XOOPS

All CVEs

107 total · sorted by risk
  • CVE-2007-1979 · Apr 12, 2007
    risk 0.03 · cvss · epss 0.02

    SQL injection vulnerability in index.php in the PopnupBlog 2.52 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the postid parameter, possibly involving the get_blogid_from_postid function in class/PopnupBlogUtils.php. NOTE: later…

  • CVE-2007-1974 · Apr 12, 2007
    risk 0.03 · cvss · epss 0.06

    SQL injection vulnerability in the getArticle function in class/wfsarticle.php in WF-Section (aka WF-Sections) 1.0.1, as used in Xoops modules such as (1) Zmagazine 1.0, (2) Happy Linux XFsection 1.07 and earlier, and possibly other modules, allows remote attackers to execute…

  • CVE-2007-1962 · Apr 11, 2007
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in index.php in the WF-Snippets 1.02 and earlier module for XOOPS allows remote attackers to execute arbitrary SQL commands via the c parameter in a cat action.

  • CVE-2007-1960 · Apr 11, 2007
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in visit.php in the Rha7 Downloads (rha7downloads) 1.0 module for XOOPS, and possibly other versions up to 1.10, allows remote attackers to execute arbitrary SQL commands via the lid parameter.

  • CVE-2007-1846 · Apr 3, 2007
    risk 0.03 · cvss · epss 0.02

    SQL injection vulnerability in index.php in the MyAds 2.04jp and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter, different vectors than CVE-2006-3341.

  • CVE-2007-1847 · Apr 3, 2007
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in viewcat.php in the Repository module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.

  • CVE-2007-1838 · Apr 3, 2007
    risk 0.03 · cvss · epss 0.02

    SQL injection vulnerability in view.php in the Friendfinder 3.3 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2007-1816 · Apr 2, 2007
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in viewcat.php in the Tutoriais module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.

  • CVE-2007-1810 · Apr 2, 2007
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in product_details.php in the Kshop 1.17 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2007-1813 · Apr 2, 2007
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in display.php in the eCal 2.24 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the katid parameter.

  • CVE-2007-1815 · Apr 2, 2007
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in viewcat.php in the Library module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.

  • CVE-2007-1808 · Apr 2, 2007
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in show.php in the Camportail 1.1 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the camid parameter in a showcam action.

  • CVE-2007-1811 · Apr 2, 2007
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in index.php in the Tiny Event (tinyevent) 1.01 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter in a show action.

  • CVE-2007-1805 · Apr 2, 2007
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in genre.php in the debaser 0.92 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the genreid parameter.

  • CVE-2007-1814 · Apr 2, 2007
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in viewcat.php in the Core module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter, a different vector than CVE-2007-0377.

  • CVE-2006-5810 · Nov 8, 2006
    risk 0.03 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in modules/wfdownloads/newlist.php in XOOPS 1.0 allows remote attackers to inject arbitrary web script or HTML via the newdownloadshowdays parameter.

  • CVE-2006-3363 · Jul 6, 2006
    risk 0.03 · cvss · epss 0.03

    PHP remote file inclusion vulnerability in index.php in the Glossaire module 1.7 for Xoops allows remote attackers to execute arbitrary PHP code via a URL in the pa parameter.

  • CVE-2006-0198 · Jan 13, 2006
    risk 0.03 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in a certain module, possibly poll or Pool, for XOOPS allows remote attackers to inject arbitrary web script or HTML via JavaScript in the SRC attribute of an IMG element in a comment.

  • CVE-2005-3681 · Nov 18, 2005
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in viewcat.php in XOOPS WF-Downloads module 2.05 allows remote attackers to execute arbitrary SQL commands via the list parameter.

  • CVE-2005-2113 · Jul 5, 2005
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in the loginUser function in the XMLRPC server in XOOPS 2.0.11 and earlier allows remote attackers to execute arbitrary SQL commands and bypass authentication via crafted values in an XML file, as demonstrated using the blogger.getPost method.

