VYPR

Vendor: Backdropcms

Products: 1
CVEs: 19
Across products: 19
Status: Private

Recent CVEs (19)
  • CVE-2026-45430 · High · May 12, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks.

  • CVE-2024-54123 · Medium · Nov 29, 2024
    risk 0.33 · cvss 6.1 · epss 0.00

    Backdrop CMS before 1.28.4 and 1.29.x before 1.29.2 allows XSS via an SVG document, if the SVG tag is allowed for a text format.

  • CVE-2023-31045 · Medium · Apr 24, 2023
    risk 0.24 · cvss 4.8 · epss 0.01

    A stored Cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored…

  • CVE-2025-71310 · Low · May 26, 2026
    risk 0.05 · cvss · epss 0.00

    The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an…

  • CVE-2025-25062 · Feb 3, 2025
    risk 0.03 · cvss · epss 0.02

    An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows a potential attacker to craft specialized HTML and JavaScript that may be…

  • CVE-2019-11358 · Apr 19, 2019
    risk 0.03 · cvss · epss 0.87

    jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

  • CVE-2025-44141 · Jun 26, 2025
    risk 0.00 · cvss · epss 0.00

    A Cross-Site Scripting (XSS) vulnerability exists in the node creation form of Backdrop CMS 1.30.

  • CVE-2025-25063 · Feb 3, 2025
    risk 0.00 · cvss · epss 0.00

    An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and…

  • CVE-2022-34530 · Aug 1, 2022
    risk 0.00 · cvss · epss 0.01

    An issue in the login and reset password functionality of Backdrop CMS v1.22.0 allows attackers to enumerate usernames via password reset requests and distinct responses returned based on usernames.

  • CVE-2022-24590 · Feb 15, 2022
    risk 0.00 · cvss · epss 0.01

    A stored cross-site scripting (XSS) vulnerability in the Add Link function of BackdropCMS v1.21.1 allows attackers to execute arbitrary web scripts or HTML.

  • CVE-2021-45268 · Feb 3, 2022
    risk 0.00 · cvss · epss 0.02

    A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows remote attackers to gain Remote Code Execution (RCE) on the hosting webserver by uploading a malicious add-on with a crafted PHP file. NOTE: the vendor disputes this because the attack…

  • CVE-2019-19900 · Dec 19, 2019
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying content type names in the content creation interface. An attacker could potentially craft a specialized content type name, then have an…

  • CVE-2019-19902 · Dec 19, 2019
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It allows the upload of entire-site configuration archives through the user interface or command line. It does not sufficiently check uploaded archives for invalid data, allowing…

  • CVE-2019-19903 · Dec 19, 2019
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Backdrop CMS 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying file type descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when…

  • CVE-2019-19901 · Dec 19, 2019
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying certain block descriptions created by administrators. An attacker could potentially craft a specialized description, then have an…

  • CVE-2019-14769 · Aug 8, 2019
    risk 0.00 · cvss · epss 0.01

    Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators. An attacker could potentially craft a specialized label, then have an administrator execute scripting when administering…

  • CVE-2019-14770 · Aug 8, 2019
    risk 0.00 · cvss · epss 0.01

    In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. (This issue is mitigated by the attacker needing permissions…

  • CVE-2019-14771 · Aug 8, 2019
    risk 0.00 · cvss · epss 0.03

    Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 allows the upload of entire-site configuration archives through the user interface or command line. It does not sufficiently check uploaded archives for invalid data, potentially allowing non-configuration scripts to be…

  • CVE-2018-1000813 · Dec 20, 2018
    risk 0.00 · cvss · epss 0.01

    Backdrop CMS version 1.11.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in the sanitization of custom class names used on blocks and layouts that can result in execution of JavaScript from an unexpected source. This attack appears to be exploitable via a user…