Agora
Source repositories
CVEs (6)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-55135 | Med | 0.35 | 6.4 | 0.00 | Aug 7, 2025 | In Agora Foundation Agora fall23-Alpha1 before 690ce56, there is XSS via a profile picture to server/controller/userController.js. Formats other than PNG, JPEG, and WEBP are permitted by server/routes/userRoutes.js; this includes SVG. | ||
| CVE-2025-55134 | Med | 0.35 | 6.4 | 0.00 | Aug 7, 2025 | In Agora Foundation Agora fall23-Alpha1 before b087490, there is XSS via tag in client/agora/public/js/editorManager.js. | ||
| CVE-2025-55133 | Med | 0.35 | 6.4 | 0.00 | Aug 7, 2025 | In Agora Foundation Agora fall23-Alpha1 before b087490, there is XSS via topicName in client/agora/public/js/editorManager.js. | ||
| CVE-2006-7194 | 0.04 | — | 0.08 | Apr 18, 2007 | PHP remote file inclusion vulnerability in modules/Mysqlfinder/MysqlfinderAdmin.php in Agora 1.4 RC1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the _SESSION[PATH_COMPOSANT] parameter. | |||
| CVE-2025-67079 | 0.00 | — | 0.00 | Jan 15, 2026 | File upload vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute code through the MSL engine of the Imagick library via crafted PDF file to the file upload and thumbnail functions. | |||
| CVE-2025-67076 | 0.00 | — | 0.00 | Jan 15, 2026 | Directory traversal vulnerability in Omnispace Agora Project before 25.10 allowing unauthenticated attackers to read files on the system via the misc controller and the ExternalGetFile action. Only files with an extension can be read. |
- risk 0.35cvss 6.4epss 0.00
In Agora Foundation Agora fall23-Alpha1 before 690ce56, there is XSS via a profile picture to server/controller/userController.js. Formats other than PNG, JPEG, and WEBP are permitted by server/routes/userRoutes.js; this includes SVG.
- risk 0.35cvss 6.4epss 0.00
In Agora Foundation Agora fall23-Alpha1 before b087490, there is XSS via tag in client/agora/public/js/editorManager.js.
- risk 0.35cvss 6.4epss 0.00
In Agora Foundation Agora fall23-Alpha1 before b087490, there is XSS via topicName in client/agora/public/js/editorManager.js.
- CVE-2006-7194Apr 18, 2007risk 0.04cvss —epss 0.08
PHP remote file inclusion vulnerability in modules/Mysqlfinder/MysqlfinderAdmin.php in Agora 1.4 RC1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the _SESSION[PATH_COMPOSANT] parameter.
- CVE-2025-67079Jan 15, 2026risk 0.00cvss —epss 0.00
File upload vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute code through the MSL engine of the Imagick library via crafted PDF file to the file upload and thumbnail functions.
- CVE-2025-67076Jan 15, 2026risk 0.00cvss —epss 0.00
Directory traversal vulnerability in Omnispace Agora Project before 25.10 allowing unauthenticated attackers to read files on the system via the misc controller and the ExternalGetFile action. Only files with an extension can be read.