VYPR

Vendor: Aimeos

Products: 48
CVEs: 83
Across products: 76
Status: Private

Recent CVEs (83 total)
  • CVE-2026-45247 (Critical, KEV), May 26, 2026
    risk 0.76, cvss 9.8, epss 0.28

    Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit…

  • CVE-2025-48200 (Critical), May 21, 2025
    risk 0.65, cvss 10.0, epss 0.01

    The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution.

  • CVE-2024-4228 (Critical), Jun 26, 2024
    risk 0.64, cvss 9.8, epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE-200 Exposure of Sensitive Information to an Unauthorized Actor, CWE-522 Insufficiently Protected Credentials vulnerability in Magarsus Consultancy SSO (Single Sign On) allows SQL…

  • CVE-2024-36681 (Critical), Jun 24, 2024
    risk 0.64, cvss 9.8, epss 0.01

    SQL Injection vulnerability in the module "Isotope" (pk_isotope) <= 1.7.3 from Promokit.eu for PrestaShop allows attackers to obtain sensitive information and cause other impacts via the `pk_isotope::saveData` and `pk_isotope::removeData` methods.

  • CVE-2024-34989 (Critical), Jun 21, 2024
    risk 0.64, cvss 9.8, epss 0.00

    In the module RSI PDF/HTML catalog evolution (prestapdf) <= 7.0.0 from RSI for PrestaShop, a guest can perform SQL injection via `PrestaPDFProductListModuleFrontController::queryDb()`.

  • CVE-2024-33276 (Critical), Apr 29, 2024
    risk 0.64, cvss 9.8, epss 0.01

    SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the PreorderModel::getIdProductAttributesByIdAttributes() method.

  • CVE-2024-33269 (Critical), Apr 29, 2024
    risk 0.64, cvss 9.8, epss 0.01

    SQL Injection vulnerability in Prestaddons flashsales 1.9.7 and before allows an attacker to run arbitrary SQL commands via the FsModel::getFlashSales method.

  • CVE-2024-33266 (Critical), Apr 29, 2024
    risk 0.64, cvss 9.8, epss 0.01

    SQL Injection vulnerability in Helloshop deliveryorderautoupdate v.2.8.1 and before allows an attacker to run arbitrary SQL commands via the DeliveryorderautoupdateOrdersModuleFrontController::initContent function.

  • CVE-2026-29203 (High), May 8, 2026
    risk 0.57, cvss 8.8, epss 0.00

    A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled…

  • CVE-2025-28357 (High), Oct 1, 2025
    risk 0.57, cvss 8.8, epss 0.00

    A CRLF injection vulnerability in Neto CMS v6.313.0 through v6.314.0 allows attackers to execute arbitrary code via supplying a crafted HTTP request.

  • CVE-2025-9573 (High), Sep 2, 2025
    risk 0.56, cvss n/a, epss 0.01

    The ns_backup extension through 13.0.2 for TYPO3 allows command injection.

  • CVE-2025-48205 (High), May 21, 2025
    risk 0.56, cvss 8.6, epss 0.00

    The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference.

  • CVE-2014-6046 (High), Aug 28, 2018
    risk 0.53, cvss 8.8, epss 0.02

    Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open…

  • CVE-2021-30492 (Critical), Apr 29, 2021
    risk 0.52, cvss n/a, epss 0.00

    Impact: Lack of input validation of the Zendesk subdomain could expose users of the library to Server Side Request Forgery (SSRF). Resolution: Validate the provided Zendesk subdomain to be a valid subdomain in getAuthUrl and getAccessToken.

  • CVE-2026-46394 (High), Jun 5, 2026
    risk 0.50, cvss n/a, epss 0.01

    HAX CMS helps manage a microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The application constructs shell command strings using unsanitized input and executes them…

  • CVE-2026-8427 (High), May 21, 2026
    risk 0.50, cvss 8.8, epss 0.00

    Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L…

  • CVE-2024-38516 (High), Jun 25, 2024
    risk 0.50, cvss 8.8, epss 0.01

    ai-client-html is an Aimeos e-commerce HTML client component. Debug information revealed sensitive information from environment variables in the error log. This issue has been patched in versions 2024.04.7, 2023.10.15, 2022.10.13 and 2021.10.22.

  • CVE-2024-34991 (High), Jun 24, 2024
    risk 0.49, cvss 7.5, epss 0.00

    In the module "Axepta" (axepta) before 1.3.4 from Quadra Informatique for PrestaShop, a guest can download partial credit card information (expiry date), postal address, email, etc. without restriction due to a lack of permissions control.

  • CVE-2023-45385 (High), Apr 30, 2024
    risk 0.49, cvss 7.5, epss 0.01

    ProQuality pqprintshippinglabels before v.4.15.0 is vulnerable to Directory Traversal via the pqprintshippinglabels module.

  • CVE-2025-60869 (High), Oct 10, 2025
    risk 0.47, cvss 7.3, epss 0.00

    Publii CMS v0.46.5 (build 17089) allows persistent Cross-Site Scripting (XSS) via unsanitized input in configuration fields such as "Site Description" and "Footer Follow Buttons". An attacker can inject arbitrary JavaScript, which is stored in the project and executed in the…