Expressionengine

expressionengine

CVEs (14)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-59473 1Expressionengine 1Expressionengine Feb 13, 2026 Jan 26, 2026 N/A· v4 7.2 HIGH· v3 N/A· v2 SQL Injection vulnerability in the Structure for Admin authenticated user
CVE-2024-38454 1Expressionengine 1Expressionengine Mar 17, 2025 Jun 16, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 ExpressionEngine before 7.4.11 allows XSS.
CVE-2023-22953 1Expressionengine 1Expressionengine Nov 21, 2024 Feb 9, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 In ExpressionEngine before 7.2.6, remote code execution can be achieved by an authenticated Control Panel user.
CVE-2020-8242 1Expressionengine 1Expressionengine Nov 21, 2024 Feb 18, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Unsanitized user input in ExpressionEngine <= 5.4.0 control panel member creation leads to an SQL injection. The user needs member creation/admin control panel access to execute the attack.
CVE-2021-33199 1Expressionengine 1Expressionengine Nov 21, 2024 Aug 12, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In Expression Engine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg.
CVE-2021-27230 1Expressionengine 1Expressionengine Nov 21, 2024 Mar 15, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory.
CVE-2020-13443 1Expressionengine 1Expressionengine Nov 21, 2024 Jun 24, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions. A user with low privileges (member) is able to uplo...Show more ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions. A user with low privileges (member) is able to upload this. It is possible to bypass the MIME type check and file-extension check while uploading new files. Short aliases are not used for an attachment; instead, direct access is allowed to the uploaded files. It is possible to upload PHP only if one has member access, or registration/forum is enabled and one can create a member with the default group id of 5. To exploit this, one must to be able to send and compose messages (at least).Show less
CVE-2018-17874 1Expressionengine 1Expressionengine Nov 21, 2024 Oct 1, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 ExpressionEngine before 4.3.5 has reflected XSS.
CVE-2017-1000160 1Expressionengine 1Expressionengine May 13, 2026 Nov 17, 2017 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting resulting in PHP code injection
CVE-2017-0897 1Expressionengine 1Expressionengine May 13, 2026 Jun 22, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution.
CVE-2014-5387 2Ellislab Expressionengine 2Expressionengine Expressionengine May 6, 2026 Nov 4, 2014 N/A· v4 N/A· v3 6.5 MEDIUM· v2 Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine before 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[] parameter to system/index.ph...Show more Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine before 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[] parameter to system/index.php or the (3) tbl_sort[0][] parameter in the comment module to system/index.php.Show less
CVE-2009-1070 1Expressionengine 1Expressionengine Apr 23, 2026 Mar 26, 2009 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in system/index.php in ExpressionEngine 1.6.4 through 1.6.6, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the avatar parameter...Show more Cross-site scripting (XSS) vulnerability in system/index.php in ExpressionEngine 1.6.4 through 1.6.6, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the avatar parameter.Show less
CVE-2008-0202 1Expressionengine 1Expressionengine Apr 23, 2026 Jan 10, 2008 N/A· v4 N/A· v3 4.3 MEDIUM· v2 CRLF injection vulnerability in index.php in ExpressionEngine 1.2.1 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the URL parameter.
CVE-2008-0201 1Expressionengine 1Expressionengine Apr 23, 2026 Jan 10, 2008 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in index.php in ExpressionEngine 1.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the URL parameter.