Vendor CVEs
Aimeos
All CVEs
83 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-45247 | Cri | 0.76 | 9.8 | 0.28 | KEV | May 26, 2026 | Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit… | |
| CVE-2025-48200 | Cri | 0.65 | 10.0 | 0.01 | May 21, 2025 | The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution. | ||
| CVE-2024-4228 | Cri | 0.64 | 9.8 | 0.00 | Jun 26, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 200 - Exposure of Sensitive Information to an Unauthorized Actor, CWE - 522 - Insufficiently Protected Credentials vulnerability in Magarsus Consultancy SSO (Single Sign On) allows SQL… | ||
| CVE-2024-36681 | Cri | 0.64 | 9.8 | 0.01 | Jun 24, 2024 | SQL Injection vulnerability in the module "Isotope" (pk_isotope) <=1.7.3 from Promokit.eu for PrestaShop allows attackers to obtain sensitive information and cause other impacts via `pk_isotope::saveData` and `pk_isotope::removeData` methods. | ||
| CVE-2024-34989 | Cri | 0.64 | 9.8 | 0.00 | Jun 21, 2024 | In the module RSI PDF/HTML catalog evolution (prestapdf) <= 7.0.0 from RSI for PrestaShop, a guest can perform SQL injection via `PrestaPDFProductListModuleFrontController::queryDb().' | ||
| CVE-2024-33276 | Cri | 0.64 | 9.8 | 0.01 | Apr 29, 2024 | SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the PreorderModel::getIdProductAttributesByIdAttributes() method. | ||
| CVE-2024-33269 | Cri | 0.64 | 9.8 | 0.01 | Apr 29, 2024 | SQL Injection vulnerability in Prestaddons flashsales 1.9.7 and before allows an attacker to run arbitrary SQL commands via the FsModel::getFlashSales method. | ||
| CVE-2024-33266 | Cri | 0.64 | 9.8 | 0.01 | Apr 29, 2024 | SQL Injection vulnerability in Helloshop deliveryorderautoupdate v.2.8.1 and before allows an attacker to run arbitrary SQL commands via the DeliveryorderautoupdateOrdersModuleFrontController::initContent function. | ||
| CVE-2026-29203 | Hig | 0.57 | 8.8 | 0.00 | May 8, 2026 | A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled… | ||
| CVE-2025-28357 | Hig | 0.57 | 8.8 | 0.00 | Oct 1, 2025 | A CRLF injection vulnerability in Neto CMS v6.313.0 through v6.314.0 allows attackers to execute arbitrary code via supplying a crafted HTTP request. | ||
| CVE-2025-9573 | Hig | 0.56 | — | 0.01 | Sep 2, 2025 | The ns_backup extension through 13.0.2 for TYPO3 allows command injection. | ||
| CVE-2025-48205 | Hig | 0.56 | 8.6 | 0.00 | May 21, 2025 | The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference. | ||
| CVE-2014-6046 | Hig | 0.53 | 8.8 | 0.02 | Aug 28, 2018 | Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open… | ||
| CVE-2021-30492 | cri | 0.52 | — | 0.00 | Apr 29, 2021 | ### Impact Lack of input validation of the Zendesk subdomain could expose users of the library to Server Side Request Forgery (SSRF). ### Resolution Validate the provided Zendesk subdomain to be a valid subdomain in: * getAuthUrl * getAccessToken | ||
| CVE-2026-46394 | Hig | 0.50 | — | 0.01 | Jun 5, 2026 | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The application constructs shell command strings using unsanitized input and executes them… | ||
| CVE-2026-8427 | Hig | 0.50 | 8.8 | 0.00 | May 21, 2026 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L… | ||
| CVE-2024-38516 | Hig | 0.50 | 8.8 | 0.01 | Jun 25, 2024 | ai-client-html is an Aimeos e-commerce HTML client component. Debug information revealed sensitive information from environment variables in error log. This issue has been patched in versions 2024.04.7, 2023.10.15, 2022.10.13 and 2021.10.22. | ||
| CVE-2024-34991 | Hig | 0.49 | 7.5 | 0.00 | Jun 24, 2024 | In the module "Axepta" (axepta) before 1.3.4 from Quadra Informatique for PrestaShop, a guest can download partial credit card information (expiry date) / postal address / email / etc. without restriction due to a lack of permissions control. | ||
| CVE-2023-45385 | Hig | 0.49 | 7.5 | 0.01 | Apr 30, 2024 | ProQuality pqprintshippinglabels before v.4.15.0 is vulnerable to Directory Traversal via the pqprintshippinglabels module. | ||
