VYPR

Vendor CVEs

Maccms

All CVEs

26 total · sorted by risk
  • CVE-2017-17733 · Critical · Dec 18, 2017
    risk 0.67 · cvss 9.8 · epss 0.44

    Maccms 8.x allows remote command execution via the wd parameter in an index.php?m=vod-search request.

  • CVE-2018-12114 · High · Jun 14, 2018
    risk 0.60 · cvss 8.8 · epss 0.03

    Maccms 10 allows CSRF via admin.php/admin/admin/info.html to add user accounts.

  • CVE-2026-4562 · High · Mar 23, 2026
    risk 0.47 · cvss 7.3 · epss 0.01

    A security flaw has been discovered in MacCMS 2025.1000.4052. This affects an unknown part of the file application/api/controller/Timming.php of the component Timming API Endpoint. The manipulation results in missing authentication. The attack may be performed from remote. The…

  • CVE-2026-7578 · Medium · May 1, 2026
    risk 0.31 · cvss 4.7 · epss 0.00

    A weakness has been identified in MacCMS Pro up to 2022.1.3. This vulnerability affects the function install of the file /admi.php/admin/addon/add.html of the component Plugin Installation Handler. Executing a manipulation can lead to unrestricted upload. The attack may be…

  • CVE-2025-10397 · Medium · Sep 14, 2025
    risk 0.31 · cvss 4.7 · epss 0.00

    A vulnerability was identified in Magicblack MacCMS 2025.1000.4050. This affects an unknown part of the component API Handler. The manipulation of the argument cjurl leads to server-side request forgery. The attack can be initiated remotely. The exploit is publicly available and…

  • CVE-2025-10122 · Medium · Sep 9, 2025
    risk 0.31 · cvss 4.7 · epss 0.00

    A vulnerability was found in Maccms10 2025.1000.4050. Affected is the function rep of the file application/admin/controller/Database.php. Performing manipulation of the argument where results in SQL injection. The attack can be initiated remotely. The exploit has been made…

  • CVE-2026-4563 · Medium · Mar 23, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A weakness has been identified in MacCMS up to 2025.1000.4052. This vulnerability affects the function order_info of the file application/index/controller/User.php of the component Member Order Detail Interface. This manipulation of the argument order_id causes authorization…

  • CVE-2025-10395 · Sep 14, 2025
    risk 0.00 · cvss · epss 0.00

    A vulnerability was found in Magicblack MacCMS 2025.1000.4050. Affected by this vulnerability is the function col_url of the component Scheduled Task Handler. Performing manipulation of the argument cjurl results in server-side request forgery. It is possible to initiate the…

  • CVE-2025-45474 · May 29, 2025
    risk 0.00 · cvss · epss 0.00

    maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) in Email Settings.

  • CVE-2025-45475 · May 27, 2025
    risk 0.00 · cvss · epss 0.00

    maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) in Friend Link Management.

  • CVE-2025-28090 · Mar 28, 2025
    risk 0.00 · cvss · epss 0.00

    maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) in the Collection Custom Interface feature.

  • CVE-2025-28089 · Mar 28, 2025
    risk 0.00 · cvss · epss 0.00

    maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) via the Scheduled Task function.

  • CVE-2024-46654 · Sep 20, 2024
    risk 0.00 · cvss · epss 0.00

    A stored cross-site scripting (XSS) vulnerability in the Add Scheduled Task module of Maccms10 v2024.1000.4040 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2024-32391 · Apr 19, 2024
    risk 0.00 · cvss · epss 0.01

    Cross Site Scripting vulnerability in MacCMS v.10 v.2024.1000.3000 allows a remote attacker to execute arbitrary code via a crafted payload.

  • CVE-2022-47872 · Feb 1, 2023
    risk 0.00 · cvss · epss 0.01

    A Server-Side Request Forgery (SSRF) in maccms10 v2021.1000.2000 allows attackers to force the application to make arbitrary requests via a crafted payload injected into the Name parameter under the Interface address module.

  • CVE-2022-31303 · Jun 21, 2022
    risk 0.00 · cvss · epss 0.00

    maccms10 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Server Group text field.

  • CVE-2022-31302 · Jun 21, 2022
    risk 0.00 · cvss · epss 0.00

    maccms8 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Server Group text field.

  • CVE-2021-43707 · Mar 31, 2022
    risk 0.00 · cvss · epss 0.01

    Cross Site Scripting (XSS) vulnerability exists in Maccms v10 via link_Name parameter.

  • CVE-2022-27886 · Mar 25, 2022
    risk 0.00 · cvss · epss 0.01

    Maccms v10 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in /admin.php/admin/ulog/index.html via the wd parameter.

  • CVE-2022-27887 · Mar 25, 2022
    risk 0.00 · cvss · epss 0.01

    Maccms v10 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in /admin.php/admin/vod/data.html via the repeat parameter.

  • CVE-2022-27884 · Mar 25, 2022
    risk 0.00 · cvss · epss 0.01

    Maccms v10 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in /admin.php/admin/plog/index.html via the wd parameter.

  • CVE-2022-27885 · Mar 25, 2022
    risk 0.00 · cvss · epss 0.01

    Maccms v10 was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities in /admin.php/admin/website/data.html via the select and input parameters.

  • CVE-2020-21434 · Oct 4, 2021
    risk 0.00 · cvss · epss 0.01

    Maccms 10 contains a cross-site scripting (XSS) vulnerability in the Editing function under the Member module. This vulnerability is exploited via a crafted payload in the nickname text field.

  • CVE-2020-21081 · Sep 14, 2021
    risk 0.00 · cvss · epss 0.00

    A cross-site request forgery (CSRF) in Maccms 8.0 causes administrators to add and modify articles without their knowledge via clicking on a crafted URL.

  • CVE-2018-19465 · Jun 7, 2019
    risk 0.00 · cvss · epss 0.01

    Maccms through 8.0 allows XSS via the site_keywords field to index.php?m=system-config because of tpl/module/system.php and tpl/html/system_config.html, related to template/paody/html/vod_index.html.

  • CVE-2019-9829 · Mar 15, 2019
    risk 0.00 · cvss · epss 0.02

    Maccms 10 allows remote attackers to execute arbitrary PHP code by entering this code in a template/default_pc/html/art Edit action. This occurs because template rendering uses an include operation on a cache file, which bypasses the prohibition of .php files as templates.