VYPR · Vendor CVEs · Aimeos

All CVEs: 83 total, sorted by risk
  • CVE-2026-45247 · Critical · KEV · May 26, 2026
    risk 0.76 · cvss 9.8 · epss 0.28

    Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit…

  • CVE-2025-48200 · Critical · May 21, 2025
    risk 0.65 · cvss 10.0 · epss 0.01

    The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution.

  • CVE-2024-4228 · Critical · Jun 26, 2024
    risk 0.64 · cvss 9.8 · epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 200 - Exposure of Sensitive Information to an Unauthorized Actor, CWE - 522 - Insufficiently Protected Credentials vulnerability in Magarsus Consultancy SSO (Single Sign On) allows SQL…

  • CVE-2024-36681 · Critical · Jun 24, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    SQL Injection vulnerability in the module "Isotope" (pk_isotope) <=1.7.3 from Promokit.eu for PrestaShop allows attackers to obtain sensitive information and cause other impacts via `pk_isotope::saveData` and `pk_isotope::removeData` methods.

  • CVE-2024-34989 · Critical · Jun 21, 2024
    risk 0.64 · cvss 9.8 · epss 0.00

    In the module RSI PDF/HTML catalog evolution (prestapdf) <= 7.0.0 from RSI for PrestaShop, a guest can perform SQL injection via `PrestaPDFProductListModuleFrontController::queryDb()`.

  • CVE-2024-33276 · Critical · Apr 29, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the PreorderModel::getIdProductAttributesByIdAttributes() method.

  • CVE-2024-33269 · Critical · Apr 29, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    SQL Injection vulnerability in Prestaddons flashsales 1.9.7 and before allows an attacker to run arbitrary SQL commands via the FsModel::getFlashSales method.

  • CVE-2024-33266 · Critical · Apr 29, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    SQL Injection vulnerability in Helloshop deliveryorderautoupdate v.2.8.1 and before allows an attacker to run arbitrary SQL commands via the DeliveryorderautoupdateOrdersModuleFrontController::initContent function.

  • CVE-2026-29203 · High · May 8, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled…

  • CVE-2025-28357 · High · Oct 1, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    A CRLF injection vulnerability in Neto CMS v6.313.0 through v6.314.0 allows attackers to execute arbitrary code via supplying a crafted HTTP request.

  • CVE-2025-9573 · High · Sep 2, 2025
    risk 0.56 · cvss - · epss 0.01

    The ns_backup extension through 13.0.2 for TYPO3 allows command injection.

  • CVE-2025-48205 · High · May 21, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference.

  • CVE-2014-6046 · High · Aug 28, 2018
    risk 0.53 · cvss 8.8 · epss 0.02

    Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open…

  • CVE-2021-30492 · Critical · Apr 29, 2021
    risk 0.52 · cvss - · epss 0.00

    Impact: Lack of input validation of the Zendesk subdomain could expose users of the library to Server Side Request Forgery (SSRF). Resolution: Validate the provided Zendesk subdomain to be a valid subdomain in getAuthUrl and getAccessToken.

  • CVE-2026-46394 · High · Jun 5, 2026
    risk 0.50 · cvss - · epss 0.01

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The application constructs shell command strings using unsanitized input and executes them…

  • CVE-2026-8427 · High · May 21, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L…

  • CVE-2024-38516 · High · Jun 25, 2024
    risk 0.50 · cvss 8.8 · epss 0.01

    ai-client-html is an Aimeos e-commerce HTML client component. Debug information revealed sensitive information from environment variables in error log. This issue has been patched in versions 2024.04.7, 2023.10.15, 2022.10.13 and 2021.10.22.

  • CVE-2024-34991 · High · Jun 24, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    In the module "Axepta" (axepta) before 1.3.4 from Quadra Informatique for PrestaShop, a guest can download partial credit card information (expiry date) / postal address / email / etc. without restriction due to a lack of permissions control.

  • CVE-2023-45385 · High · Apr 30, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    ProQuality pqprintshippinglabels before v.4.15.0 is vulnerable to Directory Traversal via the pqprintshippinglabels module.

  • CVE-2025-60869 · High · Oct 10, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    Publii CMS v0.46.5 (build 17089) allows persistent Cross-Site Scripting (XSS) via unsanitized input in configuration fields such as "Site Description" and "Footer Follow Buttons". An attacker can inject arbitrary JavaScript, which is stored in the project and executed in the…

  • CVE-2026-8727 · High · May 19, 2026
    risk 0.46 · cvss - · epss 0.00

    The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation…

  • CVE-2020-36950 · Medium · Jan 27, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Laravel Nova 3.7.0 contains a denial of service vulnerability that allows authenticated users to crash the application by manipulating the 'range' parameter. Attackers can send simultaneous requests with an extremely high range value to overwhelm and crash the server.

  • CVE-2018-16141 · Medium · Aug 30, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    ThinkCMF X2.2.3 has an arbitrary file deletion vulnerability in do_avatar in \application\User\Controller\ProfileController.class.php via an imgurl parameter with a ..\ sequence. A member user can delete any file on a Windows server.

