Aggregates CVE and security vulnerability intelligence across all cuppacms-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk sql injection, vendor risk file inclusion, vendor risk cross-site scripting, and vendor risk path handling and related problems; some flaws may lead to vendor impact file overwrite.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2023-47990 | SQL Injection vulnerability in components/table_manager/html/edit_admin_table.php in CuppaCMS V1.0 allows attackers to run arbitrary SQL commands via the table parameter. | [email protected] | 9.8 | 0.78% | 2023-12-20 | 2026-06-17 |
| CVE-2023-39681 | Cuppa CMS v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the email_outgoing parameter at /Configuration.php. This vulnerability is triggered via a crafted payload. | [email protected] | 9.8 | 1.39% | 2023-09-05 | 2026-06-17 |
| CVE-2021-29368 | Session fixation vulnerability in CuppaCMS thru commit 4c9b742b23b924cf4c1f943f48b278e06a17e297 on November 12, 2019 allows attackers to gain access to arbitrary user sessions. | [email protected] | 8.8 | 0.71% | 2023-01-20 | 2026-06-16 |
| CVE-2022-37191 | The component "cuppa/api/index.php" of CuppaCMS v1.0 is Vulnerable to LFI. An authenticated user can read system files via crafted POST request using [function] parameter value as LFI payload. | [email protected] | 6.5 | 2.43% | 2022-09-13 | 2026-06-17 |
| CVE-2022-37190 | CuppaCMS 1.0 is vulnerable to Remote Code Execution (RCE). An authenticated user can control both parameters (action and function) from "/api/index.php. | [email protected] | 8.8 | 45.77% | 2022-09-13 | 2026-06-17 |
| CVE-2022-38296 | Cuppa CMS v1.0 was discovered to contain an arbitrary file upload vulnerability via the File Manager. | [email protected] | 9.8 | 3.77% | 2022-09-12 | 2026-06-17 |
| CVE-2022-38295 | Cuppa CMS v1.0 was discovered to contain a cross-site scripting vulnerability at /table_manager/view/cu_user_groups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field under the Add New Group function. | [email protected] | 6.1 | 1.03% | 2022-09-12 | 2026-06-17 |
| CVE-2022-34121 | Cuppa CMS v1.0 was discovered to contain a local file inclusion (LFI) vulnerability via the component /templates/default/html/windows/right.php. | [email protected] | 7.5 | 2.96% | 2022-07-27 | 2026-06-17 |
| CVE-2022-27985 | CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via /administrator/alerts/alertLightbox.php. | [email protected] | 9.8 | 6.92% | 2022-04-26 | 2026-06-17 |
| CVE-2022-27984 | CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via the menu_filter parameter at /administrator/templates/default/html/windows/right.php. | [email protected] | 9.8 | 6.92% | 2022-04-26 | 2026-06-17 |
| CVE-2022-25498 | CuppaCMS v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the saveConfigData function in /classes/ajax/Functions.php. | [email protected] | 9.8 | 2.89% | 2022-03-15 | 2026-06-17 |
| CVE-2022-25497 | CuppaCMS v1.0 was discovered to contain an arbitrary file read via the copy function. | [email protected] | 5.3 | 3.57% | 2022-03-15 | 2026-06-17 |
| CVE-2022-25495 | The component /jquery_file_upload/server/php/index.php of CuppaCMS v1.0 allows attackers to upload arbitrary files and execute arbitrary code via a crafted PHP file. | [email protected] | 9.8 | 2.04% | 2022-03-15 | 2026-06-17 |
| CVE-2022-25486 | CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertConfigField.php. | [email protected] | 7.8 | 9.97% | 2022-03-15 | 2026-06-17 |
| CVE-2022-25485 | CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertLightbox.php. | [email protected] | 7.8 | 7.93% | 2022-03-15 | 2026-06-17 |
| CVE-2022-25401 | The copy function of the file manager in Cuppa CMS v1.0 allows any file to be copied to the current directory, granting attackers read access to arbitrary files. | [email protected] | 7.5 | 2.22% | 2022-02-24 | 2026-06-17 |
| CVE-2022-24647 | Cuppa CMS v1.0 was discovered to contain an arbitrary file deletion vulnerability via the unlink() function. | [email protected] | 8.1 | 1.03% | 2022-02-10 | 2026-06-17 |
| CVE-2022-24266 | Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the order_by parameter. | [email protected] | 7.5 | 6.39% | 2022-01-31 | 2026-06-17 |
| CVE-2022-24265 | Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/menu/ via the path=component/menu/&menu_filter=3 parameter. | [email protected] | 7.5 | 6.71% | 2022-01-31 | 2026-06-17 |
| CVE-2022-24264 | Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the search_word parameter. | [email protected] | 7.5 | 6.71% | 2022-01-31 | 2026-06-17 |