| CVE-2025-60869 | Hig | 0.47 | 7.3 | 0.00 | Oct 10, 2025 | Publii CMS v0.46.5 (build 17089) allows persistent Cross-Site Scripting (XSS) via unsanitized input in configuration fields such as "Site Description" and "Footer Follow Buttons". An attacker can inject arbitrary JavaScript, which is stored in the project and executed in the… | ||
| CVE-2026-8727 | Hig | 0.46 | — | 0.00 | May 19, 2026 | The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation… | ||
| CVE-2020-36950 | Med | 0.42 | 6.5 | 0.00 | Jan 27, 2026 | Laravel Nova 3.7.0 contains a denial of service vulnerability that allows authenticated users to crash the application by manipulating the 'range' parameter. Attackers can send simultaneous requests with an extremely high range value to overwhelm and crash the server. | ||
| CVE-2018-16141 | Med | 0.42 | 6.5 | 0.01 | Aug 30, 2018 | ThinkCMF X2.2.3 has an arbitrary file deletion vulnerability in do_avatar in \application\User\Controller\ProfileController.class.php via an imgurl parameter with a ..\ sequence. A member user can delete any file on a Windows server. | ||
| CVE-2024-37295 | Hig | 0.40 | 7.2 | 0.01 | Jun 11, 2024 | Aimeos is an Open Source e-commerce framework for online shops. Starting in version 2024.01.1 and prior to version 2024.04.5, a user with administrative privileges can upload files that look like images but contain PHP code which can then be executed in the context of the web… | ||
| CVE-2024-39323 | Hig | 0.39 | 7.1 | 0.00 | Jul 2, 2024 | aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end.… | ||
| CVE-2014-6072 | hig | 0.39 | — | 0.01 | May 30, 2024 | All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony WebProfiler bundle are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not… | ||
| CVE-2014-5245 | hig | 0.39 | — | 0.01 | May 30, 2024 | All 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpKernel component are affected by this security issue. Your application is vulnerable only if the ESI feature is enabled and there is a proxy in front of the web application. This issue has been fixed in Symfony… | ||
| CVE-2014-5244 | hig | 0.39 | — | 0.02 | May 30, 2024 | All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not… | ||
| CVE-2014-4931 | hig | 0.39 | — | 0.01 | May 30, 2024 | When investigating issue [#11093](https://github.com/symfony/symfony/issues/11093), [Jeremy Derussé](https://connect.sensiolabs.com/profile/jderusse) found a serious code injection issue in the way Symfony implements translation caching in FrameworkBundle. - Your Symfony… | ||
| CVE-2026-46723 | Med | 0.38 | — | 0.00 | May 19, 2026 | The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index. | ||
| CVE-2026-7887 | Med | 0.35 | 6.4 | 0.00 | May 21, 2026 | For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this… | ||
| CVE-2023-45256 | Med | 0.35 | 5.4 | 0.00 | Jun 12, 2025 | Multiple SQL injection vulnerabilities in the EuroInformation MoneticoPaiement module before 1.1.1 for PrestaShop allow remote attackers to execute arbitrary SQL commands via the TPE, societe, MAC, reference, or aliascb parameter to transaction.php, validation.php, or… | ||
| CVE-2024-47173 | Med | 0.29 | 5.5 | 0.00 | Oct 24, 2024 | Aimeos is an e-commerce framework. All SaaS and marketplace setups using the Aimeos GraphQL API admin interface version from 2024.04 up to 2024.07.1 are affected by a potential denial of service attack. Version 2024.07.2 fixes the issue. | ||
| CVE-2024-37294 | Med | 0.29 | 5.5 | 0.00 | Jun 11, 2024 | Aimeos is an Open Source e-commerce framework for online shops. All SaaS and marketplace setups using Aimeos version from 2022/2023/2024 are affected by a potential denial of service attack. Users should upgrade to versions 2022.10.17, 2023.10.17, or 2024.04 of the… | ||
| CVE-2024-37296 | Med | 0.27 | 5.3 | 0.01 | Jun 11, 2024 | The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g.… | ||
