VYPR
Vendor

Lepton CMS

Products
2
CVEs
11
Across products
11
Status
Private

Products

2

Recent CVEs

11
  • CVE-2020-29240Dec 2, 2020
    risk 0.03cvss epss 0.02

    Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). An attacker can inject the XSS payload in the URL field of the admin page and each time an admin visits the Menu-Pages-Pages Overview section, the XSS will be triggered.

  • CVE-2020-12707May 7, 2020
    risk 0.03cvss epss 0.01

    An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4.5.0. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT elements. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT…

  • CVE-2025-56704Dec 9, 2025
    risk 0.00cvss epss 0.01

    LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code.

  • CVE-2024-29514Apr 2, 2024
    risk 0.00cvss epss 0.01

    File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file.

  • CVE-2020-24872Aug 11, 2023
    risk 0.00cvss epss 0.00

    Cross Site Scripting (XSS) vulnerability in backend/pages/modify.php in Lepton-CMS version 4.7.0, allows remote attackers to execute arbitrary code.

  • CVE-2022-4104Nov 28, 2022
    risk 0.00cvss epss 0.00

    A loop with an unreachable exit condition can be triggered by passing a crafted JPEG file to the Lepton image compression tool, resulting in a denial-of-service.

  • CVE-2020-12705May 7, 2020
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities exist in LeptonCMS before 4.6.0.

  • CVE-2012-1000Feb 24, 2012
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in LEPTON 1.1.3 and other versions before 1.1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) message parameter to admins/login/forgot/index.php, or the (2) display_name or (3) email parameter to…

  • CVE-2012-0999Feb 24, 2012
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in modules/news/rss.php in LEPTON before 1.1.4 allows remote attackers to execute arbitrary SQL commands via the group_id parameter.

  • CVE-2012-0998Feb 24, 2012
    risk 0.00cvss epss 0.02

    Directory traversal vulnerability in account/preferences.php in LEPTON before 1.1.4 allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the language parameter.

  • CVE-2011-3385Sep 2, 2011
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in WebsiteBaker before 2.8, as used in LEPTON and possibly other products, allows remote attackers to inject arbitrary web script or HTML via unknown vectors, a different vulnerability than CVE-2006-2307.