Lepton CMS
Products
2- 8 CVEs
- 3 CVEs
Recent CVEs
11| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-29240 | 0.03 | — | 0.02 | Dec 2, 2020 | Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). An attacker can inject the XSS payload in the URL field of the admin page and each time an admin visits the Menu-Pages-Pages Overview section, the XSS will be triggered. | |||
| CVE-2020-12707 | 0.03 | — | 0.01 | May 7, 2020 | An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4.5.0. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT elements. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT… | |||
| CVE-2025-56704 | 0.00 | — | 0.01 | Dec 9, 2025 | LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code. | |||
| CVE-2024-29514 | 0.00 | — | 0.01 | Apr 2, 2024 | File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file. | |||
| CVE-2020-24872 | 0.00 | — | 0.00 | Aug 11, 2023 | Cross Site Scripting (XSS) vulnerability in backend/pages/modify.php in Lepton-CMS version 4.7.0, allows remote attackers to execute arbitrary code. | |||
| CVE-2022-4104 | 0.00 | — | 0.00 | Nov 28, 2022 | A loop with an unreachable exit condition can be triggered by passing a crafted JPEG file to the Lepton image compression tool, resulting in a denial-of-service. | |||
| CVE-2020-12705 | 0.00 | — | 0.01 | May 7, 2020 | Multiple cross-site scripting (XSS) vulnerabilities exist in LeptonCMS before 4.6.0. | |||
| CVE-2012-1000 | 0.00 | — | 0.01 | Feb 24, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in LEPTON 1.1.3 and other versions before 1.1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) message parameter to admins/login/forgot/index.php, or the (2) display_name or (3) email parameter to… | |||
| CVE-2012-0999 | 0.00 | — | 0.01 | Feb 24, 2012 | SQL injection vulnerability in modules/news/rss.php in LEPTON before 1.1.4 allows remote attackers to execute arbitrary SQL commands via the group_id parameter. | |||
| CVE-2012-0998 | 0.00 | — | 0.02 | Feb 24, 2012 | Directory traversal vulnerability in account/preferences.php in LEPTON before 1.1.4 allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the language parameter. | |||
| CVE-2011-3385 | 0.00 | — | 0.01 | Sep 2, 2011 | Cross-site scripting (XSS) vulnerability in WebsiteBaker before 2.8, as used in LEPTON and possibly other products, allows remote attackers to inject arbitrary web script or HTML via unknown vectors, a different vulnerability than CVE-2006-2307. |
- CVE-2020-29240Dec 2, 2020risk 0.03cvss —epss 0.02
Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). An attacker can inject the XSS payload in the URL field of the admin page and each time an admin visits the Menu-Pages-Pages Overview section, the XSS will be triggered.
- CVE-2020-12707May 7, 2020risk 0.03cvss —epss 0.01
An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4.5.0. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT elements. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT…
- CVE-2025-56704Dec 9, 2025risk 0.00cvss —epss 0.01
LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code.
- CVE-2024-29514Apr 2, 2024risk 0.00cvss —epss 0.01
File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2020-24872Aug 11, 2023risk 0.00cvss —epss 0.00
Cross Site Scripting (XSS) vulnerability in backend/pages/modify.php in Lepton-CMS version 4.7.0, allows remote attackers to execute arbitrary code.
- CVE-2022-4104Nov 28, 2022risk 0.00cvss —epss 0.00
A loop with an unreachable exit condition can be triggered by passing a crafted JPEG file to the Lepton image compression tool, resulting in a denial-of-service.
- CVE-2020-12705May 7, 2020risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities exist in LeptonCMS before 4.6.0.
- CVE-2012-1000Feb 24, 2012risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in LEPTON 1.1.3 and other versions before 1.1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) message parameter to admins/login/forgot/index.php, or the (2) display_name or (3) email parameter to…
- CVE-2012-0999Feb 24, 2012risk 0.00cvss —epss 0.01
SQL injection vulnerability in modules/news/rss.php in LEPTON before 1.1.4 allows remote attackers to execute arbitrary SQL commands via the group_id parameter.
- CVE-2012-0998Feb 24, 2012risk 0.00cvss —epss 0.02
Directory traversal vulnerability in account/preferences.php in LEPTON before 1.1.4 allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the language parameter.
- CVE-2011-3385Sep 2, 2011risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in WebsiteBaker before 2.8, as used in LEPTON and possibly other products, allows remote attackers to inject arbitrary web script or HTML via unknown vectors, a different vulnerability than CVE-2006-2307.