This page lists publicly disclosed CVE vulnerabilities affecting cksource ckfinder (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2016-20023 | In CKSource CKFinder before 2.5.0.1 for ASP.NET, authenticated users could download any file from the server if the correct path to a file was provided. | [email protected] | 5.0 | 0.29% | 2025-12-05 | 2025-12-17 |
| CVE-2025-63830 | CKFinder 1.4.3 is vulnerable to Cross Site Scripting (XSS) in the File Upload function. An attacker can upload a crafted SVG containing active content. | [email protected] | 6.1 | 0.23% | 2025-11-14 | 2025-11-19 |
| CVE-2019-15891 | An issue was discovered in CKFinder through 2.6.2.1 and 3.x through 3.5.0. The documentation has misleading information that could lead to a conclusion that the application has a built-in bulletproof content sniffing protection. | [email protected] | 5.3 | 1.09% | 2019-09-26 | 2024-11-21 |
| CVE-2019-15862 | An issue was discovered in CKFinder through 2.6.2.1. Improper checks of file names allows remote attackers to upload files without any extension (even if the application was configured to accept files only with a defined set of extensions). This affects CKFinder for ASP, CKFinder for ASP.NET, CKFinder for ColdFusion, and CKFinder for PHP. | [email protected] | 7.5 | 1.52% | 2019-09-26 | 2024-11-21 |