Aimeos
Products
48 products
Recent CVEs (65)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-45247 | | Critical | 0.76 | 9.8 | 0.28 | KEV | May 26, 2026 | Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit… |
| CVE-2025-48200 | | Critical | 0.65 | 10.0 | 0.01 | | May 21, 2025 | The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution. |
| CVE-2024-4228 | | Critical | 0.64 | 9.8 | 0.00 | | Jun 26, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE-200 Exposure of Sensitive Information to an Unauthorized Actor, CWE-522 Insufficiently Protected Credentials vulnerability in Magarsus Consultancy SSO (Single Sign On) allows SQL… |
| CVE-2024-36681 | | Critical | 0.64 | 9.8 | 0.01 | | Jun 24, 2024 | SQL Injection vulnerability in the module "Isotope" (pk_isotope) <=1.7.3 from Promokit.eu for PrestaShop allows attackers to obtain sensitive information and cause other impacts via the `pk_isotope::saveData` and `pk_isotope::removeData` methods. |
| CVE-2024-34989 | | Critical | 0.64 | 9.8 | 0.00 | | Jun 21, 2024 | In the module RSI PDF/HTML catalog evolution (prestapdf) <= 7.0.0 from RSI for PrestaShop, a guest can perform SQL injection via `PrestaPDFProductListModuleFrontController::queryDb()`. |
| CVE-2024-33276 | | Critical | 0.64 | 9.8 | 0.01 | | Apr 29, 2024 | SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the `PreorderModel::getIdProductAttributesByIdAttributes()` method. |
| CVE-2024-33269 | | Critical | 0.64 | 9.8 | 0.01 | | Apr 29, 2024 | SQL Injection vulnerability in Prestaddons flashsales 1.9.7 and before allows an attacker to run arbitrary SQL commands via the `FsModel::getFlashSales` method. |
| CVE-2024-33266 | | Critical | 0.64 | 9.8 | 0.01 | | Apr 29, 2024 | SQL Injection vulnerability in Helloshop deliveryorderautoupdate v.2.8.1 and before allows an attacker to run arbitrary SQL commands via the `DeliveryorderautoupdateOrdersModuleFrontController::initContent` function. |
| CVE-2026-29203 | | High | 0.57 | 8.8 | 0.00 | | May 8, 2026 | A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled… |
| CVE-2025-28357 | | High | 0.57 | 8.8 | 0.00 | | Oct 1, 2025 | A CRLF injection vulnerability in Neto CMS v6.313.0 through v6.314.0 allows attackers to execute arbitrary code via supplying a crafted HTTP request. |
| CVE-2025-9573 | | High | 0.56 | — | 0.01 | | Sep 2, 2025 | The ns_backup extension through 13.0.2 for TYPO3 allows command injection. |
| CVE-2025-48205 | | High | 0.56 | 8.6 | 0.00 | | May 21, 2025 | The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference. |
| CVE-2014-6046 | | High | 0.53 | 8.8 | 0.02 | | Aug 28, 2018 | Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open… |
| CVE-2021-30492 | | Critical | 0.52 | — | 0.00 | | Apr 29, 2021 | Impact: Lack of input validation of the Zendesk subdomain could expose users of the library to Server Side Request Forgery (SSRF). Resolution: Validate the provided Zendesk subdomain to be a valid subdomain in `getAuthUrl` and `getAccessToken`. |
| CVE-2026-46394 | | High | 0.50 | — | 0.01 | | Jun 5, 2026 | HAX CMS helps manage a microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The application constructs shell command strings using unsanitized input and executes them… |
| CVE-2026-8427 | | High | 0.50 | 8.8 | 0.00 | | May 21, 2026 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L… |
| CVE-2024-38516 | | High | 0.50 | 8.8 | 0.01 | | Jun 25, 2024 | ai-client-html is an Aimeos e-commerce HTML client component. Debug information revealed sensitive information from environment variables in the error log. This issue has been patched in versions 2024.04.7, 2023.10.15, 2022.10.13 and 2021.10.22. |
| CVE-2018-20713 | | High | 0.50 | 8.8 | 0.01 | | Jan 15, 2019 | Shopware before 5.4.3 allows SQL Injection by remote authenticated users, aka SW-21404. |
| CVE-2024-34991 | | High | 0.49 | 7.5 | 0.00 | | Jun 24, 2024 | In the module "Axepta" (axepta) before 1.3.4 from Quadra Informatique for PrestaShop, a guest can download partial credit card information (expiry date), postal address, email, etc. without restriction due to a lack of permissions control. |
| CVE-2023-45385 | | High | 0.49 | 7.5 | 0.01 | | Apr 30, 2024 | ProQuality pqprintshippinglabels before v.4.15.0 is vulnerable to Directory Traversal via the pqprintshippinglabels module. |