Vendor CVEs
Havalite
All CVEs
27 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2023-27179 | 0.10 | — | 0.61 | Apr 11, 2023 | GDidees CMS v3.9.1 and lower was discovered to contain an arbitrary file download vulnerability via the filename parameter at /_admin/imgdownload.php. |
| CVE-2022-46020 | 0.07 | — | 0.39 | Dec 20, 2022 | WBCE CMS v1.5.4 can implement getshell by modifying the upload file type. |
| CVE-2019-25137 | 0.04 | — | 0.04 | May 18, 2023 | Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx. |
| CVE-2013-0161 | 0.03 | — | 0.01 | Jan 29, 2020 | Havalite CMS 1.1.7 has a stored XSS vulnerability |
| CVE-2012-5919 | 0.03 | — | 0.02 | Nov 19, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) find or (2) replace fields to havalite/findReplace.php; (3) username parameter to havalite/hava_login.php, (4) the Edit… |
| CVE-2012-5894 | 0.03 | — | 0.01 | Nov 17, 2012 | SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the postId parameter. |
| CVE-2025-70866 | 0.00 | — | 0.00 | Feb 13, 2026 | LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share… |
| CVE-2025-71177 | 0.00 | — | 0.00 | Jan 23, 2026 | LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later… |
| CVE-2024-31828 | 0.00 | — | 0.01 | Apr 26, 2024 | Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL. |
| CVE-2024-27668 | 0.00 | — | 0.00 | Mar 4, 2024 | Flusity-CMS v2.33 is affected by: Cross Site Scripting (XSS) in 'Custom Blocks.' |
| CVE-2023-36983 | 0.00 | — | 0.01 | Aug 1, 2023 | LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure. |
| CVE-2023-36984 | 0.00 | — | 0.01 | Aug 1, 2023 | LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure. |
| CVE-2023-36291 | 0.00 | — | 0.00 | Jul 3, 2023 | Cross Site Scripting vulnerability in Maxsite CMS v.108.7 allows a remote attacker to execute arbitrary code via the f_content parameter in the admin/page_new file. |
| CVE-2023-27082 | 0.00 | — | 0.01 | Jun 26, 2023 | Cross Site Scripting (XSS) vulnerability in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev4 allows remote attackers to run arbitrary code via upload of crafted html file. |
| CVE-2023-31903 | 0.00 | — | 0.02 | May 17, 2023 | GuppY CMS 6.00.10 is vulnerable to Unrestricted File Upload which allows remote attackers to execute arbitrary code by uploading a php file. |
| CVE-2023-27237 | 0.00 | — | 0.01 | May 12, 2023 | LavaLite CMS v 9.0.0 was discovered to be vulnerable to a host header injection attack. |
| CVE-2023-27238 | 0.00 | — | 0.01 | May 12, 2023 | LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning. |
| CVE-2023-27178 | 0.00 | — | 0.01 | Apr 10, 2023 | An arbitrary file upload vulnerability in the upload function of GDidees CMS 3.9.1 allows attackers to execute arbitrary code via a crafted file. |
| CVE-2023-27180 | 0.00 | — | 0.01 | Apr 7, 2023 | GDidees CMS v3.9.1 was discovered to contain a source code disclosure vulnerability by the backup feature which is accessible via /_admin/backup.php. |
| CVE-2023-25828 | 0.00 | — | 0.02 | Mar 27, 2023 | Pluck CMS is vulnerable to an authenticated remote code execution (RCE) vulnerability through its “albums” module. Albums are used to create collections of images that can be inserted into web pages across the site. Albums allow the upload of various filetypes, which… |
| CVE-2022-38329 | 0.00 | — | 0.00 | Sep 13, 2022 | A CSRF vulnerability in Shopxian CMS 3.0.0 could allow an unauthenticated, remote attacker to craft a malicious link, potentially causing the administrator to perform unintended actions on an affected system. The vulnerability could allow attackers to modify or delete specific… |
| CVE-2020-36544 | 0.00 | — | 0.01 | Jun 4, 2022 | A vulnerability has been found in SialWeb CMS and classified as problematic. This vulnerability affects unknown code of the component Search Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the… |
| CVE-2020-36543 | 0.00 | — | 0.01 | Jun 4, 2022 | A vulnerability, which was classified as critical, was found in SialWeb CMS. This affects an unknown part of the file /about.php. The manipulation of the argument Id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the… |
| CVE-2019-18883 | 0.00 | — | 0.01 | Nov 13, 2019 | XSS exists in Lavalite CMS 5.7 via the admin/profile name or designation field. |
| CVE-2019-17434 | 0.00 | — | 0.01 | Oct 10, 2019 | LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen. |
| CVE-2012-5893 | 0.00 | — | 0.03 | Nov 17, 2012 | Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitrary code by uploading a file with a .php;.gif extension, then accessing it via a direct request to the file in tmp/files/. |
| CVE-2012-5892 | 0.00 | — | 0.01 | Nov 17, 2012 | Havalite CMS 1.1.0 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the configuration database via a direct request for data/havalite.db3. |