  • CVE-2005-2112 · Jul 5, 2005
    risk 0.03 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.0.11 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) order parameter to edit.php or (2) cid parameter to comment_edit.php.

  • CVE-2004-2756 · Dec 31, 2004
    risk 0.03 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in viewtopic.php in Xoops 2.x, possibly 2 through 2.0.5, allows remote attackers to inject arbitrary web script or HTML via the (1) forum and (2) topic_id parameters.

  • CVE-2004-1640 · Aug 28, 2004
    risk 0.03 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 0.94 and 1.0 allow remote attackers to execute arbitrary web script and HTML via the (1) terme parameter to search.php or (2) letter parameter to letter.php.

  • CVE-2003-1550 · Dec 31, 2003
    risk 0.03 · cvss · epss 0.03

    XOOPS 2.0, and possibly earlier versions, allows remote attackers to obtain sensitive information via an invalid xoopsOption parameter, which reveals the installation path in an error message.

  • CVE-2003-1453 · Dec 31, 2003
    risk 0.03 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the MytextSanitizer function in XOOPS 1.3.5 through 1.3.9 and XOOPS 2.0 through 2.0.1 allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in an IMG tag.

  • CVE-2002-1802 · Dec 31, 2002
    risk 0.03 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in Xoops 1.0 RC3 allows remote attackers to inject arbitrary web script or HTML via JavaScript in an IMG tag when submitting news.

  • CVE-2026-46338 · May 19, 2026
    risk 0.00 · cvss · epss 0.00

    `pymdownx.snippets` has a regression of the CVE-2023-32309 / GHSA-jh85-wwv9-24hv fix. With `restrict_base_path: True` (the default), the current `filename.startswith(base)` containment check does not enforce a directory boundary. As a result, a markdown snippet…

  • CVE-2023-36217 · Aug 3, 2023
    risk 0.00 · cvss · epss 0.01

    Cross Site Scripting vulnerability in Xoops CMS v.2.5.10 allows a remote attacker to execute arbitrary code via the category name field of the image manager function.

  • CVE-2019-16684 · Sep 30, 2019
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or in the Edit page, the payload executes.

  • CVE-2019-16683 · Sep 30, 2019
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes.

  • CVE-2014-8999 · Nov 20, 2014
    risk 0.00 · cvss · epss 0.02

    SQL injection vulnerability in htdocs/modules/system/admin.php in XOOPS before 2.5.7 Final allows remote authenticated users to execute arbitrary SQL commands via the selgroups parameter.

  • CVE-2011-4565 · Nov 28, 2011
    risk 0.00 · cvss · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.5.1.a, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to include/formdhtmltextarea_preview.php or (2) img BBCODE tag within the message…

  • CVE-2011-3822 · Sep 24, 2011
    risk 0.00 · cvss · epss 0.01

    XOOPS 2.5.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/system/xoops_version.php and certain other files.

  • CVE-2009-4851 · May 7, 2010
    risk 0.00 · cvss · epss 0.01

    The activation resend function in the Profiles module in XOOPS before 2.4.1 sends activation codes in response to arbitrary activation requests, which allows remote attackers to bypass administrative approval via a request involving activate.php.

  • CVE-2009-3963 · Nov 17, 2009
    risk 0.00 · cvss · epss 0.02

    Multiple unspecified vulnerabilities in XOOPS before 2.4.0 Final have unknown impact and attack vectors.

  • CVE-2008-6885 · Jul 31, 2009
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in pmlite.php in XOOPS 2.3.1 and 2.3.2a allows remote attackers to inject arbitrary web script or HTML via a STYLE attribute in a URL BBcode tag in a private message.

  • CVE-2009-0805 · Mar 4, 2009
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in piCal 0.91h and earlier, a module for XOOPS, allows remote attackers to inject arbitrary web script or HTML via the event_id parameter in index.php.

