Vendor CVEs
Maccms
All CVEs
26 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-17733 | | Cri | 0.67 | 9.8 | 0.44 | | Dec 18, 2017 | Maccms 8.x allows remote command execution via the wd parameter in an index.php?m=vod-search request. |
| CVE-2018-12114 | | Hig | 0.60 | 8.8 | 0.03 | | Jun 14, 2018 | Maccms 10 allows CSRF via admin.php/admin/admin/info.html to add user accounts. |
| CVE-2026-4562 | | Hig | 0.47 | 7.3 | 0.01 | | Mar 23, 2026 | A security flaw has been discovered in MacCMS 2025.1000.4052. This affects an unknown part of the file application/api/controller/Timming.php of the component Timming API Endpoint. The manipulation results in missing authentication. The attack may be performed from remote. The… |
| CVE-2026-7578 | | Med | 0.31 | 4.7 | 0.00 | | May 1, 2026 | A weakness has been identified in MacCMS Pro up to 2022.1.3. This vulnerability affects the function install of the file /admi.php/admin/addon/add.html of the component Plugin Installation Handler. Executing a manipulation can lead to unrestricted upload. The attack may be… |
| CVE-2025-10397 | | Med | 0.31 | 4.7 | 0.00 | | Sep 14, 2025 | A vulnerability was identified in Magicblack MacCMS 2025.1000.4050. This affects an unknown part of the component API Handler. The manipulation of the argument cjurl leads to server-side request forgery. The attack can be initiated remotely. The exploit is publicly available and… |
| CVE-2025-10122 | | Med | 0.31 | 4.7 | 0.00 | | Sep 9, 2025 | A vulnerability was found in Maccms10 2025.1000.4050. Affected is the function rep of the file application/admin/controller/Database.php. Performing manipulation of the argument where results in sql injection. The attack can be initiated remotely. The exploit has been made… |
| CVE-2026-4563 | | Med | 0.28 | 4.3 | 0.00 | | Mar 23, 2026 | A weakness has been identified in MacCMS up to 2025.1000.4052. This vulnerability affects the function order_info of the file application/index/controller/User.php of the component Member Order Detail Interface. This manipulation of the argument order_id causes authorization… |
| CVE-2025-10395 | | | 0.00 | — | 0.00 | | Sep 14, 2025 | A vulnerability was found in Magicblack MacCMS 2025.1000.4050. Affected by this vulnerability is the function col_url of the component Scheduled Task Handler. Performing manipulation of the argument cjurl results in server-side request forgery. It is possible to initiate the… |
| CVE-2025-45474 | | | 0.00 | — | 0.00 | | May 29, 2025 | maccms10 v2025.1000.4047 is vulnerable to Server-side request forgery (SSRF) in Email Settings. |
| CVE-2025-45475 | | | 0.00 | — | 0.00 | | May 27, 2025 | maccms10 v2025.1000.4047 is vulnerable to Server-Side request forgery (SSRF) in Friend Link Management. |
| CVE-2025-28090 | | | 0.00 | — | 0.00 | | Mar 28, 2025 | maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) in the Collection Custom Interface feature. |
| CVE-2025-28089 | | | 0.00 | — | 0.00 | | Mar 28, 2025 | maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) via the Scheduled Task function. |
| CVE-2024-46654 | | | 0.00 | — | 0.00 | | Sep 20, 2024 | A stored cross-site scripting (XSS) vulnerability in the Add Scheduled Task module of Maccms10 v2024.1000.4040 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-32391 | | | 0.00 | — | 0.01 | | Apr 19, 2024 | Cross Site Scripting vulnerability in MacCMS v.10 v.2024.1000.3000 allows a remote attacker to execute arbitrary code via a crafted payload. |
| CVE-2022-47872 | | | 0.00 | — | 0.01 | | Feb 1, 2023 | A Server-Side Request Forgery (SSRF) in maccms10 v2021.1000.2000 allows attackers to force the application to make arbitrary requests via a crafted payload injected into the Name parameter under the Interface address module. |
| CVE-2022-31303 | | | 0.00 | — | 0.00 | | Jun 21, 2022 | maccms10 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Server Group text field. |
| CVE-2022-31302 | | | 0.00 | — | 0.00 | | Jun 21, 2022 | maccms8 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Server Group text field. |
| CVE-2021-43707 | | | 0.00 | — | 0.01 | | Mar 31, 2022 | Cross Site Scripting (XSS) vulnerability exists in Maccms v10 via link_Name parameter. |
| CVE-2022-27886 | | | 0.00 | — | 0.01 | | Mar 25, 2022 | Maccms v10 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in /admin.php/admin/ulog/index.html via the wd parameter. |
| CVE-2022-27887 | | | 0.00 | — | 0.01 | | Mar 25, 2022 | Maccms v10 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in /admin.php/admin/vod/data.html via the repeat parameter. |
| CVE-2022-27884 | | | 0.00 | — | 0.01 | | Mar 25, 2022 | Maccms v10 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in /admin.php/admin/plog/index.html via the wd parameter. |
| CVE-2022-27885 | | | 0.00 | — | 0.01 | | Mar 25, 2022 | Maccms v10 was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities in /admin.php/admin/website/data.html via the select and input parameters. |
| CVE-2020-21434 | | | 0.00 | — | 0.01 | | Oct 4, 2021 | Maccms 10 contains a cross-site scripting (XSS) vulnerability in the Editing function under the Member module. This vulnerability is exploited via a crafted payload in the nickname text field. |
| CVE-2020-21081 | | | 0.00 | — | 0.00 | | Sep 14, 2021 | A cross-site request forgery (CSRF) in Maccms 8.0 causes administrators to add and modify articles without their knowledge via clicking on a crafted URL. |
| CVE-2018-19465 | | | 0.00 | — | 0.01 | | Jun 7, 2019 | Maccms through 8.0 allows XSS via the site_keywords field to index.php?m=system-config because of tpl/module/system.php and tpl/html/system_config.html, related to template/paody/html/vod_index.html. |
| CVE-2019-9829 | | | 0.00 | — | 0.02 | | Mar 15, 2019 | Maccms 10 allows remote attackers to execute arbitrary PHP code by entering this code in a template/default_pc/html/art Edit action. This occurs because template rendering uses an include operation on a cache file, which bypasses the prohibition of .php files as templates. |