VYPR

UliCMS

by UliCMS

CVEs (7)

  • CVE-2020-12704MedMay 7, 2020
    risk 0.43cvss 6.1epss 0.01

    UliCMS before 2020.2 has PageController stored XSS.

  • CVE-2019-11398MedMay 8, 2019
    risk 0.43cvss 6.1epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in UliCMS 2019.2 and 2019.1 allow remote attackers to inject arbitrary web script or HTML via the go parameter to admin/index.php, the go parameter to /admin/index.php?register=register, or the error parameter to…

  • CVE-2020-12703MedMay 7, 2020
    risk 0.40cvss 6.1epss 0.01

    UliCMS before 2020.2 has XSS during PackageController uninstall.

  • CVE-2023-53925Dec 17, 2025
    risk 0.00cvss epss 0.00

    UliCMS 2023.1 contains a stored cross-site scripting vulnerability that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the file management interface that execute arbitrary scripts when viewed by other users.

  • CVE-2023-53924Dec 17, 2025
    risk 0.00cvss epss 0.01

    UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system…

  • CVE-2023-53923Dec 17, 2025
    risk 0.00cvss epss 0.00

    UliCMS 2023.1 contains a privilege escalation vulnerability that allows unauthenticated attackers to create administrative accounts through the UserController endpoint. Attackers can send a crafted POST request to /dist/admin/index.php with specific parameters to generate a new…

  • CVE-2023-53914Dec 17, 2025
    risk 0.00cvss epss 0.01

    UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. Attackers can send a crafted POST request to the admin index.php endpoint with specific parameters to generate…