thedaylightstudio 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk cross-site scripting、vendor risk sql injection, and vendor risk csrf に関連することが多く、vendor surface software deployment and vendor surface production workloads の文脈で vendor impact session compromise and vendor impact data exposure などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-30459 | An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message. | [email protected] | 7.1 | 0.31% | 2026-04-16 | 2026-04-23 |
| CVE-2026-30461 | Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule. | [email protected] | 8.3 | 0.61% | 2026-04-15 | 2026-04-20 |
| CVE-2026-30460 | Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module. | [email protected] | 8.8 | 0.92% | 2026-04-07 | 2026-04-09 |
| CVE-2026-30463 | Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component. | [email protected] | 7.7 | 0.37% | 2026-03-26 | 2026-03-30 |
| CVE-2026-30458 | An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset tokens via a mail splitting attack. | [email protected] | 9.1 | 0.41% | 2026-03-26 | 2026-03-30 |
| CVE-2026-30457 | An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code. | [email protected] | 9.8 | 0.73% | 2026-03-26 | 2026-03-30 |
| CVE-2024-57605 | Cross Site Scripting vulnerability in Daylight Studio Fuel CMS v.1.5.2 allows an attacker to escalate privileges via the /fuel/blocks/ and /fuel/pages components. | [email protected] | 5.4 | 0.29% | 2025-02-12 | 2025-07-09 |
| CVE-2024-25369 | A reflected Cross-Site Scripting (XSS) vulnerability in FUEL CMS 1.5.2allows attackers to run arbitrary code via crafted string after the group_id parameter. | [email protected] | 5.4 | 0.38% | 2024-02-22 | 2025-04-03 |
| CVE-2020-24950 | SQL Injection vulnerability in file Base_module_model.php in Daylight Studio FUEL-CMS version 1.4.9, allows remote attackers to execute arbitrary code via the col parameter to function list_items. | [email protected] | 8.8 | 1.14% | 2023-08-11 | 2024-11-21 |
| CVE-2020-22153 | File Upload vulnerability in FUEL-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted .php file to the upload parameter in the navigation function. | [email protected] | 9.8 | 1.16% | 2023-07-03 | 2024-11-21 |
| CVE-2020-22152 | Cross Site Scripting vulnerability in daylight studio FUEL- CMS v.1.4.6 allows a remote attacker to execute arbitrary code via the page title, meta description and meta keywords of the pages function. | [email protected] | 5.4 | 0.51% | 2023-07-03 | 2024-11-21 |
| CVE-2020-22151 | Permissions vulnerability in Fuel-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted zip file to the assests parameter of the upload function. | [email protected] | 9.8 | 1.16% | 2023-07-03 | 2024-11-25 |
| CVE-2023-33557 | Fuel CMS v1.5.2 was discovered to contain a SQL injection vulnerability via the id parameter at /controllers/Blocks.php. | [email protected] | 8.8 | 0.80% | 2023-06-09 | 2025-01-06 |
| CVE-2021-36570 | Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /permissions/delete/2---. | [email protected] | 8.8 | 0.73% | 2023-02-03 | 2025-03-26 |
| CVE-2021-36569 | Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /users/delete/2. | [email protected] | 8.8 | 0.43% | 2023-02-03 | 2025-03-26 |
| CVE-2021-44117 | A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0 via a POST call to /fuel/sitevariables/delete/4. | [email protected] | 8.8 | 1.34% | 2022-06-10 | 2024-11-21 |
| CVE-2022-28599 | A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack. | [email protected] | 5.4 | 0.54% | 2022-05-03 | 2024-11-21 |
| CVE-2022-27156 | Daylight Studio Fuel CMS 1.5.1 is vulnerable to HTML Injection. | [email protected] | 5.4 | 0.47% | 2022-04-11 | 2024-11-21 |
| CVE-2021-44607 | A Cross Site Scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 in the Assets page via an SVG file. | [email protected] | 5.4 | 0.48% | 2022-02-24 | 2024-11-21 |
| CVE-2021-38727 | FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/logs/items | [email protected] | 9.8 | 1.56% | 2021-09-09 | 2024-11-21 |