| CVE-2022-31114 | Med | 0.26 | — | 0.00 | Jun 3, 2026 | backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Versions prior to 5.0.13, 4.1.69, and 4.0.63 are vulnerable to cross-site scripting. An attacker could conduct… | ||
| CVE-2025-30083 | med | 0.26 | — | 0.00 | Mar 19, 2025 | A cross-site scripting (XSS) vulnerability has been discovered in the Additional TCA extension. This vulnerabily is exploitable by a logged in backend user utilizing the TYPO3 backend user interface. This user can create output in the HTML context by exploiting improperly… | ||
| CVE-2023-50462 | med | 0.26 | — | 0.01 | Dec 13, 2023 | The extension fails to verify whether a specified content element identifier is permitted by the plugin. This enables an unauthenticated user to display various content elements, leading to an insecure direct object reference (IDOR) vulnerability with the potential to expose… | ||
| CVE-2023-50459 | med | 0.26 | — | 0.00 | Dec 13, 2023 | The extension fails to check access permissions for the edit user component. An authenticated frontend user can use the vulnerability to either edit data of various frontend users or to delete various frontend user accounts. Another missing access check in the backend module of… | ||
| CVE-2015-2309 | med | 0.19 | — | 0.01 | May 30, 2024 | All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, 2.5.X, and 2.6.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.27, 2.5.11, and 2.6.6. Note that no fixes are provided for Symfony 2.0, 2.1, 2.2, and 2.4 as… | ||
| CVE-2014-6061 | med | 0.19 | — | 0.01 | May 30, 2024 | All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not… | ||
| CVE-2025-11019 | Low | 0.16 | 2.4 | 0.00 | Sep 26, 2025 | A vulnerability has been found in Total.js CMS up to 19.9.0. This impacts an unknown function of the component Files Menu. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||
| CVE-2025-10940 | Low | 0.16 | 2.4 | 0.00 | Sep 25, 2025 | A vulnerability was found in Total.js CMS 1.0.0. Affected by this vulnerability is the function layouts_save of the file /admin/ of the component Layout Page. Performing manipulation of the argument HTML results in cross site scripting. It is possible to initiate the attack… | ||
| CVE-2017-18357 | 0.08 | — | 0.27 | Jan 15, 2019 | Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object. | |||
| CVE-2019-9650 | 0.03 | — | 0.03 | Mar 11, 2019 | An XSS issue was discovered in upcoming_events.php in the Upcoming Events plugin before 1.33 for MyBB via a crafted name for an event. | |||
| CVE-2018-19799 | 0.03 | — | 0.04 | Dec 26, 2018 | Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexport= XSS. | |||
| CVE-2022-44276 | 0.02 | — | 0.02 | Jun 28, 2023 | In Responsive Filemanager < 9.12.0, an attacker can bypass upload restrictions resulting in RCE. | |||
| CVE-2026-56396 | 0.00 | — | 0.00 | Jun 21, 2026 | phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with edit_user permission can set is_superadmin flag or grant arbitrary rights… | |||
| CVE-2025-14840 | 0.00 | — | 0.00 | Jan 28, 2026 | Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing.This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1. | |||
| CVE-2025-13980 | 0.00 | — | 0.00 | Jan 28, 2026 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before… |
- risk 0.76cvss 9.8epss 0.28
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit…
- risk 0.65cvss 10.0epss 0.01
The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution.
- risk 0.64cvss 9.8epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 200 - Exposure of Sensitive Information to an Unauthorized Actor, CWE - 522 - Insufficiently Protected Credentials vulnerability in Magarsus Consultancy SSO (Single Sign On) allows SQL…
- risk 0.64cvss 9.8epss 0.01
SQL Injection vulnerability in the module "Isotope" (pk_isotope) <=1.7.3 from Promokit.eu for PrestaShop allows attackers to obtain sensitive information and cause other impacts via `pk_isotope::saveData` and `pk_isotope::removeData` methods.
