VYPR

Vendor: E107

Products: 1
CVEs: 89
Across products: 89
Status: Private

Recent CVEs: 89
  • CVE-2021-47937 | High | May 10, 2026
    risk 0.57 | cvss 8.8 | epss 0.01

    e107 CMS 2.3.0 contains a remote code execution vulnerability that allows authenticated users with theme installation permissions to execute arbitrary commands by uploading malicious theme files. Attackers can upload a crafted theme package through the theme.php endpoint that…

  • CVE-2018-15901 | High | Aug 28, 2018
    risk 0.57 | cvss 8.8 | epss 0.01

    e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing details such as passwords of users including administrators.

  • CVE-2008-2020 | High | Apr 30, 2008
    risk 0.49 | cvss 7.5 | epss 0.02

    The CAPTCHA implementation as used in (1) Francisco Burzi PHP-Nuke 7.0 and 8.1, (2) my123tkShop e-Commerce-Suite (aka 123tkShop) 0.9.1, (3) phpMyBitTorrent 1.2.2, (4) TorrentFlux 2.3, (5) e107 0.7.11, (6) WebZE 0.5.9, (7) Open Media Collectors Database (aka OpenDb) 1.5.0b4, and…

  • CVE-2016-10378 | High | May 29, 2017
    risk 0.47 | cvss 7.2 | epss 0.01

    e107 2.1.1 allows SQL injection by remote authenticated administrators via the pagelist parameter to e107_admin/menus.php, related to the menuSaveVisibility function.

  • CVE-2026-43935 | High | May 26, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks,…

  • CVE-2026-46620 | Medium | May 26, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    e107 is a content management system (CMS). Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem comes down to how session_handler::check() handles CSRF tokens. Instead of requiring a token on every state-changing…

  • CVE-2018-11127 | Medium | May 15, 2018
    risk 0.42 | cvss 6.5 | epss 0.01

    e107 2.1.7 has CSRF resulting in arbitrary user deletion.

  • CVE-2017-8098 | Medium | Apr 24, 2017
    risk 0.42 | cvss 6.5 | epss 0.01

    e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing. A malicious web page can use forged requests to make e107 download and install a plug-in provided by the attacker.

  • CVE-2018-16381 | Medium | Sep 5, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    e107 2.1.8 has XSS via the e107_admin/users.php?mode=main&action=list user_loginname parameter.

  • CVE-2026-43934 | Medium | May 26, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    e107 is a content management system (CMS). Prior to 2.3.4, a Broken Access Control vulnerability exists in the application, allowing an unauthorized authenticated user to edit comments posted by others. This stems from inadequate server-side access control validation, where the…

  • CVE-2025-11941 | Medium | Oct 19, 2025
    risk 0.35 | cvss 5.4 | epss 0.01

    A vulnerability was detected in e107 CMS up to 2.3.3. This impacts an unknown function of the file /e107_admin/image.php?mode=main&action=avatar of the component Avatar Handler. Performing manipulation of the argument multiaction[] results in path traversal. It is possible to…

  • CVE-2018-17081 | Medium | Sep 26, 2018
    risk 0.28 | cvss 4.3 | epss 0.01

    e107 2.1.9 allows CSRF via e107_admin/wmessage.php?mode=&action=inline&ajax_used=1&id= for changing the title of an arbitrary page.

  • CVE-2026-43936 | Medium | May 26, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    e107 is a content management system (CMS). Prior to 2.3.4, you can access the local environment by specifying the URL of the local environment from "Image/File URL:" of "From a remote location" in "Media Manager" on the administrator screen. This vulnerability is fixed in 2.3.4.

  • CVE-2004-2262 | Dec 31, 2004
    risk 0.04 | cvss n/a | epss 0.15

    ImageManager in e107 before 0.617 does not properly check the types of uploaded files, which allows remote attackers to execute arbitrary code by uploading a PHP file via the upload parameter to images.php.

  • CVE-2003-1191 | Oct 29, 2003
    risk 0.04 | cvss n/a | epss 0.08

    chatbox.php in e107 0.554 and 0.603 allows remote attackers to cause a denial of service (pages fail to load) via HTML in the Name field, which prevents the main.php form from being loaded.

  • CVE-2021-27885 | Mar 2, 2021
    risk 0.03 | cvss n/a | epss 0.03

    usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism.

  • CVE-2015-1057 | Jan 16, 2015
    risk 0.03 | cvss n/a | epss 0.03

    Cross-site scripting (XSS) vulnerability in usersettings.php in e107 2.0.0 allows remote attackers to inject arbitrary web script or HTML via the "Real Name" value.

  • CVE-2013-2750 | Jan 22, 2014
    risk 0.03 | cvss n/a | epss 0.03

    Cross-site scripting (XSS) vulnerability in e107_plugins/content/handlers/content_preset.php in e107 before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the query string.

  • CVE-2012-6434 | Jan 3, 2013
    risk 0.03 | cvss n/a | epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in e107_admin/download.php in e107 1.0.2 allow remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the (1) download_url, (2) download_url_extended, (3)…

  • CVE-2012-6433 | Jan 3, 2013
    risk 0.03 | cvss n/a | epss 0.02

    Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost.php in e107 1.0.1 allows remote attackers to hijack the authentication of administrators for requests that conduct XSS attacks via the news_title parameter in a create action.