E107

All CVEs

89 total · sorted by risk
  • CVE-2021-47937 · High · May 10, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    e107 CMS 2.3.0 contains a remote code execution vulnerability that allows authenticated users with theme installation permissions to execute arbitrary commands by uploading malicious theme files. Attackers can upload a crafted theme package through the theme.php endpoint that…

  • CVE-2016-10753 · High · May 24, 2019
    risk 0.57 · cvss 8.8 · epss 0.02

    e107 2.1.2 allows PHP Object Injection with resultant SQL injection, because usersettings.php uses unserialize without an HMAC.

  • CVE-2018-15901 · High · Aug 28, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing details such as passwords of users including administrators.

  • CVE-2008-2020 · High · Apr 30, 2008
    risk 0.49 · cvss 7.5 · epss 0.02

    The CAPTCHA implementation as used in (1) Francisco Burzi PHP-Nuke 7.0 and 8.1, (2) my123tkShop e-Commerce-Suite (aka 123tkShop) 0.9.1, (3) phpMyBitTorrent 1.2.2, (4) TorrentFlux 2.3, (5) e107 0.7.11, (6) WebZE 0.5.9, (7) Open Media Collectors Database (aka OpenDb) 1.5.0b4, and…

  • CVE-2016-10378 · High · May 29, 2017
    risk 0.47 · cvss 7.2 · epss 0.01

    e107 2.1.1 allows SQL injection by remote authenticated administrators via the pagelist parameter to e107_admin/menus.php, related to the menuSaveVisibility function.

  • CVE-2026-43935 · High · May 26, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks,…

  • CVE-2026-46620 · Medium · May 26, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    e107 is a content management system (CMS). Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem comes down to how session_handler::check() handles CSRF tokens. Instead of requiring a token on every state-changing…

  • CVE-2018-11127 · Medium · May 15, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    e107 2.1.7 has CSRF resulting in arbitrary user deletion.

  • CVE-2017-8098 · Medium · Apr 24, 2017
    risk 0.42 · cvss 6.5 · epss 0.01

    e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing. A malicious web page can use forged requests to make e107 download and install a plug-in provided by the attacker.

  • CVE-2018-11734 · Medium · Jul 10, 2019
    risk 0.40 · cvss 6.1 · epss 0.01

    In e107 v2.1.7, output without filtering results in XSS.

  • CVE-2018-16381 · Medium · Sep 5, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    e107 2.1.8 has XSS via the e107_admin/users.php?mode=main&action=list user_loginname parameter.

  • CVE-2026-43934 · Medium · May 26, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    e107 is a content management system (CMS). Prior to 2.3.4, a Broken Access Control vulnerability exists in the application, allowing an unauthorized authenticated user to edit comments posted by others. This stems from inadequate server-side access control validation, where the…

  • CVE-2025-11941 · Medium · Oct 19, 2025
    risk 0.35 · cvss 5.4 · epss 0.01

    A vulnerability was detected in e107 CMS up to 2.3.3. This impacts an unknown function of the file /e107_admin/image.php?mode=main&action=avatar of the component Avatar Handler. Performing manipulation of the argument multiaction[] results in path traversal. It is possible to…

  • CVE-2023-43874 · Medium · Sep 28, 2023
    risk 0.35 · cvss 5.4 · epss 0.01

    Multiple Cross Site Scripting (XSS) vulnerabilities in e107 CMS v.2.3.2 allow a local attacker to execute arbitrary code via a crafted script to the Copyright and Author fields in the Meta & Custom Tags Menu.

  • CVE-2023-43873 · Medium · Sep 28, 2023
    risk 0.35 · cvss 5.4 · epss 0.00

    A Cross Site Scripting (XSS) vulnerability in e107 CMS v.2.3.2 allows a local attacker to execute arbitrary code via a crafted script to the Name field in the Manage Menu.

  • CVE-2023-36121 · Medium · Aug 2, 2023
    risk 0.35 · cvss 5.4 · epss 0.01

    Cross Site Scripting vulnerability in e107 v.2.3.2 allows a remote attacker to execute arbitrary code via the description function in the SEO project.

  • CVE-2018-17423 · Medium · Jun 19, 2019
    risk 0.31 · cvss 4.8 · epss 0.01

    An issue was discovered in e107 v2.1.9. There is an XSS attack on e107_admin/comment.php.