- risk 0.64cvss 9.8epss 0.00
In the module RSI PDF/HTML catalog evolution (prestapdf) <= 7.0.0 from RSI for PrestaShop, a guest can perform SQL injection via `PrestaPDFProductListModuleFrontController::queryDb().'
- risk 0.64cvss 9.8epss 0.01
SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the PreorderModel::getIdProductAttributesByIdAttributes() method.
- risk 0.64cvss 9.8epss 0.01
SQL Injection vulnerability in Prestaddons flashsales 1.9.7 and before allows an attacker to run arbitrary SQL commands via the FsModel::getFlashSales method.
- risk 0.64cvss 9.8epss 0.01
SQL Injection vulnerability in Helloshop deliveryorderautoupdate v.2.8.1 and before allows an attacker to run arbitrary SQL commands via the DeliveryorderautoupdateOrdersModuleFrontController::initContent function.
- risk 0.57cvss 8.8epss 0.00
A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled…
- risk 0.57cvss 8.8epss 0.00
A CRLF injection vulnerability in Neto CMS v6.313.0 through v6.314.0 allows attackers to execute arbitrary code via supplying a crafted HTTP request.
- risk 0.56cvss —epss 0.01
The ns_backup extension through 13.0.2 for TYPO3 allows command injection.
- risk 0.56cvss 8.6epss 0.00
The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference.
- risk 0.53cvss 8.8epss 0.02
Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open…
- risk 0.52cvss —epss 0.00
### Impact Lack of input validation of the Zendesk subdomain could expose users of the library to Server Side Request Forgery (SSRF). ### Resolution Validate the provided Zendesk subdomain to be a valid subdomain in: * getAuthUrl * getAccessToken
- risk 0.50cvss —epss 0.01
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The application constructs shell command strings using unsanitized input and executes them…
- risk 0.50cvss 8.8epss 0.00
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L…
- risk 0.50cvss 8.8epss 0.01
ai-client-html is an Aimeos e-commerce HTML client component. Debug information revealed sensitive information from environment variables in error log. This issue has been patched in versions 2024.04.7, 2023.10.15, 2022.10.13 and 2021.10.22.
- risk 0.49cvss 7.5epss 0.00
In the module "Axepta" (axepta) before 1.3.4 from Quadra Informatique for PrestaShop, a guest can download partial credit card information (expiry date) / postal address / email / etc. without restriction due to a lack of permissions control.
- risk 0.49cvss 7.5epss 0.01
ProQuality pqprintshippinglabels before v.4.15.0 is vulnerable to Directory Traversal via the pqprintshippinglabels module.
- risk 0.47cvss 7.3epss 0.00
Publii CMS v0.46.5 (build 17089) allows persistent Cross-Site Scripting (XSS) via unsanitized input in configuration fields such as "Site Description" and "Footer Follow Buttons". An attacker can inject arbitrary JavaScript, which is stored in the project and executed in the…
- risk 0.46cvss —epss 0.00
The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation…
- risk 0.42cvss 6.5epss 0.00
Laravel Nova 3.7.0 contains a denial of service vulnerability that allows authenticated users to crash the application by manipulating the 'range' parameter. Attackers can send simultaneous requests with an extremely high range value to overwhelm and crash the server.
- risk 0.42cvss 6.5epss 0.01
ThinkCMF X2.2.3 has an arbitrary file deletion vulnerability in do_avatar in \application\User\Controller\ProfileController.class.php via an imgurl parameter with a ..\ sequence. A member user can delete any file on a Windows server.
- risk 0.40cvss 7.2epss 0.01
Aimeos is an Open Source e-commerce framework for online shops. Starting in version 2024.01.1 and prior to version 2024.04.5, a user with administrative privileges can upload files that look like images but contain PHP code which can then be executed in the context of the web…
- risk 0.39cvss 7.1epss 0.00
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end.…
- risk 0.39cvss —epss 0.01
All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony WebProfiler bundle are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not…
- risk 0.39cvss —epss 0.01
All 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpKernel component are affected by this security issue. Your application is vulnerable only if the ESI feature is enabled and there is a proxy in front of the web application. This issue has been fixed in Symfony…
- risk 0.39cvss —epss 0.02
All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not…
- risk 0.39cvss —epss 0.01
When investigating issue [#11093](https://github.com/symfony/symfony/issues/11093), [Jeremy Derussé](https://connect.sensiolabs.com/profile/jderusse) found a serious code injection issue in the way Symfony implements translation caching in FrameworkBundle. - Your Symfony…
- risk 0.38cvss —epss 0.00
The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index.
