← Back

Rpcms

rpcms

Vendor: Rpcms • 7 CVEs

CVEs (7)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2023-50565
1Rpcms
1Rpcms
Jun 17, 2026
Dec 14, 2023
N/A· v4
5.4 MEDIUM· v3
N/A· v2
A cross-site scripting (XSS) vulnerability in the component /logs/dopost.html in RPCMS v3.5.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2022-41475
1Rpcms
1Rpcms
Jun 17, 2026
Oct 13, 2022
N/A· v4
8.8 HIGH· v3
N/A· v2
RPCMS v3.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add an administrator account.
CVE-2022-41474
1Rpcms
1Rpcms
Jun 17, 2026
Oct 13, 2022
N/A· v4
6.5 MEDIUM· v3
N/A· v2
RPCMS v3.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily change the password of any account.
CVE-2022-41473
1Rpcms
1Rpcms
Jun 17, 2026
Oct 13, 2022
N/A· v4
6.1 MEDIUM· v3
N/A· v2
RPCMS v3.0.2 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the Search function.
CVE-2021-37394
1Rpcms
1Rpcms
Jun 17, 2026
Jul 26, 2021
N/A· v4
8.8 HIGH· v3
6.0 MEDIUM· v2
In RPCMS v1.8 and below, attackers can interact with API and change variable "role" to "admin" to achieve admin user registration.
CVE-2021-37393
1Rpcms
1Rpcms
Jun 17, 2026
Jul 26, 2021
N/A· v4
5.4 MEDIUM· v3
3.5 LOW· v2
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. Attacker can use "update password" function to inject XSS payloads into nickname variable, and achieve stored XSS...Show more
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. Attacker can use "update password" function to inject XSS payloads into nickname variable, and achieve stored XSS. Users who view the articles published by the injected user will trigger the XSS.Show less
CVE-2021-37392
1Rpcms
1Rpcms
Jun 17, 2026
Jul 26, 2021
N/A· v4
5.4 MEDIUM· v3
3.5 LOW· v2
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. When the API functions are enabled, the attacker can use API to update user nickname with XSS payload and achieve...Show more
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. When the API functions are enabled, the attacker can use API to update user nickname with XSS payload and achieve stored XSS. Users who view the articles published by the injected user will trigger the XSS.Show less