  • CVE-2018-17081 · Medium · Sep 26, 2018
    risk 0.28 · cvss 4.3 · epss 0.01

    e107 2.1.9 allows CSRF via e107_admin/wmessage.php?mode=&action=inline&ajax_used=1&id= for changing the title of an arbitrary page.

  • CVE-2026-43936 · Medium · May 26, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    e107 is a content management system (CMS). Prior to 2.3.4, you can access the local environment by specifying the URL of the local environment from "Image/File URL:" of "From a remote location" in "Media Manager" on the administrator screen. This vulnerability is fixed in 2.3.4.

  • CVE-2004-2262 · Dec 31, 2004
    risk 0.04 · cvss n/a · epss 0.15

    ImageManager in e107 before 0.617 does not properly check the types of uploaded files, which allows remote attackers to execute arbitrary code by uploading a PHP file via the upload parameter to images.php.

  • CVE-2003-1191 · Oct 29, 2003
    risk 0.04 · cvss n/a · epss 0.08

    chatbox.php in e107 0.554 and 0.603 allows remote attackers to cause a denial of service (pages fail to load) via HTML in the Name field, which prevents the main.php form from being loaded.

  • CVE-2021-27885 · High · Mar 2, 2021
    risk 0.03 · cvss 8.8 · epss 0.03

    usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism.

  • CVE-2015-1057 · Jan 16, 2015
    risk 0.03 · cvss n/a · epss 0.03

    Cross-site scripting (XSS) vulnerability in usersettings.php in e107 2.0.0 allows remote attackers to inject arbitrary web script or HTML via the "Real Name" value.

  • CVE-2013-2750 · Jan 22, 2014
    risk 0.03 · cvss n/a · epss 0.03

    Cross-site scripting (XSS) vulnerability in e107_plugins/content/handlers/content_preset.php in e107 before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the query string.

  • CVE-2012-6434 · Jan 3, 2013
    risk 0.03 · cvss n/a · epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in e107_admin/download.php in e107 1.0.2 allow remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the (1) download_url, (2) download_url_extended, (3)…

  • CVE-2012-6433 · Jan 3, 2013
    risk 0.03 · cvss n/a · epss 0.02

    Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost.php in e107 1.0.1 allows remote attackers to hijack the authentication of administrators for requests that conduct XSS attacks via the news_title parameter in a create action.

  • CVE-2011-5186 · Sep 20, 2012
    risk 0.03 · cvss n/a · epss 0.01

    Cross-site scripting (XSS) vulnerability in jbshop.php in the jbShop plugin for e107 7 allows remote attackers to inject arbitrary web script or HTML via the item_id parameter.

  • CVE-2011-1513 · Nov 4, 2011
    risk 0.03 · cvss n/a · epss 0.06

    Static code injection vulnerability in install_.php in e107 CMS 0.7.24 and probably earlier versions, when the installation script is not removed, allows remote attackers to inject arbitrary PHP code into e107_config.php via a crafted MySQL server name.

  • CVE-2010-2099 · May 27, 2010
    risk 0.03 · cvss n/a · epss 0.05

    bbcode/php.bb in e107 0.7.20 and earlier does not perform access control checks for all inputs that could contain the php bbcode tag, which allows remote attackers to execute arbitrary PHP code, as demonstrated using the toEmail method in contact.php, related to invocations of…

  • CVE-2009-3444 · Sep 28, 2009
    risk 0.03 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in email.php in e107 0.7.16 and earlier allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header in a news.1 (aka news to email) action.

  • CVE-2009-1409 · Apr 24, 2009
    risk 0.03 · cvss n/a · epss 0.01

    SQL injection vulnerability in usersettings.php in e107 0.7.15 and earlier, when "Extended User Fields" is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the hide parameter, a different vector than CVE-2005-4224 and…

  • CVE-2008-5320 · Dec 3, 2008
    risk 0.03 · cvss n/a · epss 0.02

    SQL injection vulnerability in usersettings.php in e107 0.7.13 and earlier allows remote authenticated users to execute arbitrary SQL commands via the ue[] parameter.

  • CVE-2008-4906 · Nov 4, 2008
    risk 0.03 · cvss n/a · epss 0.01

    SQL injection vulnerability in lyrics_song.php in the Lyrics (lyrics_menu) plugin 0.42 for e107 allows remote attackers to execute arbitrary SQL commands via the l_id parameter. NOTE: some of these details are obtained from third party information.