- risk 0.35cvss 6.4epss 0.00
For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this…
- risk 0.35cvss 5.4epss 0.00
Multiple SQL injection vulnerabilities in the EuroInformation MoneticoPaiement module before 1.1.1 for PrestaShop allow remote attackers to execute arbitrary SQL commands via the TPE, societe, MAC, reference, or aliascb parameter to transaction.php, validation.php, or…
- risk 0.29cvss 5.5epss 0.00
Aimeos is an e-commerce framework. All SaaS and marketplace setups using the Aimeos GraphQL API admin interface version from 2024.04 up to 2024.07.1 are affected by a potential denial of service attack. Version 2024.07.2 fixes the issue.
- risk 0.29cvss 5.5epss 0.00
Aimeos is an Open Source e-commerce framework for online shops. All SaaS and marketplace setups using Aimeos version from 2022/2023/2024 are affected by a potential denial of service attack. Users should upgrade to versions 2022.10.17, 2023.10.17, or 2024.04 of the…
- risk 0.27cvss 5.3epss 0.01
The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g.…
- risk 0.26cvss —epss 0.00
backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Versions prior to 5.0.13, 4.1.69, and 4.0.63 are vulnerable to cross-site scripting. An attacker could conduct…
- risk 0.26cvss —epss 0.00
A cross-site scripting (XSS) vulnerability has been discovered in the Additional TCA extension. This vulnerabily is exploitable by a logged in backend user utilizing the TYPO3 backend user interface. This user can create output in the HTML context by exploiting improperly…
- risk 0.26cvss —epss 0.01
The extension fails to verify whether a specified content element identifier is permitted by the plugin. This enables an unauthenticated user to display various content elements, leading to an insecure direct object reference (IDOR) vulnerability with the potential to expose…
- risk 0.26cvss —epss 0.00
The extension fails to check access permissions for the edit user component. An authenticated frontend user can use the vulnerability to either edit data of various frontend users or to delete various frontend user accounts. Another missing access check in the backend module of…
- risk 0.19cvss —epss 0.01
All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, 2.5.X, and 2.6.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.27, 2.5.11, and 2.6.6. Note that no fixes are provided for Symfony 2.0, 2.1, 2.2, and 2.4 as…
- risk 0.19cvss —epss 0.01
All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not…
- risk 0.16cvss 2.4epss 0.00
A vulnerability has been found in Total.js CMS up to 19.9.0. This impacts an unknown function of the component Files Menu. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
- risk 0.16cvss 2.4epss 0.00
A vulnerability was found in Total.js CMS 1.0.0. Affected by this vulnerability is the function layouts_save of the file /admin/ of the component Layout Page. Performing manipulation of the argument HTML results in cross site scripting. It is possible to initiate the attack…
- CVE-2017-18357Jan 15, 2019risk 0.08cvss —epss 0.27
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.
- CVE-2019-9650Mar 11, 2019risk 0.03cvss —epss 0.03
An XSS issue was discovered in upcoming_events.php in the Upcoming Events plugin before 1.33 for MyBB via a crafted name for an event.
- CVE-2018-19799Dec 26, 2018risk 0.03cvss —epss 0.04
Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexport= XSS.
- CVE-2022-44276Jun 28, 2023risk 0.02cvss —epss 0.02
In Responsive Filemanager < 9.12.0, an attacker can bypass upload restrictions resulting in RCE.
- CVE-2026-56396Jun 21, 2026risk 0.00cvss —epss 0.00
phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with edit_user permission can set is_superadmin flag or grant arbitrary rights…
- CVE-2025-14840Jan 28, 2026risk 0.00cvss —epss 0.00
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing.This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1.
- CVE-2025-13980Jan 28, 2026risk 0.00cvss —epss 0.00
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before…
Page 1 of 2