Vendor CVEs
CSZ CMS
All CVEs
31 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-13086 | Cri | 0.66 | 9.8 | 0.32 | Jun 30, 2019 | core/MY_Security.php in CSZ CMS 1.2.2 before 2019-06-20 has member/login/check SQL injection by sending a crafted HTTP User-Agent header and omitting the csrf_csz parameter. | ||
| CVE-2024-25414 | Cri | 0.64 | 9.8 | 0.02 | Feb 16, 2024 | An arbitrary file upload vulnerability in /admin/upgrade of CSZ CMS v1.3.0 allows attackers to execute arbitrary code via uploading a crafted Zip file. | ||
| CVE-2022-27165 | Cri | 0.64 | 9.8 | 0.01 | Apr 12, 2022 | CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Plugin_manager_setstatus | ||
| CVE-2022-27164 | Cri | 0.64 | 9.8 | 0.01 | Apr 12, 2022 | CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Users_viewUsers | ||
| CVE-2022-27163 | Cri | 0.64 | 9.8 | 0.01 | Apr 12, 2022 | CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Users_editUser | ||
| CVE-2022-27162 | Cri | 0.64 | 9.8 | 0.01 | Apr 12, 2022 | CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Members_editUser | ||
| CVE-2022-27161 | Cri | 0.64 | 9.8 | 0.01 | Apr 12, 2022 | Csz Cms 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Members_viewUsers | ||
| CVE-2021-46377 | Cri | 0.64 | 9.8 | 0.01 | Jan 27, 2022 | There is a front-end sql injection vulnerability in cszcms 1.2.9 via cszcms/controllers/Member.php#viewUser | ||
| CVE-2020-21250 | Cri | 0.64 | 9.8 | 0.01 | Oct 27, 2021 | CSZ CMS v1.2.4 was discovered to contain an arbitrary file upload vulnerability in the component /core/MY_Security.php. | ||
| CVE-2019-15524 | Cri | 0.64 | 9.8 | 0.03 | Aug 26, 2019 | CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a .php file to admin/filemanager in the File Management Module, which leads to remote code execution by visiting a photo/upload/2019/ URI. | ||
| CVE-2021-37144 | Cri | 0.59 | 9.1 | 0.01 | Jul 30, 2021 | CSZ CMS 1.2.9 is vulnerable to Arbitrary File Deletion. This occurs in PHP when the unlink() function is called and user input might affect portions of or the whole affected parameter, which represents the path of the file to remove, without sufficient sanitization. | ||
| CVE-2020-19786 | Hig | 0.57 | 8.8 | 0.01 | Mar 23, 2023 | File upload vulnerability in CSKaza CSZ CMS v.1.2.2 fixed in v1.2.4 allows attacker to execute aritrary commands and code via crafted PHP file. | ||
| CVE-2019-7566 | Hig | 0.57 | 8.8 | 0.01 | Feb 7, 2019 | CSZ CMS 1.1.8 has CSRF via admin/users/new/add. | ||
| CVE-2020-36136 | Hig | 0.49 | 7.5 | 0.01 | Aug 11, 2023 | SQL Injection vulnerability in cskaza cszcms version 1.2.9, allows attackers to gain sensitive information via pm_sendmail parameter in csz_model.php. | ||
| CVE-2021-43701 | Med | 0.46 | 6.5 | 0.03 | Mar 29, 2022 | CSZ CMS 1.2.9 has a Time and Boolean-based Blind SQL Injection vulnerability in the endpoint /admin/export/getcsv/article_db, via the fieldS[] and orderby parameters. | ||
| CVE-2024-27734 | Med | 0.40 | 6.1 | 0.00 | Mar 1, 2024 | A Cross Site Scripting vulnerability in CSZ CMS v.1.3.0 allows an attacker to execute arbitrary code via a crafted script to the Site Name fields of the Site Settings component. | ||
| CVE-2023-41601 | Med | 0.40 | 6.1 | 0.00 | Sep 6, 2023 | Multiple cross-site scripting (XSS) vulnerabilities in install/index.php of CSZ CMS v1.3.0 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Database Username or Database Host parameters. | ||
| CVE-2023-38910 | Med | 0.40 | 6.1 | 0.00 | Aug 18, 2023 | CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Wiget' section and choosing our carousel widget created above, in 'Photo URL' and 'YouTube URL' plugin. | ||
| CVE-2024-27752 | Med | 0.35 | 5.4 | 0.01 | Apr 19, 2024 | Cross Site Scripting vulnerability in CSZ CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the Default Keyword field in the settings function. | ||