  • CVE-2008-4785 · Oct 29, 2008
    risk 0.03 · cvss n/a · epss 0.01

    SQL injection vulnerability in newuser.php in the alternate_profiles plugin, possibly 0.2, for e107 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-1702 · Apr 8, 2008
    risk 0.03 · cvss n/a · epss 0.06

    Absolute path traversal vulnerability in dload.php in the my_gallery 2.3 plugin for e107 allows remote attackers to obtain sensitive information via a full pathname in the file parameter. NOTE: some of these details are obtained from third party information.

  • CVE-2007-3429 · Jun 27, 2007
    risk 0.03 · cvss n/a · epss 0.02

    Unrestricted file upload vulnerability in signup.php in e107 0.7.8 and earlier, when photograph upload is enabled, allows remote attackers to upload and execute arbitrary PHP code via a filename with a double extension such as .php.jpg.

  • CVE-2006-5786 · Nov 7, 2006
    risk 0.03 · cvss n/a · epss 0.02

    Directory traversal vulnerability in class2.php in e107 0.7.5 and earlier allows remote attackers to read and execute PHP code in arbitrary files via ".." sequences in the e107language_e107cookie cookie to gsitemap.php.

  • CVE-2006-4794 · Sep 14, 2006
    risk 0.03 · cvss n/a · epss 0.05

    Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.5 allow remote attackers to inject arbitrary web script or HTML via the query string (PATH_INFO) in (1) contact.php, (2) download.php, (3) admin.php, (4) fpw.php, (5) news.php, (6) search.php, (7) signup.php, (8)…

  • CVE-2006-3259 · Jun 27, 2006
    risk 0.03 · cvss n/a · epss 0.04

    Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.5 allow remote attackers to inject arbitrary web script or HTML via the (1) ep parameter to search.php and the (2) subject parameter in comment.php (aka the Subject field when posting a comment).

  • CVE-2006-0857 · Feb 23, 2006
    risk 0.03 · cvss n/a · epss 0.03

    Cross-site scripting (XSS) vulnerability in Chatbox Plugin 1.0 in e107 0.7.2 allows remote attackers to inject arbitrary HTML or web script via a Chatbox, as demonstrated using a SCRIPT element.

  • CVE-2005-2327 · Jul 20, 2005
    risk 0.03 · cvss n/a · epss 0.03

    Cross-site scripting (XSS) vulnerability in e107 0.617 and earlier allows remote attackers to inject arbitrary web script or HTML via nested [url] BBCode tags.

  • CVE-2004-2040 · May 29, 2004
    risk 0.03 · cvss n/a · epss 0.05

    Multiple cross-site scripting (XSS) vulnerabilities in e107 0.615 allow remote attackers to inject arbitrary web script or HTML via the (1) LAN_407 parameter to clock_menu.php, (2) "email article to a friend" field, (3) "submit news" field, or (4) avmsg parameter to…

  • CVE-2004-2028 · May 21, 2004
    risk 0.03 · cvss n/a · epss 0.04

    Cross-site scripting (XSS) vulnerability in stats.php in e107 allows remote attackers to inject arbitrary web script or HTML via the referer parameter to log.php.

  • CVE-2022-50939 · Jan 13, 2026
    risk 0.00 · cvss n/a · epss 0.01

    e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to override arbitrary server files through path traversal. The vulnerability exists in the Media Manager's remote URL upload functionality (image.php) where the…

  • CVE-2022-50916 · Jan 13, 2026
    risk 0.00 · cvss n/a · epss 0.01

    e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server files through the Media Manager import functionality. Attackers can exploit the upload mechanism by manipulating the upload URL parameter to overwrite existing…

  • CVE-2022-50907 · Jan 13, 2026
    risk 0.00 · cvss n/a · epss 0.01

    e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling…

  • CVE-2022-50906 · Jan 13, 2026
    risk 0.00 · cvss n/a · epss 0.00

    e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site…

  • CVE-2022-50905 · Jan 13, 2026
    risk 0.00 · cvss n/a · epss 0.01

    e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject…

  • CVE-2025-61505 · Oct 10, 2025
    risk 0.00 · cvss n/a · epss 0.00

    e107 CMS through 2.3.3 is vulnerable to insecure deserialization in the `install.php` script. The script processes user-controlled input in the `previous_steps` POST parameter using `unserialize(base64_decode())` without validation, allowing attackers to craft malicious serialized…

  • CVE-2018-16389 · Medium · Sep 12, 2018
    risk 0.00 · cvss 6.5 · epss 0.01

    e107_admin/banlist.php in e107 2.1.8 allows SQL injection via the old_ip parameter.

Page 1 of 2