Skip to main content

Timeline

5 CVEs product

Monthly

CVE-2026-8857 NONE PATCH Awaiting Data

Code injection in the Wikimedia Foundation Timeline extension (EasyTimeline) allows authenticated wiki editors to execute arbitrary server-side code via crafted timeline syntax processed by the Perl-based EasyTimeline.Pl script and its PHP integration layer Timeline.Php. The vulnerability stems from CWE-94 improper code generation control, where user-supplied timeline markup is passed to the backend Perl interpreter without sufficient sanitization, enabling remote code execution on the MediaWiki server. No public exploit code has been identified at time of analysis, but the RCE tag and network-accessible attack vector make this a high-priority patching target for any publicly editable or semi-public MediaWiki instance.

Code Injection PHP RCE Timeline
NVD VulDB
EPSS
0.3%
CVE-2026-58038 NONE PATCH Awaiting Data

Stored cross-site scripting in the Wikimedia Foundation Timeline extension exposes MediaWiki installations to session hijacking and credential theft. The flaw exists in Timeline.php and EasyTimeline.pl, where user-supplied timeline markup syntax is not properly neutralized before HTML output, allowing an authenticated wiki editor to inject arbitrary JavaScript executed in other users' browsers. No public exploit has been identified at time of analysis, and KEV listing is absent, but the network-accessible nature and low-privilege entry point make this a credible risk on publicly editable wikis.

XSS PHP Timeline
NVD VulDB
EPSS
0.2%
CVE-2014-2042 HIGH This Week

Unrestricted file upload vulnerability in the Manage Project functionality in Livetecs Timelive before 6.5.1 allows remote authenticated users to execute arbitrary code by uploading a file with an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Timeline
NVD VulDB
CVSS 2.0
7.5
EPSS
1.5%
CVE-2014-1217 HIGH This Week

Livetecs Timelive before 6.2.8 does not properly restrict access to systemsetting.aspx, which allows remote attackers to change configurations and obtain the database connection string and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Timeline
NVD VulDB
CVSS 2.0
7.5
EPSS
0.6%
CVE-2013-4898 MEDIUM POC This Month

Unrestricted file upload vulnerability in the user profile page feature in the Timeline Plugin 4.2.5p9 for SocialEngine allows remote authenticated users to execute arbitrary code by uploading a file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE Timeline
NVD Exploit-DB
CVSS 2.0
6.5
EPSS
8.8%
EPSS 0%
NONE PATCH Awaiting Data

Code injection in the Wikimedia Foundation Timeline extension (EasyTimeline) allows authenticated wiki editors to execute arbitrary server-side code via crafted timeline syntax processed by the Perl-based EasyTimeline.Pl script and its PHP integration layer Timeline.Php. The vulnerability stems from CWE-94 improper code generation control, where user-supplied timeline markup is passed to the backend Perl interpreter without sufficient sanitization, enabling remote code execution on the MediaWiki server. No public exploit code has been identified at time of analysis, but the RCE tag and network-accessible attack vector make this a high-priority patching target for any publicly editable or semi-public MediaWiki instance.

Code Injection PHP RCE +1
NVD VulDB
EPSS 0%
NONE PATCH Awaiting Data

Stored cross-site scripting in the Wikimedia Foundation Timeline extension exposes MediaWiki installations to session hijacking and credential theft. The flaw exists in Timeline.php and EasyTimeline.pl, where user-supplied timeline markup syntax is not properly neutralized before HTML output, allowing an authenticated wiki editor to inject arbitrary JavaScript executed in other users' browsers. No public exploit has been identified at time of analysis, and KEV listing is absent, but the network-accessible nature and low-privilege entry point make this a credible risk on publicly editable wikis.

XSS PHP Timeline
NVD VulDB
EPSS 2% CVSS 7.5
HIGH This Week

Unrestricted file upload vulnerability in the Manage Project functionality in Livetecs Timelive before 6.5.1 allows remote authenticated users to execute arbitrary code by uploading a file with an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Timeline
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Livetecs Timelive before 6.2.8 does not properly restrict access to systemsetting.aspx, which allows remote attackers to change configurations and obtain the database connection string and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Timeline
NVD VulDB
EPSS 9% CVSS 6.5
MEDIUM POC This Month

Unrestricted file upload vulnerability in the user profile page feature in the Timeline Plugin 4.2.5p9 for SocialEngine allows remote authenticated users to execute arbitrary code by uploading a file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE Timeline
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy