Phpfusion
by PHP-Fusion
Source repositories
CVEs (77)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-5946 | | | 0.03 | — | 0.01 | | Jan 22, 2009 | SQL injection vulnerability in readmore.php in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the news_id parameter. |
| CVE-2008-5335 | | | 0.03 | — | 0.03 | | Dec 5, 2008 | SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and 7.00.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the subject and msg_send parameters, a different vector than CVE-2005-3157, CVE-2005-3158,… |
| CVE-2008-5197 | | | 0.03 | — | 0.04 | | Nov 21, 2008 | SQL injection vulnerability in classifieds.php in PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the lid parameter in a detail_adverts action. |
| CVE-2008-1918 | | | 0.03 | — | 0.01 | | Apr 23, 2008 | SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database table prefix is known, allows remote authenticated users to execute arbitrary SQL commands via the submit_info[] parameter in a link submission… |
| CVE-2006-4673 | | | 0.03 | — | 0.01 | | Sep 11, 2006 | Global variable overwrite vulnerability in maincore.php in PHP-Fusion 6.01.4 and earlier uses the extract function on the superglobals, which allows remote attackers to conduct SQL injection attacks via the _SERVER[REMOTE_ADDR] parameter to news.php. |
| CVE-2006-2459 | | | 0.03 | — | 0.02 | | May 19, 2006 | SQL injection vulnerability in messages.php in PHP-Fusion 6.00.307 and earlier allows remote authenticated users to execute arbitrary SQL commands via the srch_where parameter. |
| CVE-2006-2331 | | | 0.03 | — | 0.04 | | May 12, 2006 | Multiple directory traversal vulnerabilities in PHP-Fusion 6.00.306 allow remote attackers to include and execute arbitrary local files via (1) a .. (dot dot) in the settings[locale] parameter in infusions/last_seen_users_panel/last_seen_users_panel.php, and (2) a .. (dot dot)… |
| CVE-2005-4517 | | | 0.03 | — | 0.01 | | Dec 28, 2005 | SQL injection vulnerability in PHP-Fusion 6.00.200 through 6.00.300 allows remote attackers to execute arbitrary SQL commands via the ratings parameter in multiple scripts, such as ratings_include.php. |
| CVE-2005-4516 | | | 0.03 | — | 0.02 | | Dec 28, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion 6.00.200 through 6.00.300 allow remote attackers to inject arbitrary web script or HTML via (1) the sortby parameter in members.php and (2) IMG tags. |
| CVE-2005-4005 | | | 0.03 | — | 0.01 | | Dec 5, 2005 | SQL injection vulnerability in messages.php in PHP-Fusion 6.00.109 allows remote attackers to obtain path information and possibly execute arbitrary SQL commands via the srch_text parameter in a Search and Sort option to messages.php. |
| CVE-2005-3157 | | | 0.03 | — | 0.04 | | Oct 6, 2005 | SQL injection vulnerability in messages.php in PHP-Fusion 6.00.109 allows remote attackers to execute arbitrary SQL commands via the msg_send parameter, a different vulnerability than CVE-2005-3158 and CVE-2005-3159. |
| CVE-2005-3159 | | | 0.03 | — | 0.01 | | Oct 6, 2005 | SQL injection vulnerability in messages.php in PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the msg_view parameter, a different vulnerability than CVE-2005-3157 and CVE-2005-3158. |
| CVE-2005-2783 | | | 0.03 | — | 0.02 | | Sep 2, 2005 | Cross-site scripting (XSS) vulnerability in PHP-Fusion 6.00.107 and earlier allows remote attackers to inject arbitrary web script or HTML via nested, malformed URL BBCode tags. |
| CVE-2005-0345 | | | 0.03 | — | 0.03 | | May 2, 2005 | viewthread.php in php-fusion 4.x does not check the (1) forum_id or (2) forum_cat parameters, which allows remote attackers to view protected forums via the thread_id parameter. |
| CVE-2005-0829 | | | 0.03 | — | 0.02 | | May 2, 2005 | Cross-site scripting (XSS) vulnerability in setuser.php of the Digitanium addon to PHP-Fusion 5.01 allows remote attackers to inject arbitrary web script or HTML via the (1) user_name or (2) user_pass parameters. |
| CVE-2020-37152 | | | 0.00 | — | 0.00 | | Feb 5, 2026 | PHP-Fusion 9.03.50 panels.php is vulnerable to cross-site scripting (XSS) via the 'panel_content' POST parameter. The application fails to properly sanitize user input before rendering it in the browser, allowing attackers to inject arbitrary JavaScript. This can be exploited by… |
| CVE-2020-37137 | | | 0.00 | — | 0.01 | | Feb 5, 2026 | PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the 'add_panel_form()' function that allows attackers to execute arbitrary code through an eval() function with unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panel_content… |
| CVE-2023-53928 | | | 0.00 | — | 0.00 | | Dec 17, 2025 | PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially… |
| CVE-2021-3172 | | High | 0.00 | 8.1 | 0.01 | | Feb 17, 2023 | An issue in Php-Fusion v9.03.90 fixed in v9.10.00 allows authenticated attackers to cause a Distributed Denial of Service via the Polling feature. |
| CVE-2022-3152 | | High | 0.00 | 8.8 | 0.01 | | Sep 7, 2022 | Unverified Password Change in GitHub repository phpfusion/phpfusion prior to 9.10.20. |
Page 3 of 4