Vendor CVEs
Aimeos
All CVEs
83 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-59117 | | | 0.00 | — | 0.00 | | Nov 18, 2025 | Windu CMS is vulnerable to multiple Stored Cross-Site Scripting (XSS) vulnerabilities in the page editing endpoint windu/admin/content/pages/edit/. This vulnerability can be exploited by a privileged user and may target users with higher privileges. Only version 4.1 was tested… |
| CVE-2025-59110 | | | 0.00 | — | 0.00 | | Nov 18, 2025 | Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. The implemented CSRF protection mechanism can be bypassed by using the CSRF token of another user. It is worth noting that registration is open and anyone can create an account. Only version 4.1 was… |
| CVE-2025-60574 | | | 0.00 | — | 0.00 | | Nov 7, 2025 | A Local File Inclusion (LFI) vulnerability has been identified in tQuadra CMS 4.2.1117. The issue exists in the "/styles/" path, which fails to properly sanitize user-supplied input. An attacker can exploit this by sending a crafted GET request to retrieve arbitrary files from… |
| CVE-2025-63593 | | | 0.00 | — | 0.00 | | Nov 3, 2025 | Grav CMS 1.7.49.5 is vulnerable to Cross Site Scripting (XSS). |
| CVE-2025-60454 | | | 0.00 | — | 0.00 | | Oct 3, 2025 | A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the image management module, specifically in the app\system\img\admin\img_admin.class.php component. The vulnerability allows attackers to upload… |
| CVE-2025-7065 | | | 0.00 | — | 0.01 | | Sep 30, 2025 | Due to a client-controlled permission check parameter, PAD CMS's photo upload functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue affects all… |
| CVE-2024-48341 | | | 0.00 | — | 0.00 | | Sep 8, 2025 | dingfanzu CMS V1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/doAdminAction.php?act=addShop |
| CVE-2024-39319 | | | 0.00 | — | 0.00 | | Sep 26, 2024 | aimeos/ai-controller-frontend is the Aimeos frontend controller package for e-commerce projects. Prior to versions 2024.4.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, an insecure direct object reference allows an attacker to disable subscriptions and reviews of another… |
| CVE-2024-39325 | | | 0.00 | — | 0.00 | | Jul 2, 2024 | aimeos/ai-controller-frontend is the Aimeos frontend controller. Prior to versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, aimeos/ai-controller-frontend doesn't reset the payment status of a user's basket after the user completes a purchase. Versions… |
| CVE-2024-39322 | | | 0.00 | — | 0.00 | | Jul 2, 2024 | aimeos/ai-admin-jsonadm is the Aimeos e-commerce JSON API for administrative tasks. In versions prior to 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2, improper access control allows editors to remove admin group and locale configuration in the Aimeos backend.… |
| CVE-2024-39324 | | | 0.00 | — | 0.00 | | Jul 2, 2024 | aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows editors to manage their own services via the GraphQL API, which isn't allowed in the JQAdm front end.… |
| CVE-2023-39096 | | | 0.00 | — | 0.00 | | Aug 3, 2023 | WebBoss.io CMS v3.7.0.1 contains a stored Cross-Site Scripting (XSS) vulnerability due to lack of input validation and output encoding. |
| CVE-2023-34916 | | | 0.00 | — | 0.00 | | Jul 31, 2023 | Fuge CMS v1.0 contains an Open Redirect vulnerability via /front/ProcessAct.java. |
| CVE-2023-34917 | | | 0.00 | — | 0.00 | | Jul 31, 2023 | Fuge CMS v1.0 contains an Open Redirect vulnerability in member/RegisterAct.java. |
| CVE-2023-37742 | | | 0.00 | — | 0.00 | | Jul 21, 2023 | WebBoss.io CMS before v3.7.0.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability. |
| CVE-2023-36339 | | | 0.00 | — | 0.00 | | Jul 21, 2023 | An access control issue in WebBoss.io CMS v3.7.0.1 allows attackers to access the Website Backup Tool via a crafted GET request. |
| CVE-2023-3785 | | | 0.00 | — | 0.01 | | Jul 20, 2023 | A vulnerability was found in PaulPrinting CMS 2018. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation of the argument firstname/lastname/address/city/state leads to cross site scripting. The attack may be launched remotely.… |
