Vendor: Expressionengine
Products: 3
CVEs: 10
Across products: 11
Status: Private

Products (3):
- 7 CVEs
- 3 CVEs
- 1 CVE

Recent CVEs (10):

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-1000160 | Med | 0.35 | 5.4 | 0.00 | | Nov 17, 2017 | EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting resulting in PHP code injection |
| CVE-2006-0461 | | 0.04 | — | 0.09 | | Jan 27, 2006 | Cross-site scripting (XSS) vulnerability in core.input.php in ExpressionEngine 1.4.1 allows remote attackers to inject arbitrary web script or HTML via HTTP_REFERER (referer). |
| CVE-2009-1070 | | 0.03 | — | 0.03 | | Mar 26, 2009 | Cross-site scripting (XSS) vulnerability in system/index.php in ExpressionEngine 1.6.4 through 1.6.6, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the avatar parameter. |
| CVE-2008-0334 | | 0.03 | — | 0.00 | | Jan 17, 2008 | Cross-site scripting (XSS) vulnerability in pm/language/spanish/preferences.php in PMachine Pro 2.4.1 allows remote attackers to inject arbitrary web script or HTML via the L_PREF_NAME[855] parameter. |
| CVE-2005-0513 | | 0.03 | — | 0.02 | | Feb 19, 2005 | PHP remote file inclusion vulnerability in mail_autocheck.php in the Email This Entry add-on for pMachine Pro 2.4, and possibly other versions including pMachine Free, allows remote attackers to execute arbitrary PHP code by directly requesting mail_autocheck.php and modifying the pm_path parameter to reference a URL on a remote web server that contains the code, a different vulnerability than CVE-2003-1086. |
| CVE-2003-1086 | | 0.03 | — | 0.04 | | Jun 17, 2003 | PHP remote file inclusion vulnerability in pm/lib.inc.php in pMachine Free and pMachine Pro 2.2 and 2.2.1 allows remote attackers to execute arbitrary PHP code by modifying the pm_path parameter to reference a URL on a remote web server that contains the code. |
| CVE-2025-59473 | | 0.00 | — | 0.00 | | Jan 26, 2026 | SQL Injection vulnerability in the Structure for Admin authenticated user |
| CVE-2014-5387 | | 0.00 | — | 0.00 | | Nov 4, 2014 | Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine before 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[] parameter to system/index.php or the (3) tbl_sort[0][] parameter in the comment module to system/index.php. |
| CVE-2008-0201 | | 0.00 | — | 0.01 | | Jan 10, 2008 | Cross-site scripting (XSS) vulnerability in index.php in ExpressionEngine 1.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the URL parameter. |
| CVE-2008-0202 | | 0.00 | — | 0.01 | | Jan 10, 2008 | CRLF injection vulnerability in index.php in ExpressionEngine 1.2.1 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the URL parameter. |