
CMS — Vulnerabilities & Security Advisories (227)

All 227 CVE vulnerabilities found in CMS, with AI-generated Chinese analysis, references, and POCs.

This page aggregates the CVE records filed against products in the CMS category, each tagged with its CWE weakness class, CVSS score, severity rating and publication date. The data comes from multiple vendors and open-source projects and, per the site, spans from the early 2000s to the present, so the listing can be used in three ways: to follow a specific vendor's advisories and patches; to see how often a given weakness class recurs across CMS implementations and how severe it tends to be (in the recent entries below, CWE-79 cross-site scripting, CWE-862 missing authorization and CWE-918 SSRF dominate); and to review a product's vulnerability history when assessing its long-term security posture. Two caveats apply before using the numbers for risk decisions: some rows carry no CVSS score or severity at all, and values tagged "AI" are flagged by the site as AI-generated, so both kinds of record need manual triage rather than being dropped from, or ranked at face value in, a prioritisation list. The entries shown below are the most recent, newest first.


| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-11511 | Bolt CMS HTML Attribute TextType.php HTML injection | CWE-80 | 3.5 | Low | 2026-06-08 |
| CVE-2026-45660 | Statamic: Server-Side Request Forgery via Glide | CWE-918 | 5.4 | Medium | 2026-05-29 |
| CVE-2026-44306 | Statamic: Email enumeration via forgot password endpoint | CWE-204 | 5.3 | Medium | 2026-05-12 |
| CVE-2026-44011 | Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior | CWE-479 | - | - | 2026-05-12 |
| CVE-2026-44012 | Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure | CWE-862 | - | - | 2026-05-12 |
| CVE-2026-44010 | Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure | CWE-862 | - | - | 2026-05-12 |
| CVE-2026-7508 | Bootstrap CMS Page Creation show.blade.php code injection | CWE-94 | 6.3 | Medium | 2026-04-30 |
| CVE-2026-7317 | Grav CMS Cache Value FileCache.php doGet deserialization | CWE-502 | 5.0 | Medium | 2026-04-28 |
| CVE-2026-7016 | MaxSite CMS ushki Plugin cross site scripting | CWE-79 | 2.4 | Low | 2026-04-26 |
| CVE-2026-7015 | MaxSite CMS Guestbook Plugin cross site scripting | CWE-79 | 2.4 | Low | 2026-04-26 |
| CVE-2026-7014 | MaxSite CMS down_count Plugin cross site scripting | CWE-79 | 2.4 | Low | 2026-04-26 |
| CVE-2026-7013 | MaxSite CMS mail_send Plugin cross site scripting | CWE-79 | 2.4 | Low | 2026-04-26 |
| CVE-2026-7012 | MaxSite CMS Redirect Plugin cross site scripting | CWE-79 | 2.4 | Low | 2026-04-26 |
| CVE-2026-7011 | MaxSite CMS Antispam Plugin plugin_antispam cross site scripting | CWE-79 | 2.4 | Low | 2026-04-26 |
| CVE-2026-41175 | Statamic: Unsafe method invocation via query value resolution allows data destruction | CWE-470 | 8.1 | High | 2026-04-22 |
| CVE-2026-41130 | Craft CMS has a host header injection leading to SSRF via resource-js endpoint | CWE-918 | 10.0 (AI) | Critical (AI) | 2026-04-21 |
| CVE-2026-41129 | Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations | CWE-918 | 8.3 (AI) | High (AI) | 2026-04-21 |
| CVE-2026-41128 | Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action | CWE-862 | 4.3 (AI) | Medium (AI) | 2026-04-21 |
| CVE-2026-6652 | Pagekit CMS StringStorage Template PhpEngine.php evaluate eval injection | CWE-95 | 4.7 | Medium | 2026-04-20 |
| CVE-2026-6649 | Qibo CMS headers server-side request forgery | CWE-918 | 6.3 | Medium | 2026-04-20 |
| CVE-2026-6648 | Qibo CMS Internal Message cross site scripting | CWE-79 | 3.5 | Low | 2026-04-20 |
| CVE-2026-6633 | Yifang CMS Extended Management L_rbac_admin.php store cross site scripting | CWE-79 | 3.5 | Low | 2026-04-20 |
| CVE-2026-33887 | Statamic allows unauthorized content access through missing authorization in its revision controllers | CWE-862 | 5.4 | Medium | 2026-03-27 |
| CVE-2026-33886 | Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields | CWE-200 | 6.5 | Medium | 2026-03-27 |
| CVE-2026-33885 | Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential | CWE-601 | 6.1 | Medium | 2026-03-27 |
| CVE-2026-33884 | Statamic's live preview token bypasses content protection for unrelated entries | CWE-863 | 4.3 | Medium | 2026-03-27 |
| CVE-2026-33883 | Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag | CWE-79 | 6.1 | Medium | 2026-03-27 |
| CVE-2026-33882 | Statamic's Markdown preview endpoint exposes sensitive user data | CWE-20 | 6.5 | Medium | 2026-03-27 |
| CVE-2026-33162 | Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions | CWE-285 | 4.3 | - | 2026-03-24 |
| CVE-2026-33161 | Craft CMS: Anonymous "assets/image-editor" calls returns private asset editor metadata to unauthorized users | CWE-200 | 5.4 | - | 2026-03-24 |

"(AI)" marks a score or severity the site labels as AI-generated; "-" means the field was not recorded for that entry.
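The description above says the listing is meant for tracking a vendor's advisories and for measuring how often a weakness class recurs and how severe it is. The following Python is an added example, not code from this site or from any of the listed projects: it parses a few rows copied in the flattened one-line shape the extracted listing uses, derives a missing severity from the CVSS v3.x qualitative bands where a score exists, flags rows whose score is absent or carries the site's "AI" tag (assumed here to mean a generated rather than vendor-assigned value) for manual triage, and summarises the rest by CWE and by product. The product-name heuristic, the row regex and the sample rows are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: six rows copied in the flattened
# "<CVE> <title> <CWE><score><severity><date>" shape the extracted listing uses.
# A trailing "AI" on a score or severity is the site's own tag (assumed to mean
# a generated value); "-" means the field was not recorded.
RAW_ROWS = """\
CVE-2026-41130 Craft CMS has a host header injection leading to SSRF via resource-js endpoint CWE-918 10.0AICriticalAI2026-04-21
CVE-2026-44011 Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior CWE-479--2026-05-12
CVE-2026-33162 Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions CWE-285 4.3 -2026-03-24
CVE-2026-41175 Statamic: Unsafe method invocation via query value resolution allows data destruction CWE-470 8.1 High2026-04-22
CVE-2026-7317 Grav CMS Cache Value FileCache.php doGet deserialization CWE-502 5.0 Medium2026-04-28
CVE-2026-7011 MaxSite CMS Antispam Plugin plugin_antispam cross site scripting CWE-79 2.4 Low2026-04-26
"""

# Assumed row grammar: the CWE tag separates the free-text title from the
# fixed-width tail (score, optional AI tag, severity, optional AI tag, ISO date).
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<title>.+?)\s+"
    r"(?P<cwe>CWE-\d+)\s*"
    r"(?P<score>\d{1,2}\.\d|-)(?P<score_ai>AI)?\s*"
    r"(?P<sev>Critical|High|Medium|Low|-)(?P<sev_ai>AI)?"
    r"(?P<date>\d{4}-\d{2}-\d{2})$"
)


@dataclass
class Advisory:
    cve: str
    product: str
    title: str
    cwe: str
    score: Optional[float]
    severity: Optional[str]
    estimated: bool  # True when the site tagged the score or severity "AI"
    published: str


def severity_from_score(score: Optional[float]) -> Optional[str]:
    """CVSS v3.x qualitative bands: 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical."""
    if score is None:
        return None
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def product_of(title: str) -> str:
    """Heuristic (assumed): up to two words ending in 'CMS', else the first word minus ':' or 's."""
    m = re.match(r"^((?:\S+\s+){0,2}CMS)\b", title)
    if m:
        return m.group(1)
    return re.split(r"[:'\s]", title, maxsplit=1)[0]


def parse_rows(text: str) -> list:
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        score = None if m["score"] == "-" else float(m["score"])
        sev = None if m["sev"] == "-" else m["sev"]
        if sev is None:  # fill the band only when a score exists; never invent one
            sev = severity_from_score(score)
        out.append(Advisory(m["cve"], product_of(m["title"]), m["title"], m["cwe"],
                            score, sev, bool(m["score_ai"] or m["sev_ai"]), m["date"]))
    return out


def summarize(advs: list) -> dict:
    """Counts per CWE, worst recorded score per product, and rows that need a human look."""
    by_cwe = Counter(a.cwe for a in advs)
    by_product = defaultdict(list)
    for a in advs:
        by_product[a.product].append(a)
    worst = {p: max((a.score for a in lst if a.score is not None), default=None)
             for p, lst in by_product.items()}
    # Missing or AI-tagged scores must not drive SLAs unchecked; surface them instead.
    needs_triage = [a.cve for a in advs if a.score is None or a.estimated]
    return {"by_cwe": by_cwe, "worst_score": worst, "needs_triage": needs_triage}


if __name__ == "__main__":
    s = summarize(parse_rows(RAW_ROWS))
    for k, v in s.items():
        print(k, dict(v) if isinstance(v, dict) else v)
```

Pointing the parser at a full export of the listing (rather than the six constructed rows) gives the per-CWE frequency the page description promises, while the triage list keeps the unscored and AI-tagged records visible instead of silently sorting them to the bottom.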
