Fork Cms

fork-cms

25 CVEs • 1 product

Products (1)

Click to collapse

Toggle

Fork Cms

fork_cms

25 CVEs

CVEs (25)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-35590 1Fork Cms 1Fork Cms Jun 17, 2026 Aug 12, 2022 N/A· v4 4.8 MEDIUM· v3 N/A· v2 A cross-site scripting (XSS) issue in the ForkCMS version 5.9.3 allows remote attackers to inject JavaScript via the "end_date" Parameter
CVE-2022-35589 1Fork Cms 1Fork Cms Jun 17, 2026 Aug 12, 2022 N/A· v4 4.8 MEDIUM· v3 N/A· v2 A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publish_on_time" Parameter.
CVE-2022-35587 1Fork Cms 1Fork Cms Jun 17, 2026 Aug 12, 2022 N/A· v4 4.8 MEDIUM· v3 N/A· v2 A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publish_on_date" Parameter
CVE-2022-35585 1Fork Cms 1Fork Cms Jun 17, 2026 Aug 12, 2022 N/A· v4 4.8 MEDIUM· v3 N/A· v2 A stored cross-site scripting (XSS) issue in the ForkCMS version 5.9.3 allows remote attackers to inject JavaScript via the "start_date" Parameter
CVE-2022-1064 1Fork Cms 1Fork Cms Jun 17, 2026 Mar 25, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 SQL injection through marking blog comments on bulk as spam in GitHub repository forkcms/forkcms prior to 5.11.1.
CVE-2022-0153 1Fork Cms 1Fork Cms Jun 17, 2026 Mar 24, 2022 N/A· v4 7.5 HIGH· v3 4.3 MEDIUM· v2 SQL Injection in GitHub repository forkcms/forkcms prior to 5.11.1.
CVE-2022-0145 1Fork Cms 1Fork Cms Jun 17, 2026 Mar 24, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross-site Scripting (XSS) - Stored in GitHub repository forkcms/forkcms prior to 5.11.1.
CVE-2020-23049 1Fork Cms 1Fork Cms Jun 17, 2026 Oct 22, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Fork CMS Content Management System v5.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the `Displayname` field when using the `Add`, `Edit` or `Register' functions. This vulnerability allows at...Show more Fork CMS Content Management System v5.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the `Displayname` field when using the `Add`, `Edit` or `Register' functions. This vulnerability allows attackers to execute arbitrary web scripts or HTML.Show less
CVE-2021-28931 1Fork Cms 1Fork Cms Jun 17, 2026 Jul 7, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Arbitrary file upload vulnerability in Fork CMS 5.9.2 allows attackers to create or replace arbitrary files in the /themes directory via a crafted zip file uploaded to the Themes panel.
CVE-2020-23264 1Fork Cms 1Fork Cms Jun 17, 2026 May 6, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) in Fork-CMS before 5.8.2 allow remote attackers to hijack the authentication of logged administrators.
CVE-2020-23263 1Fork Cms 1Fork Cms Jun 17, 2026 May 6, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Persistent Cross-site scripting vulnerability on Fork CMS version 5.8.2 allows remote attackers to inject arbitrary Javascript code via the "navigation_title" parameter and the "title" parameter in /private/en/pages/add.
CVE-2020-24036 1Fork Cms 1Fork Cms Jun 17, 2026 Mar 4, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code.
CVE-2020-23960 1Fork Cms 1Fork Cms Jun 17, 2026 Jan 11, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Fork before 5.8.3 allows remote attackers to perform unauthorized actions as administrator to (1) approve the mass of the user's comments...Show more Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Fork before 5.8.3 allows remote attackers to perform unauthorized actions as administrator to (1) approve the mass of the user's comments, (2) restoring a deleted user, (3) installing or running modules, (4) resetting the analytics, (5) pinging the mailmotor api, (6) uploading things to the media library, (7) exporting locale.Show less
CVE-2020-13633 1Fork Cms 1Fork Cms Jun 17, 2026 May 27, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Fork before 5.8.3 allows XSS via navigation_title or title.
CVE-2014-9470 1Fork Cms 1Fork Cms Nov 21, 2024 Feb 8, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the loadForm function in Frontend/Modules/Search/Actions/Index.php in Fork CMS before 3.8.4 allows remote attackers to inject arbitrary web script or HTML via the q_widget para...Show more Cross-site scripting (XSS) vulnerability in the loadForm function in Frontend/Modules/Search/Actions/Index.php in Fork CMS before 3.8.4 allows remote attackers to inject arbitrary web script or HTML via the q_widget parameter to en/search.Show less
CVE-2019-15521 2Fork Cms Spoon Library 2Fork Cms Spoon Library Jun 17, 2026 Aug 26, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and other products, allows PHP object injection via a cookie containing an object.
CVE-2018-20682 1Fork Cms 1Fork Cms Nov 21, 2024 Jan 9, 2019 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Fork CMS 5.0.6 allows stored XSS via the private/en/settings facebook_admin_ids parameter (aka "Admin ids" input in the Facebook section).
CVE-2018-17595 1Fork Cms 1Fork Cms Nov 21, 2024 Oct 2, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 In the 5.4.0 version of the Fork CMS software, HTML Injection and Stored XSS vulnerabilities were discovered via the /backend/ajax URI.
CVE-2018-5215 1Fork Cms 1Fork Cms Nov 21, 2024 Jan 4, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Fork CMS 5.0.7 has XSS in /private/en/pages/edit via the title parameter.
CVE-2015-1467 1Fork Cms 1Fork Cms May 6, 2026 Feb 6, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple SQL injection vulnerabilities in Translations in Fork CMS before 3.8.6 allow remote authenticated users to execute arbitrary SQL commands via the (1) language[] or (2) type[] parameter to private/en/locale/index...Show more Multiple SQL injection vulnerabilities in Translations in Fork CMS before 3.8.6 allow remote authenticated users to execute arbitrary SQL commands via the (1) language[] or (2) type[] parameter to private/en/locale/index.Show less

12 Next