Simple Machines

All CVEs

68 total · sorted by risk
  • CVE-2018-10305 · Critical · Apr 24, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    The MessageSearch2 function in PersonalMessage.php in Simple Machines Forum (SMF) before 2.0.15 does not properly use the possible_users variable in a query, which might allow attackers to bypass intended access restrictions.

  • CVE-2016-5726 · Critical · Feb 9, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    Packages.php in Simple Machines Forum (SMF) 2.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the themechanges array parameter.

  • CVE-2016-5727 · High · Feb 9, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    LogInOut.php in Simple Machines Forum (SMF) 2.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via vectors related to variables derived from user input in a foreach loop.

  • CVE-2022-26982 · Apr 5, 2022
    risk 0.04 · cvss n/a · epss 0.09

    SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator. NOTE: the vendor's position is that administrators are intended to have the…

  • CVE-2008-6971 · Aug 13, 2009
    risk 0.04 · cvss n/a · epss 0.07

    The password reset functionality in Simple Machines Forum (SMF) 1.0.x before 1.0.14, 1.1.x before 1.1.6, and 2.0 before 2.0 beta 4 includes clues about the random number generator state within a hidden form field and generates predictable validation codes, which allows remote…

  • CVE-2013-0192 · Feb 7, 2020
    risk 0.03 · cvss n/a · epss 0.04

    File Disclosure in SMF (SimpleMachines Forum) <= 2.0.3: Forum admin can read files such as the database config.

  • CVE-2009-5068 · Jan 15, 2020
    risk 0.03 · cvss n/a · epss 0.02

    There is a file disclosure vulnerability in SMF (Simple Machines Forum) affecting versions through v2.0.3. On some configurations a SMF deployment is shared by several "co-admins" that are not trusted beyond the SMF deployment. This vulnerability allows them to read arbitrary…

  • CVE-2005-4891 · Jan 15, 2020
    risk 0.03 · cvss n/a · epss 0.02

    Simple Machines Forum (SMF) versions 1.0.4 and earlier have an SQL injection vulnerability that allows remote attackers to inject arbitrary SQL statements.

  • CVE-2012-5903 · Nov 17, 2012
    risk 0.03 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in Simple Machines Forum (SMF) 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the scheduled parameter to index.php.

  • CVE-2008-6741 · Apr 21, 2009
    risk 0.03 · cvss n/a · epss 0.01

    SQL injection vulnerability in Load.php in Simple Machines Forum (SMF) 1.1.4 and earlier allows remote attackers to execute arbitrary SQL commands by setting the db_character_set parameter to a multibyte character set such as big5, which causes the addslashes PHP function to…

  • CVE-2008-6659 · Apr 7, 2009
    risk 0.03 · cvss n/a · epss 0.03

    Directory traversal vulnerability in index.php in Simple Machines Forum (SMF) 1.0 before 1.0.15 and 1.1 before 1.1.7 allows remote authenticated users to configure arbitrary local files for execution via directory traversal sequences in the value of the theme_dir field during a…

  • CVE-2008-6658 · Apr 7, 2009
    risk 0.03 · cvss n/a · epss 0.02

    Directory traversal vulnerability in index.php in Simple Machines Forum (SMF) 1.0 before 1.0.15 and 1.1 before 1.1.7 allows remote authenticated administrators to install packages from arbitrary directories via a .. (dot dot) in the package parameter during an install2 action,…

  • CVE-2008-6657 · Apr 7, 2009
    risk 0.03 · cvss n/a · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in index.php in Simple Machines Forum (SMF) 1.0 before 1.0.15 and 1.1 before 1.1.7 allows remote attackers to hijack the authentication of admins for requests that install packages via the package parameter in an install2 action.

  • CVE-2008-6544 · Mar 30, 2009
    risk 0.03 · cvss n/a · epss 0.03

    Multiple PHP remote file inclusion vulnerabilities in Simple Machines Forum (SMF) 1.1.4 allow remote attackers to execute arbitrary PHP code via a URL in the (1) settings[default_theme_dir] parameter to Sources/Subs-Graphics.php and (2) settings[default_theme_dir] parameter to…

  • CVE-2007-5646 · Oct 23, 2007
    risk 0.03 · cvss n/a · epss 0.03

    SQL injection vulnerability in Sources/Search.php in Simple Machines Forum (SMF) 1.1.3, when MySQL 5 is used, allows remote attackers to execute arbitrary SQL commands via the userspec parameter in a search2 action to index.php.

