This page lists publicly disclosed CVE vulnerabilities affecting flatcore flatcore-cms (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2022-43118 | A cross-site scripting (XSS) vulnerability in flatCore-CMS v2.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Username text field. | [email protected] | 6.1 | 0.41% | 2022-11-09 | 2025-05-01 |
| CVE-2021-41402 | flatCore-CMS v2.0.8 has a code execution vulnerability, which could let a remote malicious user execute arbitrary PHP code. | [email protected] | 8.8 | 1.33% | 2022-06-16 | 2024-11-21 |
| CVE-2021-41403 | flatCore-CMS version 2.0.8 calls dangerous functions, causing server-side request forgery vulnerabilities. | [email protected] | 9.8 | 17.25% | 2022-06-15 | 2024-11-21 |
| CVE-2021-40902 | flatCore-CMS version 2.0.8 is affected by Cross Site Scripting (XSS) in the "Create New Page" option through the index page. | [email protected] | 5.4 | 0.45% | 2022-06-13 | 2024-11-21 |
| CVE-2021-42245 | FlatCore-CMS 2.0.9 has a cross-site scripting (XSS) vulnerability in pages.edit.php through meta tags and content sections. | [email protected] | 6.1 | 0.66% | 2022-06-06 | 2024-11-21 |
| CVE-2021-3745 | flatcore-cms is vulnerable to Unrestricted Upload of File with Dangerous Type | [email protected] | 6.6 | 1.07% | 2021-10-28 | 2024-11-21 |
| CVE-2021-39609 | Cross Site Scripting (XSS) vulnerability exiss in FlatCore-CMS 2.0.7 via the upload image function. | [email protected] | 5.4 | 1.70% | 2021-08-23 | 2024-11-21 |
| CVE-2021-39608 | Remote Code Execution (RCE) vulnerabilty exists in FlatCore-CMS 2.0.7 via the upload addon plugin, which could let a remote malicious user exeuct arbitrary php code. | [email protected] | 7.2 | 46.87% | 2021-08-23 | 2024-11-21 |
| CVE-2017-1000428 | flatCore-CMS 1.4.6 is vulnerable to reflected XSS in user_management.php due to the use of $_SERVER['PHP_SELF'] to build links and a stored XSS in the admin log panel by specifying a malformed User-Agent string. | [email protected] | 6.1 | 0.85% | 2018-01-10 | 2024-11-21 |
| CVE-2017-8868 | acp/core/files.browser.php in flatCore 1.4.7 allows file deletion via directory traversal in the delete parameter to acp/acp.php. The risk might be limited to requests submitted through CSRF. | [email protected] | 7.5 | 1.85% | 2017-05-10 | 2026-05-13 |
| CVE-2017-7879 | SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read the content database. | [email protected] | 7.5 | 1.03% | 2017-04-14 | 2026-05-13 |
| CVE-2017-7878 | SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read and write to the users database. | [email protected] | 9.8 | 1.02% | 2017-04-14 | 2026-05-13 |
| CVE-2017-7877 | CSRF vulnerability in flatCore version 1.4.6 allows remote attackers to modify CMS configurations. | [email protected] | 8.8 | 0.91% | 2017-04-14 | 2026-05-13 |