Fuel Cms

fuel_cms

CVEs (40)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-30459 1Thedaylightstudio 1Fuel Cms Apr 23, 2026 Apr 16, 2026 N/A· v4 7.1 HIGH· v3 N/A· v2 An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message.
CVE-2026-30461 1Thedaylightstudio 1Fuel Cms Apr 20, 2026 Apr 15, 2026 N/A· v4 8.3 HIGH· v3 N/A· v2 Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.
CVE-2026-30460 1Thedaylightstudio 1Fuel Cms Apr 9, 2026 Apr 7, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module.
CVE-2026-30463 1Thedaylightstudio 1Fuel Cms Mar 30, 2026 Mar 26, 2026 N/A· v4 7.7 HIGH· v3 N/A· v2 Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component.
CVE-2026-30458 1Thedaylightstudio 1Fuel Cms Mar 30, 2026 Mar 26, 2026 N/A· v4 9.1 CRITICAL· v3 N/A· v2 An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset tokens via a mail splitting attack.
CVE-2026-30457 1Thedaylightstudio 2Dwoo Fuel Cms Mar 30, 2026 Mar 26, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code.
CVE-2024-57605 1Thedaylightstudio 1Fuel Cms Jul 9, 2025 Feb 12, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Cross Site Scripting vulnerability in Daylight Studio Fuel CMS v.1.5.2 allows an attacker to escalate privileges via the /fuel/blocks/ and /fuel/pages components.
CVE-2024-25369 1Thedaylightstudio 1Fuel Cms Apr 3, 2025 Feb 22, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 A reflected Cross-Site Scripting (XSS) vulnerability in FUEL CMS 1.5.2allows attackers to run arbitrary code via crafted string after the group_id parameter.
CVE-2020-24950 1Thedaylightstudio 1Fuel Cms Nov 21, 2024 Aug 11, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 SQL Injection vulnerability in file Base_module_model.php in Daylight Studio FUEL-CMS version 1.4.9, allows remote attackers to execute arbitrary code via the col parameter to function list_items.
CVE-2020-22153 1Thedaylightstudio 1Fuel Cms Nov 21, 2024 Jul 3, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 File Upload vulnerability in FUEL-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted .php file to the upload parameter in the navigation function.
CVE-2020-22152 1Thedaylightstudio 1Fuel Cms Nov 21, 2024 Jul 3, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Cross Site Scripting vulnerability in daylight studio FUEL- CMS v.1.4.6 allows a remote attacker to execute arbitrary code via the page title, meta description and meta keywords of the pages function.
CVE-2020-22151 1Thedaylightstudio 1Fuel Cms Nov 25, 2024 Jul 3, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Permissions vulnerability in Fuel-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted zip file to the assests parameter of the upload function.
CVE-2023-33557 1Thedaylightstudio 1Fuel Cms Jan 6, 2025 Jun 9, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Fuel CMS v1.5.2 was discovered to contain a SQL injection vulnerability via the id parameter at /controllers/Blocks.php.
CVE-2021-36570 1Thedaylightstudio 1Fuel Cms Mar 26, 2025 Feb 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /permissions/delete/2---.
CVE-2021-36569 1Thedaylightstudio 1Fuel Cms Mar 26, 2025 Feb 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /users/delete/2.
CVE-2021-44117 1Thedaylightstudio 1Fuel Cms Nov 21, 2024 Jun 10, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0 via a POST call to /fuel/sitevariables/delete/4.
CVE-2022-28599 1Thedaylightstudio 1Fuel Cms Nov 21, 2024 May 3, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by...Show more A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.Show less
CVE-2022-27156 1Thedaylightstudio 1Fuel Cms Nov 21, 2024 Apr 11, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Daylight Studio Fuel CMS 1.5.1 is vulnerable to HTML Injection.
CVE-2021-44607 1Thedaylightstudio 1Fuel Cms Nov 21, 2024 Feb 24, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A Cross Site Scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 in the Assets page via an SVG file.
CVE-2021-38727 1Thedaylightstudio 1Fuel Cms Nov 21, 2024 Sep 9, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/logs/items

12 Next