VYPR
Vendor: Totaljs

Products: 6
CVEs: 20
Across products: 20
Status: Private

Recent CVEs: 20
  • CVE-2025-50881 | High | Mar 16, 2026
    risk 0.57 | cvss 8.8 | epss 0.01

    The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution. When handling GET requests, the script takes user-supplied input from the `action` URL parameter, performs insufficient validation, and incorporates…

  • CVE-2026-5077 | Medium | May 2, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering the_title() inside HTML attribute context in the home blog section template. This makes it…

  • CVE-2025-11655 | Medium | Oct 13, 2025
    risk 0.31 | cvss 4.7 | epss 0.00

    A security flaw has been discovered in Total.js Flow up to 673ef9144dd25d4f4fd4fdfda5af27f230198924. The impacted element is an unknown function of the component SVG File Handler. Performing manipulation results in unrestricted upload. The attack can be initiated remotely. The…

  • CVE-2025-11019 | Low | Sep 26, 2025
    risk 0.16 | cvss 2.4 | epss 0.00

    A vulnerability has been found in Total.js CMS up to 19.9.0. This impacts an unknown function of the component Files Menu. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

  • CVE-2025-10940 | Low | Sep 25, 2025
    risk 0.16 | cvss 2.4 | epss 0.00

    A vulnerability was found in Total.js CMS 1.0.0. Affected by this vulnerability is the function layouts_save of the file /admin/ of the component Layout Page. Performing manipulation of the argument HTML results in cross site scripting. It is possible to initiate the attack…

  • CVE-2019-8903 | Feb 18, 2019
    risk 0.02 | cvss not listed | epss 0.72

    index.js in Total.js Platform before 3.2.3 allows path traversal.

  • CVE-2025-20972 | May 7, 2025
    risk 0.00 | cvss not listed | epss 0.00

    Improper verification of intent by broadcast receiver in Samsung Flow prior to version 4.9.17.6 allows local attackers to modify Samsung Flow configuration.

  • CVE-2025-20971 | May 7, 2025
    risk 0.00 | cvss not listed | epss 0.00

    Improper input validation in Samsung Flow prior to version 4.9.17.6 allows local attackers to access data within Samsung Flow.

  • CVE-2024-48655 | Oct 25, 2024
    risk 0.00 | cvss not listed | epss 0.01

    An issue in Total.js CMS v.1.0 allows a remote attacker to execute arbitrary code via the func.js file.

  • CVE-2023-30094 | May 4, 2023
    risk 0.00 | cvss not listed | epss 0.01

    A stored cross-site scripting (XSS) vulnerability in TotalJS Flow v10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field in the settings module.

  • CVE-2023-27069 | Mar 14, 2023
    risk 0.00 | cvss not listed | epss 0.01

    A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatform commit b80b09d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the account name field.

  • CVE-2023-27070 | Mar 14, 2023
    risk 0.00 | cvss not listed | epss 0.01

    A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatform commit b80b09d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field.

  • CVE-2022-44019 | Oct 29, 2022
    risk 0.00 | cvss not listed | epss 0.02

    In Total.js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter.

  • CVE-2022-41392 | Oct 7, 2022
    risk 0.00 | cvss not listed | epss 0.01

    A cross-site scripting (XSS) vulnerability in TotalJS commit 8c2c8909 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website name text field under Main Settings.

  • CVE-2022-30013 | May 16, 2022
    risk 0.00 | cvss not listed | epss 0.01

    A stored cross-site scripting (XSS) vulnerability in the upload function of totaljs CMS 3.4.5 allows attackers to execute arbitrary web scripts via a JavaScript embedded PDF file.

  • CVE-2022-26565 | Apr 1, 2022
    risk 0.00 | cvss not listed | epss 0.01

    A cross-site scripting (XSS) vulnerability in Totaljs all versions before commit 95f54a5commit, allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page Name text field when creating a new page.

  • CVE-2021-32831 | Aug 30, 2021
    risk 0.00 | cvss not listed | epss 0.01

    Total.js framework (npm package total.js) is a framework for Node.js platform written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to…

  • CVE-2020-9381 | Feb 24, 2020
    risk 0.00 | cvss not listed | epss 0.02

    controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954.

  • CVE-2019-15955 | Sep 5, 2019
    risk 0.00 | cvss not listed | epss 0.01

    An issue was discovered in Total.js CMS 12.0.0. A low privilege user can perform a simple transformation of a cookie to obtain the random values inside it. If an attacker can discover a session cookie owned by an admin, then it is possible to brute force it with O(n)=2n instead…

  • CVE-2019-10260 | Mar 28, 2019
    risk 0.00 | cvss not listed | epss 0.01

    Total.js CMS 12.0.0 has XSS related to themes/admin/views/index.html (item.message) and themes/admin/public/ui.js (column.format).