Novel Plus
by Xxyopen
Source repositories
CVEs (44)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-6535 | Med | 0.41 | 6.3 | 0.00 | Jun 24, 2025 | A vulnerability has been found in xxyopen/201206030 novel-plus up to 5.1.3 and classified as critical. This vulnerability affects the function list of the file novel-admin/src/main/resources/mybatis/system/UserMapper.xml of the component User Management Module. The manipulation… | ||
| CVE-2025-6533 | Med | 0.36 | 5.6 | 0.00 | Jun 24, 2025 | A vulnerability, which was classified as critical, has been found in xxyopen/201206030 novel-plus up to 5.1.3. Affected by this issue is the function ajaxLogin of the file novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java of the component CATCHA… | ||
| CVE-2025-6534 | Med | 0.27 | 4.2 | 0.00 | Jun 24, 2025 | A vulnerability, which was classified as problematic, was found in xxyopen/201206030 novel-plus up to 5.1.3. This affects the function remove of the file novel-admin/src/main/java/com/java2nb/common/controller/FileController.java of the component File Handler. The manipulation… | ||
| CVE-2025-60298 | 0.00 | — | 0.00 | Oct 8, 2025 | Novel-Plus up to 5.2.4 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /author/updateIndexName endpoint. This vulnerability allows authenticated attackers to inject malicious JavaScript code through the indexName parameter, which gets stored… | |||
| CVE-2025-60299 | 0.00 | — | 0.00 | Oct 8, 2025 | Novel-Plus with 5.2.0 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /book/addCommentReply endpoint. An authenticated user can inject malicious JavaScript through the replyContent parameter when replying to a book comment. The payload is… | |||
| CVE-2025-45890 | 0.00 | — | 0.01 | Jun 20, 2025 | Directory Traversal vulnerability in novel plus before v.5.1.0 allows a remote attacker to execute arbitrary code via the filePath parameter | |||
| CVE-2025-4019 | 0.00 | — | 0.01 | Apr 28, 2025 | A vulnerability, which was classified as critical, was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. Affected is the function genCode of the file novel-admin/src/main/java/com/java2nb/common/controller/GeneratorController.java. The manipulation… | |||
| CVE-2025-4018 | 0.00 | — | 0.01 | Apr 28, 2025 | A vulnerability, which was classified as critical, has been found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. This issue affects the function addCrawlSource of the file novel-crawl/src/main/java/com/java2nb/novel/controller/CrawlController.java. The… | |||
| CVE-2025-4017 | 0.00 | — | 0.00 | Apr 28, 2025 | A vulnerability classified as problematic was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. This vulnerability affects the function list of the file nnovel-admin/src/main/java/com/java2nb/common/controller/LogController.java. The manipulation leads… | |||
| CVE-2025-4016 | 0.00 | — | 0.00 | Apr 28, 2025 | A vulnerability classified as critical has been found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. This affects the function deleteIndex of the file novel-admin/src/main/java/com/java2nb/common/controller/LogController.java. The manipulation leads to… | |||
| CVE-2025-4015 | 0.00 | — | 0.01 | Apr 28, 2025 | A vulnerability was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. It has been rated as critical. Affected by this issue is the function list of the file novel-system/src/main/java/com/java2nb/system/controller/SessionController.java. The… | |||
| CVE-2025-3856 | 0.00 | — | 0.00 | Apr 22, 2025 | A vulnerability was found in xxyopen Novel-Plus 5.1.0. It has been classified as critical. This affects the function searchByPage of the file /book/searchByPage. The manipulation of the argument sort leads to sql injection. It is possible to initiate the attack remotely. The… | |||
| CVE-2025-3676 | 0.00 | — | 0.00 | Apr 16, 2025 | A vulnerability classified as critical has been found in xxyopen Novel-Plus 3.5.0. This affects an unknown part of the file /api/front/search/books. The manipulation of the argument sort leads to sql injection. It is possible to initiate the attack remotely. The exploit has been… | |||
| CVE-2025-3369 | 0.00 | — | 0.00 | Apr 7, 2025 | A vulnerability was found in xxyopen Novel-Plus 5.1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /novel/friendLink/list. The manipulation of the argument sort leads to sql injection. The attack may be launched remotely. The… | |||
| CVE-2025-26182 | 0.00 | — | 0.00 | Mar 4, 2025 | An issue in xxyopen novel plus v.4.4.0 and before allows a remote attacker to execute arbitrary code via the PageController.java file | |||
| CVE-2024-25274 | 0.00 | — | 0.01 | Feb 20, 2024 | An arbitrary file upload vulnerability in the component /sysFile/upload of Novel-Plus v4.3.0-RC1 allows attackers to execute arbitrary code via uploading a crafted file. | |||
| CVE-2024-24017 | 0.00 | — | 0.01 | Feb 8, 2024 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /common/dict/list | |||
| CVE-2024-24025 | 0.00 | — | 0.01 | Feb 8, 2024 | An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download. | |||
| CVE-2024-24023 | 0.00 | — | 0.01 | Feb 8, 2024 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/bookContent/list. | |||
