SeaCMS 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に vendor risk cross-site scripting and パス処理の欠陥 などに関し、一部は vendor impact session compromise を招き、vendor surface production workloads and vendor surface software deployment 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2020-36932 | SeaCMS 11.1 contains a stored cross-site scripting vulnerability in the checkuser parameter of the admin settings page. Attackers can inject malicious JavaScript payloads that will execute in users' browsers when the page is loaded. | [email protected] | 5.1 | 0.01% | 2026-01-25 | 2026-02-02 |
| CVE-2025-15003 | A vulnerability was found in SeaCMS up to 13.3. The impacted element is an unknown function of the file admin_video.php. Performing a manipulation of the argument e_id results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | [email protected] | 2.0 | 0.03% | 2025-12-22 | 2026-04-29 |
| CVE-2025-15002 | A vulnerability has been found in SeaCMS up to 13.3. The affected element is an unknown function of the file js/player/dmplayer/dmku/class/mysqli.class.php. Such manipulation of the argument page/limit leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 5.5 | 0.02% | 2025-12-21 | 2026-04-29 |
| CVE-2025-60449 | An information disclosure vulnerability has been discovered in SeaCMS 13.1. The vulnerability exists in the admin_safe.php component located in the /btcoan/ directory. This security flaw allows authenticated administrators to scan and download not only the application’s source code but also potentially any file accessible on the server’s root directory. | [email protected] | 4.9 | 0.05% | 2025-10-03 | 2025-10-08 |
| CVE-2025-11071 | A security vulnerability has been detected in SeaCMS 13.3.20250820. Impacted is an unknown function of the file /admin_cron.php of the component Cron Task Management Module. The manipulation of the argument resourcefrom/collectID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | [email protected] | 2.0 | 0.03% | 2025-09-27 | 2026-04-29 |
| CVE-2025-10662 | A vulnerability has been found in SeaCMS up to 13.3. The impacted element is an unknown function of the file /admin_members.php?ac=editsave. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This affects another injection point than CVE-2025-25513. | [email protected] | 2.0 | 0.06% | 2025-09-18 | 2026-04-29 |
| CVE-2025-50592 | Cross site scripting vulnerability in seacms before 13.2 via the vid parameter to Upload/js/player/dmplayer/player. | [email protected] | 5.4 | 0.19% | 2025-08-05 | 2025-08-15 |
| CVE-2025-6864 | A vulnerability, which was classified as problematic, has been found in SeaCMS up to 13.2. Affected by this issue is some unknown functionality of the file /admin_type.php. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 2.1 | 0.16% | 2025-06-29 | 2026-04-29 |
| CVE-2024-40570 | SQL Injection vulnerability in SeaCMS v.12.9 allows a remote attacker to obtain sensitive information via the admin_datarelate.php component. | [email protected] | 6.5 | 0.23% | 2025-06-17 | 2025-06-23 |
| CVE-2025-44073 | SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_comment_news.php. | [email protected] | 9.8 | 0.27% | 2025-05-06 | 2025-06-12 |
| CVE-2025-44074 | SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_topic.php. | [email protected] | 9.8 | 0.27% | 2025-05-05 | 2025-05-13 |
| CVE-2025-44072 | SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_manager.php. | [email protected] | 9.8 | 0.27% | 2025-05-05 | 2025-05-13 |
| CVE-2025-44071 | SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component phomebak.php. This vulnerability allows attackers to execute arbitrary code via a crafted request. | [email protected] | 9.8 | 3.90% | 2025-05-05 | 2025-05-13 |
| CVE-2025-4257 | A vulnerability, which was classified as problematic, has been found in SeaCMS 13.2. This issue affects some unknown processing of the file /admin_pay.php. The manipulation of the argument cstatus leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 5.1 | 0.16% | 2025-05-05 | 2025-10-06 |
| CVE-2025-4256 | A vulnerability classified as problematic was found in SeaCMS 13.2. This vulnerability affects unknown code of the file /admin_paylog.php. The manipulation of the argument cstatus leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 5.1 | 0.16% | 2025-05-05 | 2025-06-12 |
| CVE-2025-3797 | A vulnerability classified as critical was found in SeaCMS up to 13.3. This vulnerability affects unknown code of the file /admin_topic.php?action=delall. The manipulation of the argument e_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 5.1 | 0.05% | 2025-04-19 | 2025-07-15 |
| CVE-2025-3792 | A vulnerability, which was classified as critical, has been found in SeaCMS up to 13.3. This issue affects some unknown processing of the file /admin_link.php?action=delall. The manipulation of the argument e_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 5.1 | 0.06% | 2025-04-18 | 2025-07-15 |
| CVE-2025-29647 | SeaCMS v13.3 has a SQL injection vulnerability in the component admin_tempvideo.php. | [email protected] | 9.8 | 0.35% | 2025-04-03 | 2025-04-08 |
| CVE-2025-25813 | SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component admin_files.php. | [email protected] | 5.1 | 0.57% | 2025-02-26 | 2025-03-28 |
| CVE-2025-25802 | SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component admin_ip.php. | [email protected] | 5.1 | 0.74% | 2025-02-26 | 2025-03-28 |