Skip to main content

Leptoncms

7 CVEs product

Monthly

CVE-2025-56704 HIGH POC This Week

Arbitrary code execution in LeptonCMS 7.3.0 lets an authenticated attacker upload a crafted ZIP or PHP file that bypasses the application's missing file-type validation and runs as server-side PHP. Publicly available exploit code (three PoC write-ups) exists, though the flaw is not listed in CISA KEV and EPSS is low (0.66%, 47th percentile), indicating no evidence of widespread active exploitation yet. Exploitation requires a valid low-privilege account (PR:L), placing this in the post-authentication RCE category.

PHP RCE File Upload Leptoncms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-29514 HIGH POC This Week

File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Leptoncms
NVD GitHub
CVSS 3.1
8.8
EPSS
1.3%
CVE-2024-29515 HIGH POC This Week

File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file to the save.php and config.php component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Leptoncms
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2024-24520 HIGH POC This Week

An issue in Lepton CMS v.7.0.0 allows a local attacker to execute arbitrary code via the upgrade.php file in the languages place. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE PHP Leptoncms
NVD GitHub Exploit-DB VulDB
CVSS 3.1
7.8
EPSS
0.4%
CVE-2024-24399 HIGH POC THREAT This Week

An arbitrary file upload vulnerability in LEPTON v7.0.0 allows authenticated attackers to execute arbitrary PHP code by uploading this code to the backend/languages/index.php languages area. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Leptoncms
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
15.6%
CVE-2020-29240 MEDIUM POC This Month

Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Leptoncms
NVD Exploit-DB
CVSS 3.1
4.8
EPSS
1.7%
CVE-2020-12705 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities exist in LeptonCMS before 4.6.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Leptoncms
NVD
CVSS 3.1
6.1
EPSS
0.6%
EPSS 1% CVSS 8.8
HIGH POC This Week

Arbitrary code execution in LeptonCMS 7.3.0 lets an authenticated attacker upload a crafted ZIP or PHP file that bypasses the application's missing file-type validation and runs as server-side PHP. Publicly available exploit code (three PoC write-ups) exists, though the flaw is not listed in CISA KEV and EPSS is low (0.66%, 47th percentile), indicating no evidence of widespread active exploitation yet. Exploitation requires a valid low-privilege account (PR:L), placing this in the post-authentication RCE category.

PHP RCE File Upload +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file to the save.php and config.php component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC This Week

An issue in Lepton CMS v.7.0.0 allows a local attacker to execute arbitrary code via the upgrade.php file in the languages place. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE PHP +1
NVD GitHub Exploit-DB VulDB
EPSS 16% CVSS 7.2
HIGH POC THREAT This Week

An arbitrary file upload vulnerability in LEPTON v7.0.0 allows authenticated attackers to execute arbitrary PHP code by uploading this code to the backend/languages/index.php languages area. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Leptoncms
NVD GitHub Exploit-DB
EPSS 2% CVSS 4.8
MEDIUM POC This Month

Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Leptoncms
NVD Exploit-DB
EPSS 1% CVSS 6.1
MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities exist in LeptonCMS before 4.6.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Leptoncms
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy