VYPR

Vendor CVEs

Dedecms

All CVEs

170 total · sorted by risk
  • CVE-2017-17731 · Critical · Dec 18, 2017
    risk 0.65 · cvss 9.8 · epss 0.13

    DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.

  • CVE-2026-38615 · Critical · Jun 9, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    DedeCMS V5.7.118 is vulnerable to Command Execution in file_manage_control.php.

  • CVE-2026-30643 · Critical · Apr 1, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup tag values in a module upload.

  • CVE-2018-12045 · Critical · Jun 8, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    DedeCMS through V5.7SP2 allows arbitrary file upload in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=upload request with an upfile1 parameter, as demonstrated by uploading a .php file.

  • CVE-2018-10375 · Critical · Apr 25, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    A file uploading vulnerability exists in /include/helpers/upload.helper.php in DedeCMS V5.7 SP2, which can be utilized by attackers to upload and execute arbitrary PHP code via the /dede/archives_do.php?dopost=uploadLitpic litpic parameter when "Content-Type: image/jpeg" is…

  • CVE-2018-9175 · Critical · Apr 2, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the egroup parameter to uploads/dede/stepselect_main.php because code within the database is accessible to uploads/dede/sys_cache_up.php.

  • CVE-2018-9174 · Critical · Apr 2, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    sys_verifies.php in DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the refiles array parameter, because the contents of modifytmp.inc are under an attacker's control.

  • CVE-2017-17730 · Critical · Dec 18, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php.

  • CVE-2018-7700 · High · Mar 27, 2018
    risk 0.63 · cvss 8.8 · epss 0.75

    DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.

  • CVE-2018-16785 · High · Sep 19, 2018
    risk 0.57 · cvss 8.8 · epss 0.02

    XML injection vulnerability exists in the file of DedeCMS V5.7 SP2 version, which can be utilized by attackers to create a script file to obtain a webshell.

  • CVE-2018-9134 · High · Mar 30, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename action, as demonstrated by renaming an arbitrary file under uploads/userup to a .php file under the web root to achieve PHP code execution. This uses the oldfilename and newfilename parameters.

  • CVE-2017-17727 · High · Dec 18, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php.

  • CVE-2018-6910 · High · Feb 13, 2018
    risk 0.50 · cvss 7.5 · epss 0.19

    DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php.

  • CVE-2018-12046 · High · Jun 8, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    DedeCMS through 5.7SP2 allows arbitrary file write in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=newfile request with name and str parameters, as demonstrated by writing to a new .php file.

  • CVE-2026-10608 · High · Jun 2, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A security flaw has been discovered in DedeCMS 5.7.88. This affects the function RemoveXSS of the file /plus/carbuyaction.php. The manipulation of the argument postname/des results in sql injection. The attack may be launched remotely. The exploit has been released to the public…

  • CVE-2026-10607 · High · Jun 2, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A vulnerability was identified in DedeCMS 5.7.88. The impacted element is the function dede_htmlspecialchars of the file /plus/flink.php. The manipulation of the argument msg leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and…

  • CVE-2026-10606 · High · Jun 2, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A vulnerability was determined in DedeCMS 5.7.88. The affected element is the function TrimMsg of the file /plus/feedback.php of the component Feedback Handler. Executing a manipulation of the argument msg can lead to sql injection. The attack can be launched remotely. The…

  • CVE-2018-16784 · High · Sep 21, 2018
    risk 0.47 · cvss 7.2 · epss 0.02

    DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring.

  • CVE-2026-10581 · Medium · Jun 2, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A flaw has been found in DedeCMS 5.7.88. Affected by this vulnerability is the function base64_decode of the file /plus/download.php?open=1. This manipulation of the argument Link causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has…

  • CVE-2025-15004 · Medium · Dec 22, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was identified in DedeCMS up to 5.7.118. This impacts an unknown function of the file /freelist_main.php. The manipulation of the argument orderby leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might…

  • CVE-2018-16786 · Medium · Sep 21, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    DedeCMS 5.7 SP2 allows XSS via an onhashchange attribute in the msg parameter to /plus/feedback_ajax.php.

  • CVE-2025-6335 · Medium · Jun 20, 2025
    risk 0.31 · cvss 4.7 · epss 0.07

    A vulnerability was found in DedeCMS up to 5.7.2 and classified as critical. This issue affects some unknown processing of the file /include/dedetag.class.php of the component Template Handler. The manipulation of the argument notes leads to command injection. The attack may be…

  • CVE-2023-3578 · Jul 10, 2023
    risk 0.06 · cvss n/a · epss 0.03

    A vulnerability classified as critical was found in DedeCMS 5.7.109. Affected by this vulnerability is an unknown functionality of the file co_do.php. The manipulation of the argument rssurl leads to server-side request forgery. The exploit has been disclosed to the public and…

  • CVE-2015-4553 · Jan 6, 2020
    risk 0.06 · cvss n/a · epss 0.57

    A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users to get a shell.

  • CVE-2018-20129 · Dec 13, 2018
    risk 0.06 · cvss n/a · epss 0.08

    An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/select_images_post.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conjunction with the image/jpeg content type, as demonstrated by…

  • CVE-2023-2928 · May 27, 2023
    risk 0.05 · cvss n/a · epss 0.51

    A vulnerability was found in DedeCMS up to 5.7.106. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file uploads/dede/article_allowurl_edit.php. The manipulation of the argument allurls leads to code injection. The attack can…

  • CVE-2020-27533 · Oct 22, 2020
    risk 0.03 · cvss n/a · epss 0.03

    A Cross Site Scripting (XSS) issue was discovered in the search feature of DedeCMS v.5.8 that allows malicious users to inject code into web pages, and other users will be affected when viewing web pages.