  • CVE-2007-0399 · Jan 22, 2007
    risk 0.03 · cvss n/a · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in index.php in Simple Machines Forum (SMF) 1.1 RC3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) recipient or (2) BCC field when selecting send in a pm action.

  • CVE-2006-5503 · Oct 25, 2006
    risk 0.03 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in index.php in Simple Machines Forum (SMF) 1.1 RC2 allows remote attackers to inject arbitrary web script or HTML via the action parameter.

  • CVE-2004-1996 · May 5, 2004
    risk 0.03 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in Simple Machines Forum (SMF) 1.0 allows remote attackers to inject arbitrary web script via the size tag.

  • CVE-2004-1827 · Mar 15, 2004
    risk 0.03 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in YaBB 1 Gold(SP1.3) and YaBB SE 1.5.1 Final allows remote attackers to inject arbitrary web script via the background:url property in (1) glow or (2) shadow tags.

  • CVE-2026-26025 · Feb 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805)…

  • CVE-2026-26024 · Feb 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805)…

  • CVE-2026-25501 · Feb 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics due to nil pointer dereference and the SMF process terminates. This is triggered by a malformed…

  • CVE-2025-69232 · Feb 23, 2026
    risk 0.00 · cvss n/a · epss 0.00

    free5GC is an open-source project for 5th generation (5G) mobile core networks. free5GC go-upf versions up to and including 1.2.6, corresponding to free5gc smf up to and including 1.4.0, have an Improper Input Validation and Protocol Compliance vulnerability leading to Denial of…

  • CVE-2026-1683 · Jan 30, 2026
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability has been found in Free5GC SMF up to 4.1.0. Affected by this vulnerability is the function HandlePfcpSessionReportRequest of the file internal/pfcp/handler/handler.go of the component PFCP. The manipulation leads to denial of service. Remote exploitation of the…

  • CVE-2026-1682 · Jan 30, 2026
    risk 0.00 · cvss n/a · epss 0.01

    A flaw has been found in Free5GC SMF up to 4.1.0. Affected is the function HandlePfcpAssociationReleaseRequest of the file internal/pfcp/handler/handler.go of the component PFCP UDP Endpoint. Executing a manipulation can lead to null pointer dereference. The attack may be…

  • CVE-2025-67163 · Dec 18, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A stored cross-site scripting (XSS) vulnerability in Simple Machines Forum v2.1.6 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Forum Name parameter.

  • CVE-2025-2583 · Mar 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability was found in SimpleMachines SMF 2.1.4. It has been classified as problematic. This affects an unknown part of the file ManageNews.php. The manipulation of the argument subject/message leads to cross site scripting. It is possible to initiate the attack remotely.…

  • CVE-2025-2582 · Mar 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability was found in SimpleMachines SMF 2.1.4 and classified as problematic. Affected by this issue is some unknown functionality of the file ManageAttachments.php. The manipulation of the argument Notice leads to cross site scripting. The attack may be launched…

  • CVE-2024-7438 · Aug 3, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability has been found in SimpleMachines SMF 2.1.4 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php?action=profile;u=2;area=showalerts;do=read of the component User Alert Read Status Handler. The…

  • CVE-2024-7437 · Aug 3, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability, which was classified as critical, was found in SimpleMachines SMF 2.1.4. Affected is an unknown function of the file /index.php?action=profile;u=2;area=showalerts;do=remove of the component Delete User Handler. The manipulation of the argument aid leads to…

  • CVE-2019-11574 · Mar 20, 2020
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in Simple Machines Forum (SMF) before release 2.0.17. There is SSRF related to Subs-Package.php and Subs.php because user-supplied data is used directly in curl calls.

  • CVE-2013-4395 · Feb 12, 2020
    risk 0.00 · cvss n/a · epss 0.01

    Simple Machines Forum (SMF) through 2.0.5 has XSS.

  • CVE-2019-12490 · Jan 22, 2020
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in Simple Machines Forum (SMF) before 2.0.16. Reverse tabnabbing can occur because of use of _blank for external links.

  • CVE-2013-7468 · Mar 7, 2019
    risk 0.00 · cvss n/a · epss 0.02

    Simple Machines Forum (SMF) 2.0.4 allows PHP Code Injection via the index.php?action=admin;area=languages;sa=editlang dictionary parameter.

