Firefly III / firefly-iii
by Firefly III
Source repositories
CVEs (23)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-50886 | | Critical | 0.59 | 9.1 | 0.00 | | Jun 15, 2026 | Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request. |
| CVE-2024-37893 | | Medium | 0.31 | 5.9 | 0.01 | | Jun 17, 2024 | Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to Firefly III data using… |
| CVE-2024-22075 | | | 0.00 | — | 0.00 | | Jan 5, 2024 | Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Injection. |
| CVE-2023-1788 | | | 0.00 | — | 0.00 | | Apr 5, 2023 | Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6. |
| CVE-2023-1789 | | | 0.00 | — | 0.00 | | Apr 1, 2023 | Improper Input Validation in GitHub repository firefly-iii/firefly-iii prior to 6.0.0. |
| CVE-2023-0298 | | | 0.00 | — | 0.01 | | Jan 14, 2023 | Incorrect Authorization in GitHub repository firefly-iii/firefly-iii prior to 5.8.0. |
| CVE-2021-4005 | | | 0.00 | — | 0.00 | | Dec 4, 2021 | firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) |
| CVE-2021-4015 | | | 0.00 | — | 0.00 | | Dec 1, 2021 | firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) |
| CVE-2021-3921 | | | 0.00 | — | 0.00 | | Nov 13, 2021 | firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) |
| CVE-2021-3901 | | | 0.00 | — | 0.01 | | Oct 27, 2021 | firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) |
| CVE-2021-3900 | | | 0.00 | — | 0.01 | | Oct 27, 2021 | firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) |
| CVE-2021-3851 | | | 0.00 | — | 0.01 | | Oct 19, 2021 | firefly-iii is vulnerable to URL Redirection to Untrusted Site |
| CVE-2021-3846 | | | 0.00 | — | 0.01 | | Oct 19, 2021 | firefly-iii is vulnerable to Unrestricted Upload of File with Dangerous Type |
| CVE-2021-3819 | | | 0.00 | — | 0.01 | | Sep 27, 2021 | firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) |
| CVE-2021-3730 | | | 0.00 | — | 0.00 | | Aug 23, 2021 | firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) |
| CVE-2021-3729 | | | 0.00 | — | 0.00 | | Aug 23, 2021 | firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) |
| CVE-2021-3728 | | | 0.00 | — | 0.01 | | Aug 23, 2021 | firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) |
| CVE-2021-3663 | | | 0.00 | — | 0.01 | | Jul 25, 2021 | firefly-iii is vulnerable to Improper Restriction of Excessive Authentication Attempts |
| CVE-2019-14667 | | | 0.00 | — | 0.01 | | Aug 5, 2019 | Firefly III 4.7.17.4 is vulnerable to multiple stored XSS issues due to the lack of filtration of user-supplied data in the transaction description field and the asset account name. The JavaScript code is executed during a convert transaction action. |
| CVE-2019-14668 | | | 0.00 | — | 0.01 | | Aug 5, 2019 | Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the transaction description field. The JavaScript code is executed during deletion of a transaction link. |
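The highest-rated entry above (CVE-2026-50886) describes a webhook component that can be pointed at internal hosts. The check that closes that class of bug is validating the webhook target before any request is made: resolve the host, and refuse it if any resolved address is loopback, private, link-local or otherwise internal. The example below is added here for illustration; it is not Firefly III's code (the project is PHP; Python is used so the block runs stand-alone) and the page's advisory text does not describe the actual fix. The DNS table, the host names and the `rebind.example.net` record with one public and one private address are constructed for the demo.

```python
"""Validate a user-supplied webhook URL so it cannot be used to reach internal hosts."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed policy: address ranges a webhook target must never resolve to.
# This covers loopback, RFC 1918, shared address space (100.64/10), link-local
# (including 169.254.169.254-style metadata endpoints), multicast and their IPv6 peers.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(ip: str) -> bool:
    """True if the address falls in any blocked range, after unwrapping IPv4-mapped IPv6."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return any(addr in net for net in BLOCKED_NETWORKS)


def system_resolver(host: str) -> list[str]:
    """Resolve with the OS resolver; handles names and IP literals, including '127.1'."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def make_fake_resolver(table: dict[str, list[str]]) -> Callable[[str], list[str]]:
    """Constructed offline stand-in for DNS: a fixed table plus literal parsing."""
    def resolve(host: str) -> list[str]:
        if host in table:
            return table[host]
        try:
            return [str(ipaddress.ip_address(host))]
        except ValueError:
            pass
        try:
            # inet_aton accepts shorthand such as "127.1", exactly as a real resolver would.
            return [socket.inet_ntoa(socket.inet_aton(host))]
        except OSError:
            raise socket.gaierror(f"cannot resolve {host!r}")
    return resolve


def validate_webhook_url(
    url: str, resolver: Callable[[str], Iterable[str]] = system_resolver
) -> tuple[bool, str]:
    """Return (ok, reason). Every resolved address must be outside the blocked ranges."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = list(resolver(host))
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host did not resolve"
    for ip in addrs:
        if is_blocked_address(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"


# Constructed DNS table for the demo: one clean host, one mixed public/private host,
# and one host that points at a cloud-metadata style link-local address.
DEMO_DNS = make_fake_resolver({
    "hooks.example.com": ["203.0.113.10"],
    "rebind.example.net": ["203.0.113.20", "10.0.0.5"],
    "meta.example.org": ["169.254.169.254"],
})

if __name__ == "__main__":
    for candidate in (
        "https://hooks.example.com/notify",
        "http://127.1/",
        "http://[::ffff:127.0.0.1]/",
        "http://rebind.example.net/",
        "http://meta.example.org/latest/",
        "http://user:pw@hooks.example.com/",
    ):
        print(candidate, "->", validate_webhook_url(candidate, DEMO_DNS))
```

Two caveats a reviewer would raise against this check alone: the address that passed validation must be the one actually connected to (pin the resolved IP and send the original Host header), otherwise a DNS record that changes between the check and the request bypasses it; and every redirect the webhook target returns must be run through the same validation, since a public host can 302 to an internal one.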
Page 1 of 2