VYPR

Vendor CVEs

Havalite

All CVEs

27 total · sorted by risk
  • CVE-2023-27179 · Apr 11, 2023
    risk 0.10 · cvss · epss 0.61

    GDidees CMS v3.9.1 and lower was discovered to contain an arbitrary file download vulnerability via the filename parameter at /_admin/imgdownload.php.

  • CVE-2022-46020 · Dec 20, 2022
    risk 0.07 · cvss · epss 0.39

    WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.

  • CVE-2019-25137 · May 18, 2023
    risk 0.04 · cvss · epss 0.04

    Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx.

  • CVE-2013-0161 · Jan 29, 2020
    risk 0.03 · cvss · epss 0.01

    Havalite CMS 1.1.7 has a stored XSS vulnerability

  • CVE-2012-5919 · Nov 19, 2012
    risk 0.03 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) find or (2) replace fields to havalite/findReplace.php; (3) username parameter to havalite/hava_login.php, (4) the Edit…

  • CVE-2012-5894 · Nov 17, 2012
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the postId parameter.

  • CVE-2025-70866 · Feb 13, 2026
    risk 0.00 · cvss · epss 0.00

    LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share…

  • CVE-2025-71177 · Jan 23, 2026
    risk 0.00 · cvss · epss 0.00

    LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later…

  • CVE-2024-31828 · Apr 26, 2024
    risk 0.00 · cvss · epss 0.01

    Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL.

  • CVE-2024-27668 · Mar 4, 2024
    risk 0.00 · cvss · epss 0.00

    Flusity-CMS v2.33 is affected by: Cross Site Scripting (XSS) in 'Custom Blocks.'

  • CVE-2023-36983 · Aug 1, 2023
    risk 0.00 · cvss · epss 0.01

    LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure.

  • CVE-2023-36984 · Aug 1, 2023
    risk 0.00 · cvss · epss 0.01

    LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure.

  • CVE-2023-36291 · Jul 3, 2023
    risk 0.00 · cvss · epss 0.00

    Cross Site Scripting vulnerability in Maxsite CMS v.108.7 allows a remote attacker to execute arbitrary code via the f_content parameter in the admin/page_new file.

  • CVE-2023-27082 · Jun 26, 2023
    risk 0.00 · cvss · epss 0.01

    Cross Site Scripting (XSS) vulnerability in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev4 allows remote attackers to run arbitrary code via upload of crafted html file.

  • CVE-2023-31903 · May 17, 2023
    risk 0.00 · cvss · epss 0.02

    GuppY CMS 6.00.10 is vulnerable to Unrestricted File Upload which allows remote attackers to execute arbitrary code by uploading a php file.

  • CVE-2023-27237 · May 12, 2023
    risk 0.00 · cvss · epss 0.01

    LavaLite CMS v 9.0.0 was discovered to be vulnerable to a host header injection attack.

  • CVE-2023-27238 · May 12, 2023
    risk 0.00 · cvss · epss 0.01

    LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning.

  • CVE-2023-27178 · Apr 10, 2023
    risk 0.00 · cvss · epss 0.01

    An arbitrary file upload vulnerability in the upload function of GDidees CMS 3.9.1 allows attackers to execute arbitrary code via a crafted file.

  • CVE-2023-27180 · Apr 7, 2023
    risk 0.00 · cvss · epss 0.01

    GDidees CMS v3.9.1 was discovered to contain a source code disclosure vulnerability by the backup feature which is accessible via /_admin/backup.php.

  • CVE-2023-25828 · Mar 27, 2023
    risk 0.00 · cvss · epss 0.02

    Pluck CMS is vulnerable to an authenticated remote code execution (RCE) vulnerability through its “albums” module. Albums are used to create collections of images that can be inserted into web pages across the site. Albums allow the upload of various filetypes, which…

  • CVE-2022-38329 · Sep 13, 2022
    risk 0.00 · cvss · epss 0.00

    A CSRF vulnerability in Shopxian CMS 3.0.0 could allow an unauthenticated, remote attacker to craft a malicious link, potentially causing the administrator to perform unintended actions on an affected system. The vulnerability could allow attackers to modify or delete specific…

  • CVE-2020-36544 · Jun 4, 2022
    risk 0.00 · cvss · epss 0.01

    A vulnerability has been found in SialWeb CMS and classified as problematic. This vulnerability affects unknown code of the component Search Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the…

  • CVE-2020-36543 · Jun 4, 2022
    risk 0.00 · cvss · epss 0.01

    A vulnerability, which was classified as critical, was found in SialWeb CMS. This affects an unknown part of the file /about.php. The manipulation of the argument Id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the…

  • CVE-2019-18883 · Nov 13, 2019
    risk 0.00 · cvss · epss 0.01

    XSS exists in Lavalite CMS 5.7 via the admin/profile name or designation field.

  • CVE-2019-17434 · Oct 10, 2019
    risk 0.00 · cvss · epss 0.01

    LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen.

  • CVE-2012-5893 · Nov 17, 2012
    risk 0.00 · cvss · epss 0.03

    Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitrary code by uploading a file with a .php;.gif extension, then accessing it via a direct request to the file in tmp/files/.

  • CVE-2012-5892 · Nov 17, 2012
    risk 0.00 · cvss · epss 0.01

    Havalite CMS 1.1.0 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the configuration database via a direct request for data/havalite.db3.