| CVE-2023-39599 | Med | 0.35 | 5.4 | 0.00 | Aug 22, 2023 | Cross-Site Scripting (XSS) vulnerability in CSZ CMS v.1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Social Settings parameter. | ||
| CVE-2023-38911 | Med | 0.35 | 5.4 | 0.00 | Aug 18, 2023 | A Cross-Site Scripting (XSS) vulnerability in CSZ CMS 1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Gallery parameter in the YouTube URL fields. | ||
| CVE-2020-25392 | Med | 0.35 | 5.4 | 0.00 | Jul 9, 2021 | A cross site scripting (XSS) vulnerability in CSZ CMS 1.2.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'New Article' field under the 'Article' plugin. | ||
| CVE-2020-25391 | Med | 0.35 | 5.4 | 0.00 | Jul 9, 2021 | A cross site scripting vulnerability in CSZ CMS 1.2.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'New Pages' field under the 'Pages Content' module. | ||
| CVE-2021-26776 | Med | 0.35 | 5.4 | 0.01 | Mar 11, 2021 | CSZ CMS 1.2.9 is affected by a cross-site scripting (XSS) vulnerability in multiple pages through the field name. | ||
| CVE-2021-3224 | Med | 0.35 | 5.4 | 0.01 | Mar 10, 2021 | A stored cross-site scripting (XSS) vulnerability in cszcms 1.2.9 exists in /admin/pages/new via the content parameter. | ||
| CVE-2021-47737 | 0.00 | — | 0.00 | Dec 23, 2025 | CSZ CMS 1.2.7 contains an HTML injection vulnerability that allows authenticated users to insert malicious hyperlinks in message titles. Attackers can craft POST requests to the member messaging system with HTML-based links to potentially conduct phishing or social engineering… | |||
| CVE-2021-47738 | 0.00 | — | 0.00 | Dec 23, 2025 | CSZ CMS 1.2.7 contains a persistent cross-site scripting vulnerability that allows unauthorized users to embed malicious JavaScript in private messages. Attackers can send messages with script payloads in the user-agent header, which will execute when an admin views the message… | |||
| CVE-2024-58307 | 0.00 | — | 0.00 | Dec 11, 2025 | CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries. Attackers can inject malicious SQL code through the view parameter to potentially execute time-based blind SQL… | |||
| CVE-2025-63608 | 0.00 | — | 0.00 | Oct 30, 2025 | A SQL injection vulnerability exists in CSZ-CMS <=1.3.0 in the Form Builder view functionality. The vulnerability is located in the field parameter of the form viewing feature, allowing authenticated administrators to execute arbitrary SQL queries. | |||
| CVE-2025-29084 | 0.00 | — | 0.00 | Sep 23, 2025 | SQL Injection vulnerability in CSZ-CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the execSqlFile function in the Upgrade.php file. | |||
| CVE-2025-29083 | 0.00 | — | 0.00 | Sep 23, 2025 | SQL Injection vulnerability in CSZ-CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the execSqlFile function in the Plugin_Manager.php file. |
- risk 0.66cvss 9.8epss 0.32
core/MY_Security.php in CSZ CMS 1.2.2 before 2019-06-20 has member/login/check SQL injection by sending a crafted HTTP User-Agent header and omitting the csrf_csz parameter.
- risk 0.64cvss 9.8epss 0.02
An arbitrary file upload vulnerability in /admin/upgrade of CSZ CMS v1.3.0 allows attackers to execute arbitrary code via uploading a crafted Zip file.
- risk 0.64cvss 9.8epss 0.01
CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Plugin_manager_setstatus
- risk 0.64cvss 9.8epss 0.01
CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Users_viewUsers
- risk 0.64cvss 9.8epss 0.01
CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Users_editUser
- risk 0.64cvss 9.8epss 0.01
CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Members_editUser
- risk 0.64cvss 9.8epss 0.01
Csz Cms 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Members_viewUsers
- risk 0.64cvss 9.8epss 0.01
There is a front-end sql injection vulnerability in cszcms 1.2.9 via cszcms/controllers/Member.php#viewUser
- risk 0.64cvss 9.8epss 0.01
CSZ CMS v1.2.4 was discovered to contain an arbitrary file upload vulnerability in the component /core/MY_Security.php.
