VYPR

CMS

by Statamic

CVEs (72)

  • CVE-2026-30993 | Critical | Apr 15, 2026
    risk 0.64 | cvss 9.8 | epss 0.01

    Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session() function at config.php. This vulnerability is exploitable via a crafted input.

  • CVE-2016-20052 | Critical | Apr 4, 2026
    risk 0.64 | cvss 9.8 | epss 0.01

    Snews CMS 1.7 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files including PHP executables to the snews_files directory. Attackers can upload malicious PHP files through the multipart form-data upload endpoint and…

  • CVE-2025-15498 | Critical | Feb 27, 2026
    risk 0.60 | cvss | epss 0.00

    Pro3W CMS is vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges. This issue was identified in version 1.2.0 of this software. Due to…

  • CVE-2021-47964 | High | May 15, 2026
    risk 0.57 | cvss 8.8 | epss 0.01

    Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block manager. Attackers can upload a crafted ZIP file containing PHP code in the…

  • CVE-2020-9322 | High | Aug 8, 2025
    risk 0.57 | cvss 8.8 | epss 0.00

    The /users endpoint in Statamic Core before 2.11.8 allows XSS to add an administrator user. This can be exploited via CSRF. Stored XSS can occur via a JavaScript payload in a username during account registration. Reflected XSS can occur via the /users PATH_INFO.

  • CVE-2019-25439 | High | Feb 22, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    NoviSmart CMS contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the Referer HTTP header field. Attackers can craft requests with time-based SQL injection payloads in the Referer header to…

  • CVE-2019-25433 | High | Feb 22, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    XOOPS CMS 2.5.9 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. Attackers can send GET requests to the gerar_pdf.php endpoint with malicious cid values to extract…

  • CVE-2026-6257 | Critical | Apr 20, 2026
    risk 0.52 | cvss 9.1 | epss 0.01

    Vvveb CMS v1.0.8.2 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions .php or .htaccess. Attackers can exploit this…

  • CVE-2026-6249 | High | Apr 20, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    Vvveb CMS 1.0.8.2 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and…

  • CVE-2025-5435 | High | Jun 2, 2025
    risk 0.47 | cvss 7.3 | epss 0.00

    A vulnerability was found in Marwal Infotech CMS 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /page.php. The manipulation of the argument ID leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed…

  • CVE-2025-5434 | High | Jun 2, 2025
    risk 0.47 | cvss 7.3 | epss 0.00

    A vulnerability was found in Aem Solutions CMS up to 1.0. It has been classified as critical. This affects an unknown part of the file /page.php. The manipulation of the argument ID leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been…

  • CVE-2025-64112 | High | Oct 30, 2025
    risk 0.45 | cvss 8.0 | epss 0.00

    Statamic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This…

  • CVE-2020-37237 | Medium | May 16, 2026
    risk 0.42 | cvss 6.4 | epss 0.00

    Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Attackers with admin credentials can inject XSS payloads in the Description field of the Add…

  • CVE-2025-3534 | Medium | Apr 13, 2025
    risk 0.41 | cvss 6.3 | epss 0.00

    A vulnerability, which was classified as critical, was found in PowerCreator CMS 1.0. Affected is an unknown function of the file /OpenPublicCourse.aspx. The manipulation of the argument cid leads to SQL injection. It is possible to launch the attack remotely. The exploit has…

  • CVE-2026-3395 | High | Mar 1, 2026
    risk 0.40 | cvss 7.3 | epss 0.00

    A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Executing a manipulation can lead to code injection. It is possible to…

  • CVE-2016-20053 | Medium | Apr 4, 2026
    risk 0.34 | cvss 5.3 | epss 0.00

    Redaxo CMS 5.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the users endpoint…

  • CVE-2016-20051 | Medium | Apr 4, 2026
    risk 0.34 | cvss 5.3 | epss 0.00

    Snews CMS 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials without authentication by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form…

  • CVE-2013-20005 | Medium | Mar 16, 2026
    risk 0.34 | cvss 5.3 | epss 0.00

    Qool CMS 2.0 RC2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious web pages. Attackers can forge POST requests to the /admin/adduser endpoint with parameters like…

  • CVE-2026-45660 | Medium | May 29, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the…

  • CVE-2026-44306 | Medium | May 12, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which…

Page 1 of 4