Simple CMS

All CVEs

146 total · sorted by risk
  • CVE-2019-9055 · Mar 26, 2019
    risk 0.06 · cvss · epss 0.13

    An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible to reach an unserialize call with a crafted value in the…

  • CVE-2008-5642 · Dec 17, 2008
    risk 0.04 · cvss · epss 0.09

    Directory traversal vulnerability in admin/login.php in CMS Made Simple 1.4.1 allows remote attackers to read arbitrary files via a .. (dot dot) in a cms_language cookie.

  • CVE-2005-2846 · Sep 8, 2005
    risk 0.04 · cvss · epss 0.07

    PHP remote file inclusion vulnerability in lang.php in CMS Made Simple 0.10 and earlier allows remote attackers to execute arbitrary PHP code via the nls[file][vx][vxsfx] parameter.

  • CVE-2021-28935 · Mar 30, 2021
    risk 0.03 · cvss · epss 0.02

    CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field.

  • CVE-2014-0334 · Mar 2, 2014
    risk 0.03 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple allow remote authenticated users to inject arbitrary web script or HTML via (1) the group parameter to admin/addgroup.php, (2) the htmlblob parameter to admin/addhtmlblob.php, the (3) title or (4) url…

  • CVE-2010-3884 · Oct 8, 2010
    risk 0.03 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in CMS Made Simple 1.8.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that reset the administrative password. NOTE: the provenance of this information is unknown; the details are…

  • CVE-2010-3742 · Oct 5, 2010
    risk 0.03 · cvss · epss 0.02

    Multiple PHP remote file inclusion vulnerabilities in themes/default/index.php in Free Simple CMS 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) meta or (2) phpincdir parameter, a different issue than CVE-2010-3307.

  • CVE-2010-3307 · Oct 5, 2010
    risk 0.03 · cvss · epss 0.02

    Multiple PHP remote file inclusion vulnerabilities in themes/default/index.php in Free Simple CMS 1.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) body, (2) footer, (3) header, (4) menu_left, or (5) menu_right parameter.

  • CVE-2009-2792 · Aug 17, 2009
    risk 0.03 · cvss · epss 0.02

    Directory traversal vulnerability in plugings/pagecontent.php in Really Simple CMS (RSCMS) 0.3a allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the PT parameter.

  • CVE-2008-5058 · Nov 13, 2008
    risk 0.03 · cvss · epss 0.02

    SQL injection vulnerability in siteadmin/loginsucess.php in Pre Simple CMS allows remote attackers to execute arbitrary SQL commands via the user parameter, as reachable from siteadmin/adminlogin.php. NOTE: some of these details are obtained from third party information.

  • CVE-2008-2267 · May 16, 2008
    risk 0.03 · cvss · epss 0.05

    Incomplete blacklist vulnerability in javaUpload.php in Postlet in the FileManager module in CMS Made Simple 1.2.4 and earlier allows remote attackers to execute arbitrary code by uploading a file with a name ending in (1) .jsp, (2) .php3, (3) .cgi, (4) .dhtml, (5) .phtml, (6)…

  • CVE-2008-0835 · Feb 20, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in indexen.php in Simple CMS 1.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the area parameter.

  • CVE-2007-6656 · Jan 4, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in content_css.php in the TinyMCE module for CMS Made Simple 1.2.2 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter.

  • CVE-2007-2473 · May 2, 2007
    risk 0.03 · cvss · epss 0.04

    SQL injection vulnerability in stylesheet.php in CMS Made Simple 1.0.5 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter.

  • CVE-2006-6845 · Dec 31, 2006
    risk 0.03 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simple 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the cntnt01searchinput parameter in a Search action.

  • CVE-2005-3083 · Sep 27, 2005
    risk 0.03 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simple 0.10 allows remote attackers to inject arbitrary web script or HTML via the page parameter.

  • CVE-2022-23906 · Feb 28, 2022
    risk 0.01 · cvss · epss 0.02

    CMS Made Simple v2.2.15 was discovered to contain a Remote Command Execution (RCE) vulnerability via the upload avatar function. This vulnerability is exploited via a crafted image file.

