Lepton Cms

lepton-cms

13 CVEs • 3 products

Products (3)

Click to collapse

Toggle

CVEs (13)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-56704 1Lepton Cms 1Leptoncms Dec 11, 2025 Dec 9, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specia...Show more LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code.Show less
CVE-2024-29514 1Lepton Cms 1Leptoncms May 1, 2025 Apr 2, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2024-29515 1Lepton Cms 1Leptoncms May 1, 2025 Mar 25, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file to the save.php and config.php component.
CVE-2024-24520 1Lepton Cms 1Leptoncms May 1, 2025 Mar 21, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 An issue in Lepton CMS v.7.0.0 allows a local attacker to execute arbitrary code via the upgrade.php file in the languages place.
CVE-2024-24399 1Lepton Cms 1Leptoncms Jun 5, 2025 Jan 25, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 An arbitrary file upload vulnerability in LEPTON v7.0.0 allows authenticated attackers to execute arbitrary PHP code by uploading this code to the backend/languages/index.php languages area.
CVE-2020-24872 1Lepton Cms 1Leptoncms Nov 21, 2024 Aug 11, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross Site Scripting (XSS) vulnerability in backend/pages/modify.php in Lepton-CMS version 4.7.0, allows remote attackers to execute arbitrary code.
CVE-2020-29240 1Lepton Cms 1Leptoncms Nov 21, 2024 Dec 2, 2020 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). An attacker can inject the XSS payload in the URL field of the admin page and each time an admin visits the Menu-Pages-Pages Overview section, the XSS will be t...Show more Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). An attacker can inject the XSS payload in the URL field of the admin page and each time an admin visits the Menu-Pages-Pages Overview section, the XSS will be triggered.Show less
CVE-2020-12707 1Lepton Cms 1Lepton Cms Nov 21, 2024 May 7, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4.5.0. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT elements. A malicious actor can use HTML eve...Show more An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4.5.0. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT elements. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT elements.Show less
CVE-2020-12705 1Lepton Cms 1Leptoncms Nov 21, 2024 May 7, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities exist in LeptonCMS before 4.6.0.
CVE-2012-1000 1Lepton Cms 1Lepton Apr 29, 2026 Feb 24, 2012 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in LEPTON 1.1.3 and other versions before 1.1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) message parameter to admins/login/forgot/index...Show more Multiple cross-site scripting (XSS) vulnerabilities in LEPTON 1.1.3 and other versions before 1.1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) message parameter to admins/login/forgot/index.php, or the (2) display_name or (3) email parameter to account/preferences.php.Show less
CVE-2012-0999 1Lepton Cms 1Lepton Apr 29, 2026 Feb 24, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in modules/news/rss.php in LEPTON before 1.1.4 allows remote attackers to execute arbitrary SQL commands via the group_id parameter.
CVE-2012-0998 1Lepton Cms 1Lepton Apr 29, 2026 Feb 24, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 Directory traversal vulnerability in account/preferences.php in LEPTON before 1.1.4 allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the language parameter.
CVE-2011-3385 2Lepton Cms Websitebaker2 2Lepton Websitebaker Apr 29, 2026 Sep 2, 2011 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in WebsiteBaker before 2.8, as used in LEPTON and possibly other products, allows remote attackers to inject arbitrary web script or HTML via unknown vectors, a different vulnerab...Show more Cross-site scripting (XSS) vulnerability in WebsiteBaker before 2.8, as used in LEPTON and possibly other products, allows remote attackers to inject arbitrary web script or HTML via unknown vectors, a different vulnerability than CVE-2006-2307.Show less