VYPR
Vendor: Alfresco

Products: 9
CVEs: 38
Across products: 43
Status: Private

Recent CVEs (38)

  • CVE-2024-29309 | High | May 2, 2024
    risk 0.50 | cvss 7.7 | epss 0.01

    An issue in Alfresco Content Services v.23.3.0.7 allows a remote attacker to execute arbitrary code via the Transfer Service.

  • CVE-2026-3967 | Medium | Mar 12, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process…

  • CVE-2019-25367 | Medium | Feb 15, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface (index.html) through search, user management, and API parameters. Attackers can inject scripts via parameters in /_db/_system/_admin/aardvark/index.html…

  • CVE-2025-0557 | Medium | Jan 18, 2025
    risk 0.28 | cvss 4.3 | epss 0.01

    A vulnerability classified as problematic has been found in Hyland Alfresco Community Edition and Alfresco Enterprise Edition up to 6.2.2. This affects an unknown part of the file /share/s/ of the component URL Handler. The manipulation leads to cross site scripting. It is…

  • CVE-2025-12547 | Low | Oct 31, 2025
    risk 0.24 | cvss 3.7 | epss 0.01

    A vulnerability was identified in LogicalDOC Community Edition up to 9.2.1. This vulnerability affects unknown code of the file /login.jsp of the component Admin Login Page. Such manipulation leads to improper restriction of excessive authentication attempts. The attack can be…

  • CVE-2025-12546 | Low | Oct 31, 2025
    risk 0.23 | cvss 3.5 | epss 0.00

    A vulnerability was determined in LogicalDOC Community Edition up to 9.2.1. This affects an unknown part of the component API Key creation UI. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed…

  • CVE-2025-11946 | Low | Oct 19, 2025
    risk 0.23 | cvss 3.5 | epss 0.00

    A security flaw has been discovered in LogicalDOC Community Edition up to 9.2.1. This issue affects some unknown processing of the file /frontend.jsp of the component Add Contact Page. Performing manipulation of the argument First Name/Last Name/Company/Address/Phone/Mobile…

  • CVE-2019-14223 | Sep 6, 2019
    risk 0.04 | epss 0.04

    An issue was discovered in Alfresco Community Edition versions below 5.2.6, 6.0.N and 6.1.N. The Alfresco Share application is vulnerable to an Open Redirect attack via a crafted POST request. By manipulating the POST parameters, an attacker can redirect a victim to a malicious…

  • CVE-2020-8778 | Mar 2, 2020
    risk 0.03 | epss 0.03

    Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via an uploaded document, when the attacker has write access to a project.

  • CVE-2020-8777 | Mar 2, 2020
    risk 0.03 | epss 0.03

    Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via a user profile photo, as demonstrated by a SCRIPT element in an SVG document.

  • CVE-2020-8776 | Mar 2, 2020
    risk 0.03 | epss 0.03

    Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via the URL property of a file.

  • CVE-2014-9302 | Dec 7, 2014
    risk 0.03 | epss 0.02

    Server-side request forgery (SSRF) vulnerability in the cmisbrowser servlet in Content Management Interoperability Service (CMIS) in Alfresco Community Edition 5.0.a and earlier allows remote attackers to trigger outbound requests via a crafted URI in the url parameter.

  • CVE-2014-9301 | Dec 7, 2014
    risk 0.03 | epss 0.04

    Server-side request forgery (SSRF) vulnerability in the proxy servlet in Alfresco Community Edition before 5.0.a allows remote attackers to trigger outbound requests to intranet servers, conduct port scans, and read arbitrary files via a crafted URI in the endpoint parameter.

  • CVE-2026-26336 | Feb 19, 2026
    risk 0.00 | epss 0.00

    Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.

  • CVE-2025-57244 | Nov 5, 2025
    risk 0.00 | epss 0.00

    OpenKM Community Edition 6.3.12 is vulnerable to stored cross-site scripting (XSS) in the user account creation interface. The Name field accepts script tags and the Email field is vulnerable when the POST request is modified to include encoded script tags, by passing frontend…

  • CVE-2024-24506 | Apr 3, 2024
    risk 0.00 | epss 0.01

    Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attackers to execute arbitrary code via the Administrator email address parameter in the General Setting function.

  • CVE-2023-39003 | Aug 9, 2023
    risk 0.00 | epss 0.01

    OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 was discovered to contain insecure permissions in the directory /tmp.

  • CVE-2023-39004 | Aug 9, 2023
    risk 0.00 | epss 0.01

    Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allow attackers to access sensitive information (e.g., hashed root password) which could lead to privilege escalation.

  • CVE-2023-38060 | Jul 24, 2023
    risk 0.00 | epss 0.01

    Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to perform a host header injection for the ContentType header of the…

  • CVE-2023-1250 | Mar 20, 2023
    risk 0.00 | epss 0.00

    Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names. This…