  • CVE-2019-9059 · Mar 26, 2019
    risk 0.01 · cvss · epss 0.02

    An issue was discovered in CMS Made Simple 2.2.8. It is possible, with an administrator account, to achieve command injection by modifying the path of the e-mail executable in Mail Settings, setting "sendmail" in the "Mailer" option, and launching the "Forgot your password"…

  • CVE-2010-2797 · Oct 8, 2010
    risk 0.01 · cvss · epss 0.08

    Directory traversal vulnerability in lib/translation.functions.php in CMS Made Simple before 1.8.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the default_cms_lang parameter to an admin script, as demonstrated by…

  • CVE-2021-47919 · Feb 1, 2026
    risk 0.00 · cvss · epss 0.00

    Simple CMS 2.1 contains a non-persistent cross-site scripting vulnerability in the preview.php file's id parameter. Attackers can inject malicious script code through a GET request to execute arbitrary scripts and potentially hijack user sessions or perform phishing attacks.

  • CVE-2021-47917 · Feb 1, 2026
    risk 0.00 · cvss · epss 0.00

    Simple CMS 2.1 contains a persistent cross-site scripting vulnerability in user input parameters that allows remote attackers to inject malicious script code. Attackers can exploit the newUser and editUser modules to inject persistent scripts that execute on user list preview,…

  • CVE-2023-53927 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.00

    PHPJabbers Simple CMS 5.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through section name parameters. Attackers can create sections with embedded JavaScript payloads that will execute when administrators…

  • CVE-2023-53926 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.01

    PHPJabbers Simple CMS 5.0 contains a SQL injection vulnerability in the 'column' parameter that allows remote attackers to manipulate database queries. Attackers can inject crafted SQL payloads through the 'column' parameter in the index.php endpoint to potentially extract or…

  • CVE-2025-63678 · Nov 10, 2025
    risk 0.00 · cvss · epss 0.00

    An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted PHP file.

  • CVE-2025-5153 · May 25, 2025
    risk 0.00 · cvss · epss 0.00

    A vulnerability, which was classified as problematic, has been found in CMS Made Simple 2.2.21. This issue affects some unknown processing of the component Design Manager Module. The manipulation of the argument Description leads to cross site scripting. The attack may be…

  • CVE-2024-1529 · Mar 12, 2024
    risk 0.00 · cvss · epss 0.00

    Vulnerability in CMS Made Simple 2.2.14, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/adduser.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially…

  • CVE-2024-1528 · Mar 12, 2024
    risk 0.00 · cvss · epss 0.00

    CMS Made Simple version 2.2.14, does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/moduleinterface.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted…

  • CVE-2024-1527 · Mar 12, 2024
    risk 0.00 · cvss · epss 0.01

    Unrestricted file upload vulnerability in CMS Made Simple, affecting version 2.2.14. This vulnerability allows an authenticated user to bypass the security measures of the upload functionality and potentially create a remote execution of commands via webshell.

  • CVE-2024-27622 · Mar 5, 2024
    risk 0.00 · cvss · epss 0.02

    A remote code execution vulnerability has been identified in the User Defined Tags module of CMS Made Simple version 2.2.19 / 2.2.21. This vulnerability arises from inadequate sanitization of user-supplied input in the 'Code' section of the module. As a result, authenticated…

  • CVE-2024-27625 · Mar 5, 2024
    risk 0.00 · cvss · epss 0.00

    CMS Made Simple Version 2.2.19 is vulnerable to Cross Site Scripting (XSS). This vulnerability resides in the File Manager module of the admin panel. Specifically, the issue arises due to inadequate sanitization of user input in the "New directory" field.

  • CVE-2024-27623 · Mar 5, 2024
    risk 0.00 · cvss · epss 0.00

    CMS Made Simple version 2.2.19 is vulnerable to Server-Side Template Injection (SSTI). The vulnerability exists within the Design Manager, particularly when editing the Breadcrumbs.