| CVE-2022-46604 | | | 0.00 | — | 0.09 | | Feb 2, 2023 | An issue in Tecrail Responsive FileManager v9.9.5 and below allows attackers to bypass the file extension check mechanism and upload a crafted PHP file, leading to arbitrary code execution. |
| CVE-2022-24381 | | | 0.00 | — | 0.01 | | Aug 23, 2022 | All versions of package asneg/opcuastack are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks, per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number… |
| CVE-2022-25302 | | | 0.00 | — | 0.01 | | Aug 23, 2022 | All versions of package asneg/opcuastack are vulnerable to Denial of Service (DoS) due to a missing handler for failed casting when unvalidated data is forwarded to the boost::get function in OpcUaNodeIdBase.h. Exploiting this vulnerability is possible when sending a specifically… |
| CVE-2017-20145 | | | 0.00 | — | 0.01 | | Jul 25, 2022 | A vulnerability was found in Tecrail Responsive Filemanager up to 9.10.x and classified as critical. The manipulation leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 9.11.0 is able to… |
| CVE-2020-11106 | | | 0.00 | — | 0.01 | | Mar 30, 2020 | An issue was discovered in Responsive Filemanager through 9.14.0. In the dialog.php page, the session variable $_SESSION['RF']["view_type"] wasn't sanitized if it was already set. This made stored XSS possible if one opens ajax_calls.php and uses the "view" action and places a… |
| CVE-2018-20795 | | | 0.00 | — | 0.03 | | Feb 25, 2019 | tecrail Responsive FileManager 9.13.4 allows remote attackers to read arbitrary files via path traversal with the path parameter, through the copy_cut action in ajax_calls.php and the paste_clipboard action in execute.php. |
| CVE-2018-20789 | | | 0.00 | — | 0.04 | | Feb 25, 2019 | tecrail Responsive FileManager 9.13.4 allows remote attackers to delete an arbitrary directory as a consequence of a paths[0] path traversal mitigation bypass through the delete_folder action in execute.php. |
| CVE-2018-20791 | | | 0.00 | — | 0.01 | | Feb 25, 2019 | tecrail Responsive FileManager 9.13.4 allows XSS via a media file upload with an XSS payload in the name, because of mishandling of the media_preview action. |
| CVE-2018-20792 | | | 0.00 | — | 0.03 | | Feb 25, 2019 | tecrail Responsive FileManager 9.13.4 allows remote attackers to read arbitrary files via path traversal with the path parameter, through the get_file action in ajax_calls.php. |
| CVE-2018-20793 | | | 0.00 | — | 0.05 | | Feb 25, 2019 | tecrail Responsive FileManager 9.13.4 allows remote attackers to write to an arbitrary file as a consequence of a paths[0] path traversal mitigation bypass, through the create_file action in execute.php. |
| CVE-2018-20794 | | | 0.00 | — | 0.04 | | Feb 25, 2019 | tecrail Responsive FileManager 9.13.4 allows remote attackers to write to an arbitrary image file (jpg/jpeg/png) via path traversal with the path parameter, through the save_img action in ajax_calls.php. |
| CVE-2018-20790 | | | 0.00 | — | 0.04 | | Feb 25, 2019 | tecrail Responsive FileManager 9.13.4 allows remote attackers to delete an arbitrary file as a consequence of a paths[0] path traversal mitigation bypass through the delete_file action in execute.php. |
| CVE-2018-20713 | | | 0.00 | — | 0.01 | | Jan 15, 2019 | Shopware before 5.4.3 allows SQL Injection by remote authenticated users, aka SW-21404. |
| CVE-2018-18867 | | | 0.00 | — | 0.01 | | Oct 31, 2018 | An SSRF issue was discovered in tecrail Responsive FileManager 9.13.4 via the upload.php url parameter. NOTE: this issue exists because of an incomplete fix for CVE-2018-15495. |
| CVE-2018-18061 | | | 0.00 | — | 0.01 | | Oct 10, 2018 | An issue was discovered in dialog.php in tecrail Responsive FileManager 9.8.1. Attackers can access the file manager interface that provides them with the ability to upload and delete files. |
| CVE-2018-18062 | | | 0.00 | — | 0.01 | | Oct 10, 2018 | An issue was discovered in dialog.php in tecrail Responsive FileManager 9.8.1. A reflected XSS vulnerability allows remote attackers to inject arbitrary web script or HTML. |
Page 2 of 2