrictions allowing unauthorized access and changes despite role-based controls. Since…

  • CVE-2012-2338May 21, 2012
    risk 0.03cvss epss 0.02

    SQL injection vulnerability in includes/picture.class.php in Galette 0.63, 0.63.1, 0.63.2, 0.63.3, and 0.64rc1 allows remote attackers to execute arbitrary SQL commands via the id_adh parameter to picture.php.

  • CVE-2025-58053Dec 19, 2025
    risk 0.00cvss epss 0.00

    Galette is a membership management web application for non profit organizations. Prior to version 1.2.0, while updating any existing account with a self forged POST request, one can gain higher privileges. Version 1.2.0 fixes the issue.

  • CVE-2025-53922Dec 19, 2025
    risk 0.00cvss epss 0.00

    Galette is a membership management web application for non profit organizations. Starting in version 1.1.4 and prior to version 1.2.0, a user who is logged in as group manager may bypass intended restrictions on Contributions and Transactions. Version 1.2.0 fixes the issue.

  • CVE-2025-48884Nov 4, 2025
    risk 0.00cvss epss 0.00

    Galette is a membership management web application for non profit organizations. In versions 1.1.5.2 and below, Galette's Document Type is vulnerable to Cross-site Scripting. This issue is fixed in version 1.2.0.

  • CVE-2025-48076Nov 4, 2025
    risk 0.00cvss epss 0.00

    Galette is a membership management web application for non profit organizations. Versions 1.1.5.2 and below allow a user to edit a group name and insert an XSS payload. This issue is fixed in version 1.2.0.

  • CVE-2024-24761Mar 6, 2024
    risk 0.00cvss epss 0.01

    Galette is a membership management web application for non profit organizations. Starting in version 1.0.0 and prior to version 1.0.2, public pages are per default restricted to only administrators and staff members. From configuration, it is possible to restrict to up-to-date…

  • CVE-2021-41261Dec 16, 2021
    risk 0.00cvss epss 0.01

    Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 are subject to stored cross site scripting attacks via the preferences footer. The preference footer can only be altered by a site admin. This…

  • CVE-2021-41262Dec 16, 2021
    risk 0.00cvss epss 0.01

    Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 are subject to SQL injection attacks by users with "member" privilege. Users are advised to upgrade to version 0.9.6 as soon as possible. There…

  • CVE-2021-41260Dec 16, 2021
    risk 0.00cvss epss 0.00

    Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 do not check for Cross Site Request Forgery attacks. All users are advised to upgrade to 0.9.6 as soon as possible. There are no known…

  • CVE-2021-21319Oct 25, 2021
    risk 0.00cvss epss 0.01

    Galette is a membership management web application geared towards non profit organizations. In versions prior to 0.9.5, malicious javascript code can be stored to be displayed later on self subscription page. The self subscription feature can be disabled as a workaround (this is…