  • CVE-2011-5200 · Sep 23, 2012
    risk 0.03 · cvss n/a · epss 0.02

    Multiple SQL injection vulnerabilities in DeDeCMS, possibly 5.6, allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) list.php, (2) members.php, or (3) book.php.

  • CVE-2009-3806 · Oct 27, 2009
    risk 0.03 · cvss n/a · epss 0.03

    SQL injection vulnerability in feedback_js.php in DedeCMS 5.1 allows remote attackers to execute arbitrary SQL commands via the arcurl parameter.

  • CVE-2024-57241 · Feb 11, 2025
    risk 0.02 · cvss n/a · epss 0.01

    Dedecms 5.71sp1 and earlier is vulnerable to URL redirect. In the web application, a logic error fails to validate the input GET request, resulting in URL redirection.

  • CVE-2019-8933 · Feb 19, 2019
    risk 0.02 · cvss n/a · epss 0.03

    In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template…

  • CVE-2023-36298 · Aug 3, 2023
    risk 0.01 · cvss n/a · epss 0.01

    DedeCMS v5.7.109 has a File Upload vulnerability, leading to remote code execution (RCE).

  • CVE-2022-44118 · Nov 23, 2022
    risk 0.01 · cvss n/a · epss 0.02

    dedecmdv6 v6.1.9 is vulnerable to Remote Code Execution (RCE) via file_manage_control.php.

  • CVE-2022-35516 · Aug 17, 2022
    risk 0.01 · cvss n/a · epss 0.02

    DedeCMS v5.7.93 - v5.7.96 was discovered to contain a remote code execution vulnerability in login.php.

  • CVE-2022-34531 · Jul 29, 2022
    risk 0.01 · cvss n/a · epss 0.23

    DedeCMS v5.7.95 was discovered to contain a remote code execution (RCE) vulnerability via the component mytag_ main.php.

  • CVE-2022-23337 · Feb 14, 2022
    risk 0.01 · cvss n/a · epss 0.02

    DedeCMS v5.7.87 was discovered to contain a SQL injection vulnerability in article_coonepage_rule.php via the ids parameter.

  • CVE-2018-18608 · Oct 23, 2018
    risk 0.01 · cvss n/a · epss 0.03

    DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php,…

  • CVE-2026-29839 · Mar 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php.

  • CVE-2026-30694 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.01

    An issue in DedeCMS v.5.7.118 and before allows a remote attacker to execute arbitrary code via the array_filter component.

  • CVE-2024-30855 · Dec 29, 2025
    risk 0.00 · cvss n/a · epss 0.00

    DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /src/dede/makehtml_list_action.php.

  • CVE-2025-5137 · May 25, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability was found in DedeCMS 5.7.117. It has been classified as critical. Affected is an unknown function of the file dede/sys_verifies.php?action=getfiles of the component Incomplete Fix CVE-2018-9175. The manipulation of the argument refiles leads to code injection. It…

  • CVE-2024-12183 · Dec 4, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability, which was classified as problematic, was found in DedeCMS 5.7.116. This affects the function RemoveXSS of the file /plus/carbuyaction.php of the component HTTP POST Request Handler. The manipulation leads to cross site scripting. It is possible to initiate the…

  • CVE-2024-12182 · Dec 4, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability, which was classified as problematic, has been found in DedeCMS 5.7.116. Affected by this issue is some unknown functionality of the file /member/soft_add.php. The manipulation of the argument body leads to cross site scripting. The attack may be launched…

  • CVE-2024-12181 · Dec 4, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability classified as problematic was found in DedeCMS 5.7.116. Affected by this vulnerability is an unknown functionality of the file /member/uploads_add.php of the component SWF File Handler. The manipulation of the argument mediatype leads to cross site scripting. The…

  • CVE-2024-12180 · Dec 4, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability classified as problematic has been found in DedeCMS 5.7.116. Affected is an unknown function of the file /member/article_add.php. The manipulation of the argument body leads to cross site scripting. It is possible to launch the attack remotely. The exploit has…

  • CVE-2024-11138 · Nov 12, 2024
    risk 0.00 · cvss n/a · epss 0.02

    A vulnerability classified as problematic has been found in DedeCMS 5.7.116. This affects an unknown part of the file /dede/uploads/dede/friendlink_add.php. The manipulation of the argument logoimg leads to unrestricted upload. It is possible to initiate the attack remotely. The…

  • CVE-2024-9076 · Sep 22, 2024
    risk 0.00 · cvss n/a · epss 0.21

    A vulnerability was found in DedeCMS up to 5.7.115. It has been rated as critical. This issue affects some unknown processing of the file /dede/article_string_mix.php. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been…

  • CVE-2024-46373 · Sep 18, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Dedecms V5.7.115 contains an arbitrary code execution via file upload vulnerability in the backend.

  • CVE-2024-46372 · Sep 18, 2024
    risk 0.00 · cvss n/a · epss 0.00

    DedeCMS 5.7.115 is vulnerable to Cross Site Scripting (XSS) via the advertisement code box in the advertisement management module.

  • CVE-2024-42636 · Aug 23, 2024
    risk 0.00 · cvss n/a · epss 0.01

    DedeCMS V5.7.115 has a command execution vulnerability via file_manage_view.php?fmdo=newfile&activepath.

Page 1 of 4