Totaljs
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-50881 | | High | 0.57 | 8.8 | 0.01 | | Mar 16, 2026 | The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution. When handling GET requests, the script takes user-supplied input from the `action` URL parameter, performs insufficient validation, and incorporates… |
| CVE-2026-5077 | | Med | 0.35 | 5.4 | 0.00 | | May 2, 2026 | The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering the_title() inside HTML attribute context in the home blog section template. This makes it… |
| CVE-2025-11655 | | Med | 0.31 | 4.7 | 0.00 | | Oct 13, 2025 | A security flaw has been discovered in Total.js Flow up to 673ef9144dd25d4f4fd4fdfda5af27f230198924. The impacted element is an unknown function of the component SVG File Handler. Performing manipulation results in unrestricted upload. The attack can be initiated remotely. The… |
| CVE-2025-11019 | | Low | 0.16 | 2.4 | 0.00 | | Sep 26, 2025 | A vulnerability has been found in Total.js CMS up to 19.9.0. This impacts an unknown function of the component Files Menu. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-10940 | | Low | 0.16 | 2.4 | 0.00 | | Sep 25, 2025 | A vulnerability was found in Total.js CMS 1.0.0. Affected by this vulnerability is the function layouts_save of the file /admin/ of the component Layout Page. Performing manipulation of the argument HTML results in cross site scripting. It is possible to initiate the attack… |
| CVE-2019-8903 | | | 0.02 | — | 0.72 | | Feb 18, 2019 | index.js in Total.js Platform before 3.2.3 allows path traversal. |
| CVE-2025-20972 | | | 0.00 | — | 0.00 | | May 7, 2025 | Improper verification of intent by broadcast receiver in Samsung Flow prior to version 4.9.17.6 allows local attackers to modify Samsung Flow configuration. |
| CVE-2025-20971 | | | 0.00 | — | 0.00 | | May 7, 2025 | Improper input validation in Samsung Flow prior to version 4.9.17.6 allows local attackers to access data within Samsung Flow. |
| CVE-2024-48655 | | | 0.00 | — | 0.01 | | Oct 25, 2024 | An issue in Total.js CMS v.1.0 allows a remote attacker to execute arbitrary code via the func.js file. |
| CVE-2023-30094 | | | 0.00 | — | 0.01 | | May 4, 2023 | A stored cross-site scripting (XSS) vulnerability in TotalJS Flow v10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field in the settings module. |
| CVE-2023-27069 | | | 0.00 | — | 0.01 | | Mar 14, 2023 | A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatform commit b80b09d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the account name field. |
| CVE-2023-27070 | | | 0.00 | — | 0.01 | | Mar 14, 2023 | A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatform commit b80b09d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field. |
| CVE-2022-44019 | | | 0.00 | — | 0.02 | | Oct 29, 2022 | In Total.js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter. |
| CVE-2022-41392 | | | 0.00 | — | 0.01 | | Oct 7, 2022 | A cross-site scripting (XSS) vulnerability in TotalJS commit 8c2c8909 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website name text field under Main Settings. |
| CVE-2022-30013 | | | 0.00 | — | 0.01 | | May 16, 2022 | A stored cross-site scripting (XSS) vulnerability in the upload function of totaljs CMS 3.4.5 allows attackers to execute arbitrary web scripts via a JavaScript embedded PDF file. |
| CVE-2022-26565 | | | 0.00 | — | 0.01 | | Apr 1, 2022 | A cross-site scripting (XSS) vulnerability in Totaljs all versions before commit 95f54a5commit, allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page Name text field when creating a new page. |
| CVE-2021-32831 | | | 0.00 | — | 0.01 | | Aug 30, 2021 | Total.js framework (npm package total.js) is a framework for the Node.js platform written in pure JavaScript, similar to PHP's Laravel, Python's Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to… |
| CVE-2020-9381 | | | 0.00 | — | 0.02 | | Feb 24, 2020 | controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954. |
| CVE-2019-15955 | | | 0.00 | — | 0.01 | | Sep 5, 2019 | An issue was discovered in Total.js CMS 12.0.0. A low privilege user can perform a simple transformation of a cookie to obtain the random values inside it. If an attacker can discover a session cookie owned by an admin, then it is possible to brute force it with O(n)=2n instead… |
| CVE-2019-10260 | | | 0.00 | — | 0.01 | | Mar 28, 2019 | Total.js CMS 12.0.0 has XSS related to themes/admin/views/index.html (item.message) and themes/admin/public/ui.js (column.format). |