VYPR
Vendor: Seacms
Products: 1
CVEs: 116
Across products: 116
Status: Private

Recent CVEs (116)

  • CVE-2018-16822 | Critical | Sep 21, 2018
    risk 0.64 | cvss 9.8 | epss 0.01

    SeaCMS 6.64 allows SQL Injection via the upload/admin/admin_video.php order parameter.

  • CVE-2018-16445 | Critical | Sep 4, 2018
    risk 0.64 | cvss 9.8 | epss 0.01

    An issue was discovered in SeaCMS through 6.61. SQL injection exists via the tid parameter in an adm1n/admin_topic_vod.php request.

  • CVE-2018-16444 | Critical | Sep 4, 2018
    risk 0.59 | cvss 9.1 | epss 0.01

    An issue was discovered in SeaCMS 6.61. adm1n/admin_reslib.php has SSRF via the url parameter.

  • CVE-2018-14910 | High | Aug 3, 2018
    risk 0.57 | cvss 8.8 | epss 0.01

    SeaCMS v6.61 allows remote code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php. This can also be exploited through CSRF.

  • CVE-2018-14421 | High | Jul 20, 2018
    risk 0.57 | cvss 8.8 | epss 0.01

    SeaCMS v6.61 allows remote code execution by placing PHP code in a movie picture address (aka v_pic) to /admin/admin_video.php (aka /backend/admin_video.php). The code is executed by visiting /details/index.php. This can also be exploited through CSRF.

  • CVE-2018-13445 | High | Jul 8, 2018
    risk 0.57 | cvss 8.8 | epss 0.01

    An issue was discovered in SeaCMS 6.61. There is a CSRF vulnerability that can add a user account via adm1n/admin_manager.php?action=add.

  • CVE-2018-13444 | High | Jul 8, 2018
    risk 0.57 | cvss 8.8 | epss 0.01

    An issue was discovered in SeaCMS 6.61. There is a CSRF vulnerability that can add an admin account via adm1n/admin_manager.php?action=save&id=2.

  • CVE-2018-17365 | High | Sep 26, 2018
    risk 0.49 | cvss 7.5 | epss 0.02

    SeaCMS 6.64 and 7.2 allow remote attackers to delete arbitrary files via the filedir parameter.

  • CVE-2018-16446 | High | Sep 4, 2018
    risk 0.49 | cvss 7.5 | epss 0.02

    An issue was discovered in SeaCMS through 6.61. adm1n/admin_database.php allows remote attackers to delete arbitrary files via directory traversal sequences in the bakfiles parameter. This can allow the product to be reinstalled by deleting install_lock.txt.

  • CVE-2025-15002 | High | Dec 21, 2025
    risk 0.47 | cvss 7.3 | epss 0.00

    A vulnerability has been found in SeaCMS up to 13.3. The affected element is an unknown function of the file js/player/dmplayer/dmku/class/mysqli.class.php. Such manipulation of the argument page/limit leads to sql injection. The attack can be executed remotely. The exploit has…

  • CVE-2018-16343 | High | Sep 2, 2018
    risk 0.47 | cvss 7.2 | epss 0.03

    SeaCMS 6.61 allows remote attackers to execute arbitrary code because parseIf() in include/main.class.php does not block use of $GLOBALS.

  • CVE-2017-17561 | High | Dec 12, 2017
    risk 0.47 | cvss 7.2 | epss 0.01

    SeaCMS 6.56 allows remote authenticated administrators to execute arbitrary PHP code via a crafted token field to admin/admin_ping.php, which interacts with data/admin/ping.php.

  • CVE-2018-17321 | Medium | Sep 22, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate.php via the time or maxHit parameter in a dorandomset action.

  • CVE-2018-17062 | Medium | Sep 16, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    An issue was discovered in SeaCMS 6.64. XSS exists in admin_video.php via the action, area, type, yuyan, jqtype, v_isunion, v_recycled, v_ismoney, or v_ispsd parameter.

  • CVE-2018-14517 | Medium | Jul 23, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    SeaCMS 6.61 has two XSS issues in the admin_config.php file via certain form fields.

  • CVE-2018-11583 | Medium | May 31, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    SeaCMS 6.61 has stored XSS in admin_collect.php via the siteurl parameter.

  • CVE-2018-16821 | Medium | Sep 21, 2018
    risk 0.35 | cvss 5.3 | epss 0.01

    SeaCMS 6.64 allows arbitrary directory listing via upload/admin/admin_template.php?path=../templets/../../ requests.

  • CVE-2025-15003 | Medium | Dec 22, 2025
    risk 0.31 | cvss 4.7 | epss 0.00

    A vulnerability was found in SeaCMS up to 13.3. The impacted element is an unknown function of the file admin_video.php. Manipulation of the argument e_id results in SQL injection. The attack can be carried out remotely. The exploit has been made public…

  • CVE-2025-11071 | Medium | Sep 27, 2025
    risk 0.31 | cvss 4.7 | epss 0.00

    A security vulnerability has been detected in SeaCMS 13.3.20250820. Impacted is an unknown function of the file /admin_cron.php of the component Cron Task Management Module. The manipulation of the argument resourcefrom/collectID leads to sql injection. The attack can be…

  • CVE-2025-10662 | Medium | Sep 18, 2025
    risk 0.31 | cvss 4.7 | epss 0.00

    A vulnerability has been found in SeaCMS up to 13.3. The impacted element is an unknown function of the file /admin_members.php?ac=editsave. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the…