This page lists publicly disclosed CVE vulnerabilities affecting lavalite lavalite (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-70866 | LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider without role-based access control verification. | [email protected] | 8.8 | 0.01% | 2026-02-13 | 2026-02-19 |
| CVE-2025-71177 | LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacki | [email protected] | 5.1 | 0.02% | 2026-01-23 | 2026-01-29 |
| CVE-2024-31828 | Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL. | [email protected] | 6.1 | 0.22% | 2024-04-26 | 2025-04-18 |
| CVE-2023-36984 | LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure. | [email protected] | 7.5 | 0.15% | 2023-08-01 | 2024-11-21 |
| CVE-2023-36983 | LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure. | [email protected] | 7.5 | 0.16% | 2023-08-01 | 2024-11-21 |
| CVE-2023-30124 | LavaLite v9.0.0 is vulnerable to Cross Site Scripting (XSS). | [email protected] | 5.4 | 0.20% | 2023-05-18 | 2025-01-23 |
| CVE-2023-27238 | LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning. | [email protected] | 9.8 | 0.63% | 2023-05-12 | 2025-01-27 |
| CVE-2023-27237 | LavaLite CMS v 9.0.0 was discovered to be vulnerable to a host header injection attack. | [email protected] | 6.1 | 0.55% | 2023-05-12 | 2025-01-24 |
| CVE-2022-42188 | In Lavalite 9.0.0, the XSRF-TOKEN cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. | [email protected] | 7.5 | 0.45% | 2022-10-18 | 2025-05-13 |
| CVE-2020-23234 | Cross Site Scripting (XSS) vulnerabiity exists in LavaLite CMS 5.8.0 via the Menu Blocks feature, which can be bypassed by using HTML event handlers, such as "ontoggle,". | [email protected] | 4.8 | 0.16% | 2021-07-26 | 2024-11-21 |
| CVE-2020-23700 | Cross Site Scripting (XSS) vulnerability in LavaLite-CMS 5.8.0 via the Menu Links feature. | [email protected] | 4.8 | 0.24% | 2021-07-07 | 2024-11-21 |
| CVE-2020-36397 | A stored cross site scripting (XSS) vulnerability in the /admin/contact/contact component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter. | [email protected] | 5.4 | 0.35% | 2021-07-02 | 2024-11-21 |
| CVE-2020-36396 | A stored cross site scripting (XSS) vulnerability in the /admin/roles/role component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter. | [email protected] | 5.4 | 0.35% | 2021-07-02 | 2024-11-21 |
| CVE-2020-36395 | A stored cross site scripting (XSS) vulnerability in the /admin/user/team component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter. | [email protected] | 5.4 | 0.35% | 2021-07-02 | 2024-11-21 |
| CVE-2020-28124 | Cross Site Scripting (XSS) in LavaLite 5.8.0 via the Address field. | [email protected] | 5.4 | 0.26% | 2021-04-14 | 2024-11-21 |
| CVE-2019-18883 | XSS exists in Lavalite CMS 5.7 via the admin/profile name or designation field. | [email protected] | 6.1 | 0.33% | 2019-11-13 | 2024-11-21 |
| CVE-2019-17434 | LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen. | [email protected] | 5.4 | 0.19% | 2019-10-10 | 2024-11-21 |
| CVE-2018-16551 | LavaLite 5.5 has XSS via a /edit URI, as demonstrated by client/job/job/Zy8PWBekrJ/edit. | [email protected] | 5.4 | 0.21% | 2018-09-05 | 2024-11-21 |
| CVE-2017-1000467 | LavaLite version 5.2.4 is vulnerable to stored cross-site scripting vulnerability, within the blog creation page, which can result in disruption of service and execution of javascript code. | [email protected] | 5.4 | 0.30% | 2018-01-03 | 2024-11-21 |