PerfreeBlog
by perfree
CVEs (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-30333 | perfree / PerfreeBlog | Critical | 0.64 | 9.8 | 0.01 | | May 18, 2023 | An arbitrary file upload vulnerability in the component /admin/ThemeController.java of PerfreeBlog v3.1.2 allows attackers to execute arbitrary code via a crafted file. |
| CVE-2025-29281 | perfree / PerfreeBlog | High | 0.57 | 8.8 | 0.01 | | Apr 15, 2025 | In PerfreeBlog version 4.0.11, regular users can exploit the arbitrary file upload vulnerability in the attach component to upload arbitrary files and execute code within them. |
| CVE-2023-40825 | perfree / PerfreeBlog | High | 0.47 | 7.2 | 0.01 | | Aug 28, 2023 | An issue in Perfree PerfreeBlog v.3.1.2 allows a remote attacker to execute arbitrary code via crafted plugin listed in admin/plugin/access/list. |
| CVE-2023-29643 | perfree / PerfreeBlog | Medium | 0.35 | 5.4 | 0.00 | | May 1, 2023 | Cross Site Scripting (XSS) vulnerability in PerfreeBlog 3.1.2 allows attackers to execute arbitrary code via the Post function. |
| CVE-2025-29280 | perfree / PerfreeBlog | Medium | 0.31 | 4.8 | 0.00 | | Apr 15, 2025 | Stored cross-site scripting vulnerability exists in PerfreeBlog v4.0.11 in the website name field of the backend system settings interface allows an attacker to insert and execute arbitrary malicious code. |
| CVE-2025-5164 | perfree / PerfreeBlog | Low | 0.24 | 3.7 | 0.01 | | May 26, 2025 | A vulnerability has been found in PerfreeBlog 4.0.11 and classified as problematic. This vulnerability affects the function JwtUtil of the component JWT Handler. The manipulation leads to use of hard-coded cryptographic key. The attack can be initiated remotely. The complexity… |
| CVE-2025-60319 | perfree / PerfreeBlog | | 0.00 | — | 0.00 | | Oct 30, 2025 | PerfreeBlog v4.0.11 is vulnerable to Server-Side Request Forgery due to a missing authorization check in the uploadAttachByUrl API endpoint (AttachController.java). |
| CVE-2025-60729 | perfree / PerfreeBlog | | 0.00 | — | 0.00 | | Oct 24, 2025 | PerfreeBlog v4.0.11 has an arbitrary file read vulnerability in the validThemeFilePath function. |
| CVE-2025-60735 | perfree / PerfreeBlog | | 0.00 | — | 0.00 | | Oct 24, 2025 | PerfreeBlog v4.0.11 has a File Upload vulnerability in the installPlugin function. |
| CVE-2025-60730 | perfree / PerfreeBlog | | 0.00 | — | 0.00 | | Oct 24, 2025 | PerfreeBlog v4.0.11 has an arbitrary file deletion vulnerability in the unInstallTheme function. |
| CVE-2025-29420 | perfree / PerfreeBlog | | 0.00 | — | 0.01 | | Aug 25, 2025 | PerfreeBlog v4.0.11 has a directory traversal vulnerability in the getThemeFilesByName function. |
| CVE-2025-29421 | perfree / PerfreeBlog | | 0.00 | — | 0.00 | | Aug 25, 2025 | PerfreeBlog v4.0.11 has an arbitrary file read vulnerability in the getThemeFileContent function. |