  • CVE-2013-7466 · Mar 7, 2019
    risk 0.00 · cvss n/a · epss 0.04

    Simple Machines Forum (SMF) 2.0.4 allows local file inclusion, with resultant remote code execution, in install.php via ../ directory traversal in the db_type parameter if install.php remains present after installation.

  • CVE-2013-7467 · Mar 7, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Simple Machines Forum (SMF) 2.0.4 allows XSS via the index.php?action=pm;sa=settings;save sa parameter.

  • CVE-2013-7236 · Apr 29, 2014
    risk 0.00 · cvss n/a · epss 0.02

    Simple Machines Forum (SMF) 2.0.6, 1.1.19, and earlier allows remote attackers to impersonate arbitrary users via a Unicode homoglyph character in a username.

  • CVE-2013-7235 · Apr 29, 2014
    risk 0.00 · cvss n/a · epss 0.02

    Simple Machines Forum (SMF) before 1.1.19 and 2.x before 2.0.6 allows remote attackers to impersonate arbitrary users via multiple space characters.

  • CVE-2013-7234 · Apr 29, 2014
    risk 0.00 · cvss n/a · epss 0.01

    Simple Machines Forum (SMF) before 1.1.19 and 2.x before 2.0.6 allows remote attackers to conduct clickjacking attacks via an X-Frame-Options header.

  • CVE-2013-4465 · Oct 25, 2013
    risk 0.00 · cvss n/a · epss 0.02

    Unrestricted file upload vulnerability in the avatar upload functionality in Simple Machines Forum before 2.0.6 and 2.1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the…

  • CVE-2011-4173 · Oct 24, 2011
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Simple Machines Forum (SMF) 2.x before 2.0.1 allows remote attackers to hijack the authentication of administrators or moderators via vectors involving image files, a different vulnerability than CVE-2011-3615. NOTE: some of…

  • CVE-2011-3615 · Oct 24, 2011
    risk 0.00 · cvss n/a · epss 0.01

    Multiple SQL injection vulnerabilities in Simple Machines Forum (SMF) before 1.1.15 and 2.x before 2.0.1 allow remote attackers to execute arbitrary SQL commands via vectors involving a (1) HTML entity or (2) display name. NOTE: some of these details are obtained from third…

  • CVE-2011-1131 · Jun 21, 2011
    risk 0.00 · cvss n/a · epss 0.01

    The PlushSearch2 function in Search.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, uses certain cached data in a situation where a temporary table has been created, even though this cached data is intended only for situations where a temporary table…

  • CVE-2011-1130 · Jun 21, 2011
    risk 0.00 · cvss n/a · epss 0.01

    Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, does not properly validate the start parameter, which might allow remote attackers to conduct SQL injection attacks, obtain sensitive information, or cause a denial of service via a crafted value, related to the…

  • CVE-2011-1129 · Jun 21, 2011
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site scripting (XSS) vulnerability in the EditNews function in ManageNews.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, might allow remote authenticated users to inject arbitrary web script or HTML via a save_items action.

  • CVE-2011-1128 · Jun 21, 2011
    risk 0.00 · cvss n/a · epss 0.01

    The loadUserSettings function in Load.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, does not properly handle invalid login attempts, which might make it easier for remote attackers to obtain access or cause a denial of service via a brute-force attack.

  • CVE-2011-1127 · Jun 21, 2011
    risk 0.00 · cvss n/a · epss 0.02

    SSI.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, does not properly restrict guest access, which allows remote attackers to have an unspecified impact via unknown vectors.

  • CVE-2008-7035 · Aug 24, 2009
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site scripting (XSS) vulnerability in an unspecified component in Simple Machines phpRaider 1.0.7 allows remote attackers to inject arbitrary web script or HTML via the resistance field. NOTE: the provenance of this information is unknown; the details are obtained solely…

  • CVE-2008-3130 · Jul 10, 2008
    risk 0.00 · cvss n/a · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in index.php in OpenCart 0.7.7 allow remote attackers to inject arbitrary web script or HTML via the (1) firstname and (2) search parameters. NOTE: the provenance of this information is unknown; the details are obtained solely…

  • CVE-2008-3073 · Jul 8, 2008
    risk 0.00 · cvss n/a · epss 0.01

    Unspecified vulnerability in Simple Machines Forum (SMF) 1.1.x before 1.1.5 and 1.0.x before 1.0.13 has unknown impact and attack vectors, probably cross-site scripting (XSS), related to "use of the html-tag."

Page 1 of 2