| CVE-2024-24018 | 0.00 | — | 0.01 | Feb 8, 2024 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/dataPerm/list |
- risk 0.41cvss 6.3epss 0.00
A vulnerability has been found in xxyopen/201206030 novel-plus up to 5.1.3 and classified as critical. This vulnerability affects the function list of the file novel-admin/src/main/resources/mybatis/system/UserMapper.xml of the component User Management Module. The manipulation…
- risk 0.36cvss 5.6epss 0.00
A vulnerability, which was classified as critical, has been found in xxyopen/201206030 novel-plus up to 5.1.3. Affected by this issue is the function ajaxLogin of the file novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java of the component CATCHA…
- risk 0.27cvss 4.2epss 0.00
A vulnerability, which was classified as problematic, was found in xxyopen/201206030 novel-plus up to 5.1.3. This affects the function remove of the file novel-admin/src/main/java/com/java2nb/common/controller/FileController.java of the component File Handler. The manipulation…
- CVE-2025-60298Oct 8, 2025risk 0.00cvss —epss 0.00
Novel-Plus up to 5.2.4 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /author/updateIndexName endpoint. This vulnerability allows authenticated attackers to inject malicious JavaScript code through the indexName parameter, which gets stored…
- CVE-2025-60299Oct 8, 2025risk 0.00cvss —epss 0.00
Novel-Plus with 5.2.0 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /book/addCommentReply endpoint. An authenticated user can inject malicious JavaScript through the replyContent parameter when replying to a book comment. The payload is…
- CVE-2025-45890Jun 20, 2025risk 0.00cvss —epss 0.01
Directory Traversal vulnerability in novel plus before v.5.1.0 allows a remote attacker to execute arbitrary code via the filePath parameter
- CVE-2025-4019Apr 28, 2025risk 0.00cvss —epss 0.01
A vulnerability, which was classified as critical, was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. Affected is the function genCode of the file novel-admin/src/main/java/com/java2nb/common/controller/GeneratorController.java. The manipulation…
- CVE-2025-4018Apr 28, 2025risk 0.00cvss —epss 0.01
A vulnerability, which was classified as critical, has been found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. This issue affects the function addCrawlSource of the file novel-crawl/src/main/java/com/java2nb/novel/controller/CrawlController.java. The…
- CVE-2025-4017Apr 28, 2025risk 0.00cvss —epss 0.00
A vulnerability classified as problematic was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. This vulnerability affects the function list of the file nnovel-admin/src/main/java/com/java2nb/common/controller/LogController.java. The manipulation leads…
- CVE-2025-4016Apr 28, 2025risk 0.00cvss —epss 0.00
A vulnerability classified as critical has been found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. This affects the function deleteIndex of the file novel-admin/src/main/java/com/java2nb/common/controller/LogController.java. The manipulation leads to…
- CVE-2025-4015Apr 28, 2025risk 0.00cvss —epss 0.01
A vulnerability was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. It has been rated as critical. Affected by this issue is the function list of the file novel-system/src/main/java/com/java2nb/system/controller/SessionController.java. The…
- CVE-2025-3856Apr 22, 2025risk 0.00cvss —epss 0.00
A vulnerability was found in xxyopen Novel-Plus 5.1.0. It has been classified as critical. This affects the function searchByPage of the file /book/searchByPage. The manipulation of the argument sort leads to sql injection. It is possible to initiate the attack remotely. The…
- CVE-2025-3676Apr 16, 2025risk 0.00cvss —epss 0.00
A vulnerability classified as critical has been found in xxyopen Novel-Plus 3.5.0. This affects an unknown part of the file /api/front/search/books. The manipulation of the argument sort leads to sql injection. It is possible to initiate the attack remotely. The exploit has been…
- CVE-2025-3369Apr 7, 2025risk 0.00cvss —epss 0.00
A vulnerability was found in xxyopen Novel-Plus 5.1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /novel/friendLink/list. The manipulation of the argument sort leads to sql injection. The attack may be launched remotely. The…
- CVE-2025-26182Mar 4, 2025risk 0.00cvss —epss 0.00
An issue in xxyopen novel plus v.4.4.0 and before allows a remote attacker to execute arbitrary code via the PageController.java file
- CVE-2024-25274Feb 20, 2024risk 0.00cvss —epss 0.01
An arbitrary file upload vulnerability in the component /sysFile/upload of Novel-Plus v4.3.0-RC1 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-24017Feb 8, 2024risk 0.00cvss —epss 0.01
A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /common/dict/list
- CVE-2024-24025Feb 8, 2024risk 0.00cvss —epss 0.01
An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download.
- CVE-2024-24023Feb 8, 2024risk 0.00cvss —epss 0.01
A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/bookContent/list.
- CVE-2024-24018Feb 8, 2024risk 0.00cvss —epss 0.01
A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/dataPerm/list
Page 1 of 3