VYPR
Vendor

OutSystems

Products
7
CVEs
7
Across products
9
Status
Private

Products

7

Recent CVEs

7
  • CVE-2021-29357HigApr 12, 2021
    risk 0.56cvss 8.6epss 0.01

    The ECT Provider component in OutSystems Platform Server 10 before 10.0.1104.0 and 11 before 11.9.0 (and LifeTime management console before 11.7.0) allows SSRF for arbitrary outbound HTTP requests.

  • CVE-2022-47636HigAug 10, 2023
    risk 0.54cvss 7.8epss 0.01

    A DLL hijacking vulnerability has been discovered in OutSystems Service Studio 11 11.53.30 build 61739. When a user open a .oml file (OutSystems Modeling Language), the application will load the following DLLs from the same directory av_libGLESv2.dll, libcef.DLL, user32.dll, and…

  • CVE-2020-29441HigNov 30, 2020
    risk 0.47cvss 7.2epss 0.01

    An issue was discovered in the Upload Widget in OutSystems Platform 10 before 10.0.1019.0. An unauthenticated attacker can upload arbitrary files. In some cases, this attack may consume the available database space (Denial of Service), corrupt legitimate data if files are being…

  • CVE-2025-28168MedMay 5, 2025
    risk 0.42cvss 6.4epss 0.00

    The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass…

  • CVE-2019-12273MedDec 31, 2019
    risk 0.42cvss 6.5epss 0.00

    OutSystems Platform 10 through 11 allows ImageResourceDetail.aspx CSRF for content modifications and file uploads. NOTE: The product is self-hosted by the customer, even though it has a *.outsystemsenterprise.com domain name.) NOTE: The vendor claims that the independent…

  • CVE-2020-13639MedAug 31, 2021
    risk 0.40cvss 6.1epss 0.01

    A stored XSS vulnerability was discovered in the ECT Provider in OutSystems before 2020-09-04, affecting generated applications. It could allow an unauthenticated remote attacker to craft and store malicious Feedback content into /ECT_Provider/, such that when the content is…

  • CVE-2026-40127MedMay 25, 2026
    risk 0.34cvss epss 0.00

    OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can read the Change Log containing actions performed by other users as well as application name of any application. This…