ProcessWire CMS
by ProcessWire
CVEs (6)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-27467 | Hig | 0.50 | 7.5 | 0.16 | Feb 24, 2022 | A Directory Traversal vulnerability exits in Processwire CMS before 2.7.1 via the download parameter to index.php. | ||
| CVE-2023-24676 | Hig | 0.47 | 7.2 | 0.01 | Jan 24, 2024 | An issue found in ProcessWire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the download_zip_url parameter when installing a new module. NOTE: this is disputed because exploitation requires that the attacker is able to enter requests as an… | ||
| CVE-2022-40488 | Med | 0.42 | 6.5 | 0.00 | Oct 31, 2022 | ProcessWire v3.0.200 was discovered to contain a Cross-Site Request Forgery (CSRF). | ||
| CVE-2022-40487 | Med | 0.40 | 6.1 | 0.00 | Oct 31, 2022 | ProcessWire v3.0.200 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Search Users and Search Pages function. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML via injection of a crafted payload. | ||
| CVE-2024-41597 | Med | 0.27 | 4.2 | 0.00 | Jul 19, 2024 | Cross Site Request Forgery vulnerability in ProcessWire v.3.0.229 allows a remote attacker to execute arbitrary code via a crafted HTML file to the comments functionality. | ||
| CVE-2025-60790 | 0.00 | — | 0.00 | Oct 21, 2025 | ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limits prior to validation, enabling resource-exhaustion Denial of Service. |
- risk 0.50cvss 7.5epss 0.16
A Directory Traversal vulnerability exits in Processwire CMS before 2.7.1 via the download parameter to index.php.
- risk 0.47cvss 7.2epss 0.01
An issue found in ProcessWire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the download_zip_url parameter when installing a new module. NOTE: this is disputed because exploitation requires that the attacker is able to enter requests as an…
- risk 0.42cvss 6.5epss 0.00
ProcessWire v3.0.200 was discovered to contain a Cross-Site Request Forgery (CSRF).
- risk 0.40cvss 6.1epss 0.00
ProcessWire v3.0.200 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Search Users and Search Pages function. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML via injection of a crafted payload.
- risk 0.27cvss 4.2epss 0.00
Cross Site Request Forgery vulnerability in ProcessWire v.3.0.229 allows a remote attacker to execute arbitrary code via a crafted HTML file to the comments functionality.
- CVE-2025-60790Oct 21, 2025risk 0.00cvss —epss 0.00
ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limits prior to validation, enabling resource-exhaustion Denial of Service.