Skip to main content

Expressionengine

10 CVEs product

Monthly

CVE-2025-59473 HIGH This Week

SQL Injection vulnerability in the Structure for Admin authenticated user [CVSS 7.2 HIGH]

SQLi Expressionengine
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2024-38454 MEDIUM PATCH This Month

ExpressionEngine before 7.4.11 allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Expressionengine
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2023-22953 HIGH This Week

In ExpressionEngine before 7.2.6, remote code execution can be achieved by an authenticated Control Panel user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Expressionengine
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2021-33199 CRITICAL PATCH Act Now

In Expression Engine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP Information Disclosure Expressionengine
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2021-27230 HIGH POC This Week

ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection Expressionengine
NVD
CVSS 3.1
8.8
EPSS
2.8%
CVE-2020-13443 HIGH POC This Week

ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE PHP Expressionengine
NVD GitHub
CVSS 3.1
8.8
EPSS
4.3%
CVE-2018-17874 MEDIUM This Month

ExpressionEngine before 4.3.5 has reflected XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Expressionengine
NVD
CVSS 3.0
6.1
EPSS
0.6%
CVE-2017-1000160 MEDIUM This Month

EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting resulting in PHP code injection. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP Expressionengine
NVD
CVSS 3.0
5.4
EPSS
0.3%
CVE-2017-0897 HIGH This Week

ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Expressionengine
NVD
CVSS 3.0
7.5
EPSS
0.7%
CVE-2014-5387 MEDIUM POC This Month

Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine before 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[]. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Expressionengine
NVD
CVSS 2.0
6.5
EPSS
0.5%
EPSS 0% CVSS 7.2
HIGH This Week

SQL Injection vulnerability in the Structure for Admin authenticated user [CVSS 7.2 HIGH]

SQLi Expressionengine
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

ExpressionEngine before 7.4.11 allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Expressionengine
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

In ExpressionEngine before 7.2.6, remote code execution can be achieved by an authenticated Control Panel user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Expressionengine
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In Expression Engine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP Information Disclosure Expressionengine
NVD GitHub
EPSS 3% CVSS 8.8
HIGH POC This Week

ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection +1
NVD
EPSS 4% CVSS 8.8
HIGH POC This Week

ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE PHP +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM This Month

ExpressionEngine before 4.3.5 has reflected XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Expressionengine
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting resulting in PHP code injection. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP Expressionengine
NVD
EPSS 1% CVSS 7.5
HIGH This Week

ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Expressionengine
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine before 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[]. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Expressionengine
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy