Socialengine
Products
1- 11 CVEs
Recent CVEs
11| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-41460 | Cri | 0.64 | 9.8 | 0.01 | Apr 23, 2026 | SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can… | ||
| CVE-2026-41461 | Hig | 0.55 | 8.5 | 0.00 | Apr 23, 2026 | SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated… | ||
| CVE-2013-4898 | 0.03 | — | 0.03 | Jan 29, 2014 | Unrestricted file upload vulnerability in the user profile page feature in the Timeline Plugin 4.2.5p9 for SocialEngine allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the… | |||
| CVE-2009-0400 | 0.03 | — | 0.01 | Feb 3, 2009 | SQL injection vulnerability in blog.php in SocialEngine 3.06 trial allows remote attackers to execute arbitrary SQL commands via the category_id parameter. | |||
| CVE-2007-6581 | 0.03 | — | 0.04 | Dec 28, 2007 | Multiple directory traversal vulnerabilities in Social Engine 2.0 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the global_lang parameter to (1) header_album.php, (2) header_blog.php, or (3) header_group.php; or (4)… | |||
| CVE-2012-6720 | 0.00 | — | 0.01 | Feb 11, 2020 | Multiple cross-site scripting (XSS) vulnerabilities in SocialEngine before 4.2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to music/create, (2) location parameter to events/create, or (3) search parameter to… | |||
| CVE-2012-6721 | 0.00 | — | 0.00 | Feb 11, 2020 | Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) Forum, (2) Event, and (3) Classifieds plugins in SocialEngine before 4.2.4. | |||
| CVE-2008-6121 | 0.00 | — | 0.01 | Feb 11, 2009 | CRLF injection vulnerability in SocialEngine (SE) 2.7 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the PHPSESSID cookie. | |||
| CVE-2008-6120 | 0.00 | — | 0.01 | Feb 11, 2009 | SQL injection vulnerability in profile_comments.php in SocialEngine (SE) 2.7 and earlier allows remote attackers to execute arbitrary SQL commands via the comment_secure parameter. | |||
| CVE-2008-3297 | 0.00 | — | 0.02 | Jul 25, 2008 | Multiple SQL injection vulnerabilities in SocialEngine (SE) before 2.83 allow remote attackers to execute arbitrary SQL commands via (1) an se_user cookie to include/class_user.php or (2) an se_admin cookie to include/class_admin.php. | |||
| CVE-2008-3298 | 0.00 | — | 0.01 | Jul 25, 2008 | SocialEngine (SE) before 2.83 grants certain write privileges for templates, which allows remote authenticated administrators to execute arbitrary PHP code. |
- risk 0.64cvss 9.8epss 0.01
SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can…
- risk 0.55cvss 8.5epss 0.00
SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated…
- CVE-2013-4898Jan 29, 2014risk 0.03cvss —epss 0.03
Unrestricted file upload vulnerability in the user profile page feature in the Timeline Plugin 4.2.5p9 for SocialEngine allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the…
- CVE-2009-0400Feb 3, 2009risk 0.03cvss —epss 0.01
SQL injection vulnerability in blog.php in SocialEngine 3.06 trial allows remote attackers to execute arbitrary SQL commands via the category_id parameter.
- CVE-2007-6581Dec 28, 2007risk 0.03cvss —epss 0.04
Multiple directory traversal vulnerabilities in Social Engine 2.0 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the global_lang parameter to (1) header_album.php, (2) header_blog.php, or (3) header_group.php; or (4)…
- CVE-2012-6720Feb 11, 2020risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in SocialEngine before 4.2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to music/create, (2) location parameter to events/create, or (3) search parameter to…
- CVE-2012-6721Feb 11, 2020risk 0.00cvss —epss 0.00
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) Forum, (2) Event, and (3) Classifieds plugins in SocialEngine before 4.2.4.
- CVE-2008-6121Feb 11, 2009risk 0.00cvss —epss 0.01
CRLF injection vulnerability in SocialEngine (SE) 2.7 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the PHPSESSID cookie.
- CVE-2008-6120Feb 11, 2009risk 0.00cvss —epss 0.01
SQL injection vulnerability in profile_comments.php in SocialEngine (SE) 2.7 and earlier allows remote attackers to execute arbitrary SQL commands via the comment_secure parameter.
- CVE-2008-3297Jul 25, 2008risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in SocialEngine (SE) before 2.83 allow remote attackers to execute arbitrary SQL commands via (1) an se_user cookie to include/class_user.php or (2) an se_admin cookie to include/class_admin.php.
- CVE-2008-3298Jul 25, 2008risk 0.00cvss —epss 0.01
SocialEngine (SE) before 2.83 grants certain write privileges for templates, which allows remote authenticated administrators to execute arbitrary PHP code.