Skip to main content

Doracms

8 CVEs product

Monthly

CVE-2026-3795 LOW POC Monitor

DoraCMS 3.0.x contains a path traversal vulnerability in the createFileBypath function that allows authenticated attackers to read, write, or delete arbitrary files on the server. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.

Path Traversal Doracms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-3794 MEDIUM POC This Month

DoraCMS 3.0.x Email API endpoint /api/v1/mail/send contains an authentication bypass vulnerability that allows unauthenticated remote attackers to send emails and potentially access sensitive functionality. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. The flaw carries a CVSS score of 7.3 with moderate confidentiality, integrity, and availability impact.

Authentication Bypass Doracms
NVD VulDB
CVSS 4.0
5.5
EPSS
0.2%
CVE-2024-28715 HIGH This Week

Cross Site Scripting vulnerability in DOraCMS v.2.18 and before allows a remote attacker to execute arbitrary code via the markdown0 function in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS Doracms
NVD GitHub
CVSS 3.1
8.8
EPSS
1.1%
CVE-2023-49444 MEDIUM POC This Month

An arbitrary file upload vulnerability in DoraCMS v2.1.8 allow attackers to execute arbitrary code via uploading a crafted HTML or image file to the user avatar. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload XSS Doracms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-49443 CRITICAL POC Act Now

DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Doracms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-35147 CRITICAL POC Act Now

DoraCMS v2.18 and earlier allows attackers to bypass login authentication via a crafted HTTP request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Doracms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-25464 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/contenttemp of DoraCMS v2.1.8 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Doracms
NVD GitHub
CVSS 3.1
4.8
EPSS
0.4%
CVE-2018-16622 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in /api/content/addOne in DoraCMS v2.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) discription or (2) comments. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Doracms
NVD GitHub
CVSS 3.0
5.4
EPSS
0.8%
EPSS 0% CVSS 2.1
LOW POC Monitor

DoraCMS 3.0.x contains a path traversal vulnerability in the createFileBypath function that allows authenticated attackers to read, write, or delete arbitrary files on the server. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.

Path Traversal Doracms
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

DoraCMS 3.0.x Email API endpoint /api/v1/mail/send contains an authentication bypass vulnerability that allows unauthenticated remote attackers to send emails and potentially access sensitive functionality. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. The flaw carries a CVSS score of 7.3 with moderate confidentiality, integrity, and availability impact.

Authentication Bypass Doracms
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Cross Site Scripting vulnerability in DOraCMS v.2.18 and before allows a remote attacker to execute arbitrary code via the markdown0 function in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS Doracms
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

An arbitrary file upload vulnerability in DoraCMS v2.1.8 allow attackers to execute arbitrary code via uploading a crafted HTML or image file to the user avatar. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload XSS +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Doracms
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

DoraCMS v2.18 and earlier allows attackers to bypass login authentication via a crafted HTTP request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Doracms
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/contenttemp of DoraCMS v2.1.8 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Doracms
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in /api/content/addOne in DoraCMS v2.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) discription or (2) comments. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Doracms
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy