FuelCMS
CVEs (14)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-16763 | | Cri | 0.73 | 9.8 | 0.83 | | Sep 9, 2018 | FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution. |
| CVE-2018-16762 | | Cri | 0.64 | 9.8 | 0.01 | | Sep 9, 2018 | FUEL CMS 1.4.1 allows SQL Injection via the layout, published, or search_term parameter to pages/items. |
| CVE-2026-30460 | | Hig | 0.57 | 8.8 | 0.01 | | Apr 7, 2026 | Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module. |
| CVE-2018-20188 | | Hig | 0.57 | 8.8 | 0.01 | | Dec 17, 2018 | FUEL CMS 1.4.3 has CSRF via users/create/ to add an administrator account. |
| CVE-2018-16416 | | Hig | 0.57 | 8.8 | 0.01 | | Sep 3, 2018 | Cross-site request forgery (CSRF) vulnerability in my_profile/edit?inline= in FUEL CMS 1.4 allows remote attackers to change the administrator's password. |
| CVE-2026-30461 | | Hig | 0.54 | 8.3 | 0.01 | | Apr 15, 2026 | Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule. |
| CVE-2026-30459 | | Hig | 0.46 | 7.1 | 0.00 | | Apr 16, 2026 | An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message. |
| CVE-2021-44607 | | Med | 0.35 | 5.4 | 0.00 | | Feb 24, 2022 | A Cross Site Scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 in the Assets page via an SVG file. |
| CVE-2018-20137 | | Med | 0.31 | 4.8 | 0.01 | | Dec 13, 2018 | XSS exists in FUEL CMS 1.4.3 via the Page title, Meta description, or Meta keywords during page data management, as demonstrated by the pages/edit/1?lang=english URI. |
| CVE-2018-20136 | | Med | 0.31 | 4.8 | 0.01 | | Dec 13, 2018 | XSS exists in FUEL CMS 1.4.3 via the Header or Body in the Layout Variables during new-page creation, as demonstrated by the pages/edit/1?lang=english URI. |
| CVE-2026-30462 | | Med | 0.28 | 4.3 | 0.01 | | Apr 27, 2026 | A path traversal vulnerability in the Blocks module of Daylight Studio FuelCMS v1.5.2 allows attackers to execute a directory traversal. |
| CVE-2026-30457 | | | 0.00 | — | 0.01 | | Mar 26, 2026 | An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code. |
| CVE-2026-30458 | | | 0.00 | — | 0.00 | | Mar 26, 2026 | An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset tokens via a mail splitting attack. |
| CVE-2026-30463 | | | 0.00 | — | 0.00 | | Mar 26, 2026 | Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component. |