Aggregates CVE and security vulnerability intelligence across all friendica-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk cross-site scripting and vendor risk path handling and related problems; some flaws may lead to vendor impact session compromise and vendor impact file overwrite.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-39094 | Friendica 2024.03 is vulnerable to Cross Site Scripting (XSS) in settings/profile via the homepage, xmpp, and matrix parameters. | [email protected] | 5.4 | 0.32% | 2024-08-20 | 2026-06-17 |
| CVE-2024-27731 | Cross Site Scripting vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information via the lack of file type filtering in the file attachment parameter. | [email protected] | 6.1 | 0.30% | 2024-08-15 | 2026-06-17 |
| CVE-2024-27730 | Insecure Permissions vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information and execute arbitrary code via the cid parameter of the calendar event feature. | [email protected] | 9.8 | 0.80% | 2024-08-15 | 2026-06-17 |
| CVE-2024-27729 | Cross Site Scripting vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information via the location parameter of the calendar event feature. | [email protected] | 6.1 | 0.37% | 2024-08-15 | 2026-06-17 |
| CVE-2024-27728 | Cross Site Scripting vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information via the text parameter of the babel debug feature. | [email protected] | 6.1 | 0.31% | 2024-08-15 | 2026-06-17 |
| CVE-2024-26495 | Cross Site Scripting (XSS) vulnerability in Friendica versions after v.2023.12, allows a remote attacker to execute arbitrary code and obtain sensitive information via the BBCode tags in the post content and post comments function. | [email protected] | 6.1 | 0.50% | 2024-04-02 | 2026-06-17 |
| CVE-2021-30141 | Module/Settings/UserExport.php in Friendica through 2021.01 allows settings/userexport to be used by anonymous users, as demonstrated by an attempted access to an array offset on a value of type null, and excessive memory consumption. NOTE: the vendor states "the feature still requires a valid authentication cookie even if the route is accessible to non-logged users. | [email protected] | 7.5 | 1.52% | 2021-04-05 | 2026-06-16 |