  • CVE-2008-4433 · Oct 3, 2008
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in search.php in the RMSOFT MiniShop module 1.0 for Xoops might allow remote attackers to execute arbitrary SQL commands via the itemsxpag parameter.

  • CVE-2008-2035 · Apr 30, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Bluemoon, Inc. (1) BackPack 0.91 and earlier, (2) BmSurvey 0.84 and earlier, (3) newbb_fileup 1.83 and earlier, (4) News_embed (news_fileup) 1.44 and earlier, and (5) PopnupBlog 3.19 and earlier modules for XOOPS 2.0.x, XOOPS Cube…

  • CVE-2008-1064 · Feb 28, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in images.php in the Red Mexico RMSOFT Gallery System (GS) 2.0 module (aka rmgs) for XOOPS allows remote attackers to inject arbitrary web script or HTML via the q parameter.

  • CVE-2008-1065 · Feb 28, 2008
    risk 0.00 · cvss · epss 0.01

    Multiple SQL injection vulnerabilities in index.php in the XM-Memberstats (xmmemberstats) 2.0e module for XOOPS allow remote attackers to execute arbitrary SQL commands via the (1) letter or (2) sortby parameter. NOTE: the provenance of this information is unknown; the details…

  • CVE-2008-1063 · Feb 28, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in index.php in the XM-Memberstats (xmmemberstats) module for XOOPS allows remote attackers to inject arbitrary web script or HTML via the sortby parameter.

  • CVE-2007-6675 · Jan 8, 2008
    risk 0.00 · cvss · epss 0.01

    The b_system_comments_show function in htdocs/modules/system/blocks/system_blocks.php in XOOPS before 2.0.18 does not check permissions, which allows remote attackers to read the comments in restricted modules.

  • CVE-2007-5188 · Oct 3, 2007
    risk 0.00 · cvss · epss 0.02

    Unspecified vulnerability in the XOOPS uploader class in Xoops 2.0.17.1-RC1 and earlier allows remote attackers to upload arbitrary files via unspecified vectors related to improper upload configuration settings in class/uploader.php and class/mimetypes.inc.php, possibly an…

  • CVE-2007-2107 · Apr 18, 2007
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in visit.php in the Rha7 Downloads (rha7downloads) 1.0 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter, a different vector than CVE-2007-1960. NOTE: the provenance of this information is unknown; the…

  • CVE-2007-1976 · Apr 12, 2007
    risk 0.00 · cvss · epss 0.02

    PHP remote file inclusion vulnerability in index.php in the Virii Info 1.10 and earlier module for Xoops allows remote attackers to execute arbitrary PHP code via a URL in the xoopsConfig[root_path] parameter. NOTE: the issue has been disputed by a reliable third party, stating…

  • CVE-2007-0377 · Jan 19, 2007
    risk 0.00 · cvss · epss 0.02

    Multiple SQL injection vulnerabilities in Xoops 2.0.16 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in kernel/group.php in core, (2) the lid parameter in class/table_broken.php in the Weblinks module, and other unspecified vectors.

  • CVE-2006-5532 · Oct 26, 2006
    risk 0.00 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in rmgs/images.php in RMSOFT Gallery System 2.0 allows remote attackers to inject arbitrary web script or HTML via the kw parameter. NOTE: some of these details are obtained from third party information.

  • CVE-2006-4417 · Aug 28, 2006
    risk 0.00 · cvss · epss 0.02

    SQL injection vulnerability in edituser.php in Xoops before 2.0.15 allows remote attackers to execute arbitrary SQL commands via the user_avatar parameter.

  • CVE-2005-3680 · Nov 18, 2005
    risk 0.00 · cvss · epss 0.02

    Directory traversal vulnerability in editor_registry.php in XOOPS 2.2.3 allows remote attackers to read or include arbitrary local files via a .. (dot dot) in the xoopsConfig[language] parameter.