  • CVE-2024-27559 · Mar 1, 2024
    risk 0.00 · cvss · epss 0.00

    Stupid Simple CMS v1.2.4 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /save_settings.php.

  • CVE-2024-27689 · Mar 1, 2024
    risk 0.00 · cvss · epss 0.00

    Stupid Simple CMS v1.2.4 was discovered to contain a Cross-Site Request Forgery (CSRF) via /update-article.php.

  • CVE-2024-22715 · Jan 17, 2024
    risk 0.00 · cvss · epss 0.00

    Stupid Simple CMS <=1.2.4 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin-edit.php.

  • CVE-2023-36970 · Jul 6, 2023
    risk 0.00 · cvss · epss 0.00

    A Cross-site scripting (XSS) vulnerability in CMS Made Simple v2.2.17 allows remote attackers to inject arbitrary web script or HTML via the File Upload function.

  • CVE-2021-28998 · May 8, 2023
    risk 0.00 · cvss · epss 0.01

    File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file.

  • CVE-2021-28999 · May 8, 2023
    risk 0.00 · cvss · epss 0.01

    SQL Injection vulnerability in CMS Made Simple through 2.2.15 allows remote attackers to execute arbitrary commands via the m1_sortby parameter to modules/News/function.admin_articlestab.php.

  • CVE-2021-40961 · Jun 9, 2022
    risk 0.00 · cvss · epss 0.02

    CMS Made Simple <=2.2.15 is affected by SQL injection in modules/News/function.admin_articlestab.php. The $sortby variable is concatenated with $query1, but it is possible to inject arbitrary SQL language without using the '.

  • CVE-2021-43154 · Apr 13, 2022
    risk 0.00 · cvss · epss 0.01

    Cross Site Scripting (XSS) vulnerability exists in CMS Made Simple 2.2.15 via the Name field in an Add Category action in moduleinterface.php.

  • CVE-2022-23907 · Feb 28, 2022
    risk 0.00 · cvss · epss 0.01

    CMS Made Simple v2.2.15 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the parameter m1_fmmessage.

  • CVE-2020-23481 · Sep 22, 2021
    risk 0.00 · cvss · epss 0.00

    CMS Made Simple 2.2.14 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Field Definition text field.

  • CVE-2019-9060 · Sep 17, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in CMS Made Simple 2.2.8. It is possible to achieve unauthenticated path traversal in the CGExtensions module (in the file action.setdefaulttemplate.php) with the m1_filename parameter; and through the action.showmessage.php file, it is possible to read…

  • CVE-2020-22732 · Aug 5, 2021
    risk 0.00 · cvss · epss 0.00

    CMS Made Simple (CMSMS) 2.2.14 allows stored XSS via the Extensions > File Picker.

  • CVE-2020-23241 · Jul 26, 2021
    risk 0.00 · cvss · epss 0.00

    Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 in "Extra" via the "News > Article" feature.

  • CVE-2020-23240 · Jul 26, 2021
    risk 0.00 · cvss · epss 0.00

    Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 via the Logic field in the Content Manager feature.

  • CVE-2020-36416 · Jul 2, 2021
    risk 0.00 · cvss · epss 0.00

    A stored cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Design" parameter under the "Designs" module.

  • CVE-2020-36415 · Jul 2, 2021
    risk 0.00 · cvss · epss 0.00

    A stored cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Stylesheet" parameter under the "Stylesheets" module.

  • CVE-2020-36414 · Jul 2, 2021
    risk 0.00 · cvss · epss 0.00

    A stored cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "URL (slug)" or "Extra" fields under the "Add Article" feature.

  • CVE-2020-36413 · Jul 2, 2021
    risk 0.00 · cvss · epss 0.00

    A stored cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Exclude these IP addresses from the 'Site Down' status" parameter under the "Maintenance Mode"…

  • CVE-2020-36412 · Jul 2, 2021
    risk 0.00 · cvss · epss 0.00

    A stored cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Search Text" field under the "Admin Search" module.