- risk 0.64cvss 9.8epss 0.03
CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a .php file to admin/filemanager in the File Management Module, which leads to remote code execution by visiting a photo/upload/2019/ URI.
- risk 0.59cvss 9.1epss 0.01
CSZ CMS 1.2.9 is vulnerable to Arbitrary File Deletion. This occurs in PHP when the unlink() function is called and user input might affect portions of or the whole affected parameter, which represents the path of the file to remove, without sufficient sanitization.
- risk 0.57cvss 8.8epss 0.01
File upload vulnerability in CSKaza CSZ CMS v.1.2.2 fixed in v1.2.4 allows attacker to execute aritrary commands and code via crafted PHP file.
- risk 0.57cvss 8.8epss 0.01
CSZ CMS 1.1.8 has CSRF via admin/users/new/add.
- risk 0.49cvss 7.5epss 0.01
SQL Injection vulnerability in cskaza cszcms version 1.2.9, allows attackers to gain sensitive information via pm_sendmail parameter in csz_model.php.
- risk 0.46cvss 6.5epss 0.03
CSZ CMS 1.2.9 has a Time and Boolean-based Blind SQL Injection vulnerability in the endpoint /admin/export/getcsv/article_db, via the fieldS[] and orderby parameters.
- risk 0.40cvss 6.1epss 0.00
A Cross Site Scripting vulnerability in CSZ CMS v.1.3.0 allows an attacker to execute arbitrary code via a crafted script to the Site Name fields of the Site Settings component.
- risk 0.40cvss 6.1epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in install/index.php of CSZ CMS v1.3.0 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Database Username or Database Host parameters.
- risk 0.40cvss 6.1epss 0.00
CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Wiget' section and choosing our carousel widget created above, in 'Photo URL' and 'YouTube URL' plugin.
- risk 0.35cvss 5.4epss 0.01
Cross Site Scripting vulnerability in CSZ CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the Default Keyword field in the settings function.
- risk 0.35cvss 5.4epss 0.00
Cross-Site Scripting (XSS) vulnerability in CSZ CMS v.1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Social Settings parameter.
- risk 0.35cvss 5.4epss 0.00
A Cross-Site Scripting (XSS) vulnerability in CSZ CMS 1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Gallery parameter in the YouTube URL fields.
- risk 0.35cvss 5.4epss 0.00
A cross site scripting (XSS) vulnerability in CSZ CMS 1.2.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'New Article' field under the 'Article' plugin.
- risk 0.35cvss 5.4epss 0.00
A cross site scripting vulnerability in CSZ CMS 1.2.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'New Pages' field under the 'Pages Content' module.
- risk 0.35cvss 5.4epss 0.01
CSZ CMS 1.2.9 is affected by a cross-site scripting (XSS) vulnerability in multiple pages through the field name.
- risk 0.35cvss 5.4epss 0.01
A stored cross-site scripting (XSS) vulnerability in cszcms 1.2.9 exists in /admin/pages/new via the content parameter.
- CVE-2021-47737Dec 23, 2025risk 0.00cvss —epss 0.00
CSZ CMS 1.2.7 contains an HTML injection vulnerability that allows authenticated users to insert malicious hyperlinks in message titles. Attackers can craft POST requests to the member messaging system with HTML-based links to potentially conduct phishing or social engineering…
- CVE-2021-47738Dec 23, 2025risk 0.00cvss —epss 0.00
CSZ CMS 1.2.7 contains a persistent cross-site scripting vulnerability that allows unauthorized users to embed malicious JavaScript in private messages. Attackers can send messages with script payloads in the user-agent header, which will execute when an admin views the message…
- CVE-2024-58307Dec 11, 2025risk 0.00cvss —epss 0.00
CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries. Attackers can inject malicious SQL code through the view parameter to potentially execute time-based blind SQL…
- CVE-2025-63608Oct 30, 2025risk 0.00cvss —epss 0.00
A SQL injection vulnerability exists in CSZ-CMS <=1.3.0 in the Form Builder view functionality. The vulnerability is located in the field parameter of the form viewing feature, allowing authenticated administrators to execute arbitrary SQL queries.
- CVE-2025-29084Sep 23, 2025risk 0.00cvss —epss 0.00
SQL Injection vulnerability in CSZ-CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the execSqlFile function in the Upgrade.php file.
- CVE-2025-29083Sep 23, 2025risk 0.00cvss —epss 0.00
SQL Injection vulnerability in CSZ-CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the execSqlFile function in the Plugin_Manager.php file.