  • CVE-2024-37295 · High · Jun 11, 2024
    risk 0.40 · cvss 7.2 · epss 0.01

    Aimeos is an Open Source e-commerce framework for online shops. Starting in version 2024.01.1 and prior to version 2024.04.5, a user with administrative privileges can upload files that look like images but contain PHP code which can then be executed in the context of the web…

  • CVE-2024-39323 · High · Jul 2, 2024
    risk 0.39 · cvss 7.1 · epss 0.00

    aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end.…

  • CVE-2014-6072 · High · May 30, 2024
    risk 0.39 · cvss - · epss 0.01

    All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony WebProfiler bundle are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not…

  • CVE-2014-5245 · High · May 30, 2024
    risk 0.39 · cvss - · epss 0.01

    All 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpKernel component are affected by this security issue. Your application is vulnerable only if the ESI feature is enabled and there is a proxy in front of the web application. This issue has been fixed in Symfony…

  • CVE-2014-5244 · High · May 30, 2024
    risk 0.39 · cvss - · epss 0.02

    All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not…

  • CVE-2014-4931 · High · May 30, 2024
    risk 0.39 · cvss - · epss 0.01

    When investigating issue [#11093](https://github.com/symfony/symfony/issues/11093), [Jeremy Derussé](https://connect.sensiolabs.com/profile/jderusse) found a serious code injection issue in the way Symfony implements translation caching in FrameworkBundle. - Your Symfony…

  • CVE-2026-46723 · Medium · May 19, 2026
    risk 0.38 · cvss - · epss 0.00

    The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index.

  • CVE-2026-7887 · Medium · May 21, 2026
    risk 0.35 · cvss 6.4 · epss 0.00

    For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this…

  • CVE-2023-45256 · Medium · Jun 12, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    Multiple SQL injection vulnerabilities in the EuroInformation MoneticoPaiement module before 1.1.1 for PrestaShop allow remote attackers to execute arbitrary SQL commands via the TPE, societe, MAC, reference, or aliascb parameter to transaction.php, validation.php, or…

  • CVE-2024-47173 · Medium · Oct 24, 2024
    risk 0.29 · cvss 5.5 · epss 0.00

    Aimeos is an e-commerce framework. All SaaS and marketplace setups using the Aimeos GraphQL API admin interface version from 2024.04 up to 2024.07.1 are affected by a potential denial of service attack. Version 2024.07.2 fixes the issue.

  • CVE-2024-37294 · Medium · Jun 11, 2024
    risk 0.29 · cvss 5.5 · epss 0.00

    Aimeos is an Open Source e-commerce framework for online shops. All SaaS and marketplace setups using Aimeos version from 2022/2023/2024 are affected by a potential denial of service attack. Users should upgrade to versions 2022.10.17, 2023.10.17, or 2024.04 of the…

  • CVE-2024-37296 · Medium · Jun 11, 2024
    risk 0.27 · cvss 5.3 · epss 0.01

    The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g.…

  • CVE-2022-31114 · Medium · Jun 3, 2026
    risk 0.26 · cvss - · epss 0.00

    backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Versions prior to 5.0.13, 4.1.69, and 4.0.63 are vulnerable to cross-site scripting. An attacker could conduct…

  • CVE-2025-30083 · Medium · Mar 19, 2025
    risk 0.26 · cvss - · epss 0.00

    A cross-site scripting (XSS) vulnerability has been discovered in the Additional TCA extension. This vulnerability is exploitable by a logged in backend user utilizing the TYPO3 backend user interface. This user can create output in the HTML context by exploiting improperly…

  • CVE-2023-50462 · Medium · Dec 13, 2023
    risk 0.26 · cvss - · epss 0.01

    The extension fails to verify whether a specified content element identifier is permitted by the plugin. This enables an unauthenticated user to display various content elements, leading to an insecure direct object reference (IDOR) vulnerability with the potential to expose…

  • CVE-2023-50459 · Medium · Dec 13, 2023
    risk 0.26 · cvss - · epss 0.00

    The extension fails to check access permissions for the edit user component. An authenticated frontend user can use the vulnerability to either edit data of various frontend users or to delete various frontend user accounts. Another missing access check in the backend module of…

  • CVE-2015-2309 · Medium · May 30, 2024
    risk 0.19 · cvss - · epss 0.01

    All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, 2.5.X, and 2.6.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.27, 2.5.11, and 2.6.6. Note that no fixes are provided for Symfony 2.0, 2.1, 2.2, and 2.4 as…

  • CVE-2014-6061 · Medium · May 30, 2024
    risk 0.19 · cvss - · epss 0.01

    All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not…

  • CVE-2025-11019 · Low · Sep 26, 2025
    risk 0.16 · cvss 2.4 · epss 0.00

    A vulnerability has been found in Total.js CMS up to 19.9.0. This impacts an unknown function of the component Files Menu. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

  • CVE-2025-10940 · Low · Sep 25, 2025
    risk 0.16 · cvss 2.4 · epss 0.00

    A vulnerability was found in Total.js CMS 1.0.0. Affected by this vulnerability is the function layouts_save of the file /admin/ of the component Layout Page. Performing manipulation of the argument HTML results in cross site scripting. It is possible to initiate the attack…

  • CVE-2017-18357 · Jan 15, 2019
    risk 0.08 · cvss - · epss 0.27

    Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.

  • CVE-2019-9650 · Mar 11, 2019
    risk 0.03 · cvss - · epss 0.03

    An XSS issue was discovered in upcoming_events.php in the Upcoming Events plugin before 1.33 for MyBB via a crafted name for an event.

  • CVE-2018-19799 · Dec 26, 2018
    risk 0.03 · cvss - · epss 0.04

    Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexport= XSS.

  • CVE-2022-44276 · Jun 28, 2023
    risk 0.02 · cvss - · epss 0.02

    In Responsive Filemanager < 9.12.0, an attacker can bypass upload restrictions resulting in RCE.

  • CVE-2026-56396 · Jun 21, 2026
    risk 0.00 · cvss - · epss 0.00

    phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with edit_user permission can set is_superadmin flag or grant arbitrary rights…

  • CVE-2025-14840 · Jan 28, 2026
    risk 0.00 · cvss - · epss 0.00

    Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing. This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1.

  • CVE-2025-13980 · Jan 28, 2026
    risk 0.00 · cvss - · epss 0.00

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass. This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before…

Page 1 of 2