VYPR

Statamic

All CVEs

82 total · sorted by risk
  • CVE-2026-27593 · Feb 24, 2026
    risk 0.00 · cvss · epss 0.00

    Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email…

  • CVE-2026-27196 · Feb 21, 2026
    risk 0.00 · cvss · epss 0.00

    Statamic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below, in addition to 6.0.0-alpha.1 through 6.3.1, have a stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious…

  • CVE-2026-25759 · Feb 11, 2026
    risk 0.00 · cvss · epss 0.00

    Statamic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by…

  • CVE-2026-25633 · Feb 11, 2026
    risk 0.00 · cvss · epss 0.00

    Statamic is a Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are…

  • CVE-2021-47753 · Jan 15, 2026
    risk 0.00 · cvss · epss 0.01

    phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands through a crafted…

  • CVE-2022-50937 · Jan 13, 2026
    risk 0.00 · cvss · epss 0.00

    Ametys CMS v4.4.1 contains a persistent cross-site scripting vulnerability in the link directory's input fields for external links. Attackers can inject malicious script code in link text and descriptions to execute persistent attacks that compromise user sessions and manipulate…

  • CVE-2022-50936 · Jan 13, 2026
    risk 0.00 · cvss · epss 0.01

    WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute…

  • CVE-2022-50905 · Jan 13, 2026
    risk 0.00 · cvss · epss 0.01

    e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject…

  • CVE-2022-50895 · Jan 13, 2026
    risk 0.00 · cvss · epss 0.01

    Aero CMS 0.0.1 contains a SQL injection vulnerability in the author parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, time-based, and UNION query techniques to extract sensitive database information and potentially…

  • CVE-2025-67436 · Dec 22, 2025
    risk 0.00 · cvss · epss 0.01

    Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inject a malicious PHP webshell into a theme file (e.g., home.php).

  • CVE-2025-67443 · Dec 22, 2025
    risk 0.00 · cvss · epss 0.00

    Schlix CMS before v2.2.9-5 is vulnerable to cross-site scripting (XSS). Due to a lack of JavaScript sanitization in the login form, incorrect login attempts recorded in the logs trigger XSS in the admin panel.

  • CVE-2023-53936 · Dec 18, 2025
    risk 0.00 · cvss · epss 0.00

    Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title,…

  • CVE-2023-53909 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.00

    WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media manager. Attackers can upload SVG files containing script tags to the…

  • CVE-2023-53901 · Dec 16, 2025
    risk 0.00 · cvss · epss 0.00

    WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to capture user keystrokes. Attackers can upload a crafted HTML file with CSS-based keylogging techniques to intercept password characters through background image…

  • CVE-2023-53891 · Dec 15, 2025
    risk 0.00 · cvss · epss 0.00

    Blackcat CMS 1.4 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into page content. Attackers can insert JavaScript payloads in the page modification interface that execute when other users view the compromised…

  • CVE-2023-53890 · Dec 15, 2025
    risk 0.00 · cvss · epss 0.00

    Perch CMS 3.2 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags that execute when the file is viewed, potentially stealing user session…

  • CVE-2023-53889 · Dec 15, 2025
    risk 0.00 · cvss · epss 0.01

    Perch CMS 3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload arbitrary PHP files through the assets management interface. Attackers can upload a malicious .phar file with embedded system command execution capabilities to execute…

  • CVE-2023-53884 · Dec 15, 2025
    risk 0.00 · cvss · epss 0.00

    Webedition CMS v2.9.8.8 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the media upload feature to inject and execute arbitrary scripts…

  • CVE-2024-32643 · Dec 3, 2025
    risk 0.00 · cvss · epss 0.00

    Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13,…

  • CVE-2025-40661 · Jun 10, 2025
    risk 0.00 · cvss · epss 0.00

    An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area setting the option parameter equal to 0, 1 or 2 in /administer/selectionnode/selection.asp.

  • CVE-2025-40658 · Jun 10, 2025
    risk 0.00 · cvss · epss 0.00

    An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area setting the option parameter equal to 0, 1 or 2 in /administer/selectionnode/framesSelection.asp.

  • CVE-2025-5432 · Jun 2, 2025
    risk 0.00 · cvss · epss 0.00

    A vulnerability has been found in AssamLook CMS 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /view_tender.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit…

  • CVE-2025-5430 · Jun 2, 2025
    risk 0.00 · cvss · epss 0.00

    A vulnerability, which was classified as critical, has been found in AssamLook CMS 1.0. This issue affects some unknown processing of the file /product.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been…

  • CVE-2025-5381 · May 31, 2025
    risk 0.00 · cvss · epss 0.01

    A vulnerability, which was classified as problematic, was found in Yifang CMS up to 2.0.2. Affected is the function downloadFile of the file /api/File/downloadFile of the component Admin Panel. The manipulation of the argument File leads to path traversal. It is possible to…

  • CVE-2024-24570 · Feb 1, 2024
    risk 0.00 · cvss · epss 0.01

    Statamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files can be uploaded, allowing for XSS. This affects front-end forms with asset fields without any mime type validation, asset fields in the control panel, and the asset browser in the…

  • CVE-2023-48701 · Nov 21, 2023
    risk 0.00 · cvss · epss 0.01

    Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 and 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an…

  • CVE-2023-48217 · Nov 14, 2023
    risk 0.00 · cvss · epss 0.01

    Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and…

  • CVE-2023-47129 · Nov 10, 2023
    risk 0.00 · cvss · epss 0.01

    Statamic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_…

  • CVE-2023-36828 · Jul 5, 2023
    risk 0.00 · cvss · epss 0.01

    Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the…

  • CVE-2022-24784 · Mar 25, 2022
    risk 0.00 · cvss · epss 0.01

    Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually…

  • CVE-2021-45364 · Feb 10, 2022
    risk 0.00 · cvss · epss 0.02

    A code execution vulnerability exists in Statamic versions through 3.2.26 via SettingsController.php. NOTE: the vendor indicates that there was an error in publishing this CVE Record, and that all parties agree that the affected code was not used in any Statamic product.

  • CVE-2018-19598 · Dec 19, 2018
    risk 0.00 · cvss · epss 0.01

    Statamic 2.10.3 allows XSS via First Name or Last Name to the /users URI in an 'Add new user' request.

Page 2 of 2