This page aggregates publicly disclosed CVE and security risk information related to php_fusion, with CVSS, EPSS, publication dates, and vulnerability intelligence data to help assess potential risk and remediation priority.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2005-2074 | Cross-site scripting (XSS) vulnerability in PHP-Fusion 6.0.105 allows remote attackers to inject arbitrary web script or HTML via a news or article post, possibly involving the (1) news_body, (2) article_description, or (3) article_body parameters to submit.php. | [email protected] | 4.3 | 0.35% | 2005-06-29 | 2026-04-16 |
| CVE-2005-0829 | Cross-site scripting (XSS) vulnerability in setuser.php of the Digitanium addon to PHP-Fusion 5.01 allows remote attackers to inject arbitrary web script or HTML via the (1) user_name or (2) user_pass parameters. | [email protected] | 4.3 | 0.44% | 2005-05-02 | 2026-04-16 |
| CVE-2005-0345 | viewthread.php in php-fusion 4.x does not check the (1) forum_id or (2) forum_cat parameters, which allows remote attackers to view protected forums via the thread_id parameter. | [email protected] | 5.0 | 4.03% | 2005-05-02 | 2026-04-16 |
| CVE-2005-0692 | Cross-site scripting (XSS) vulnerability in fusion_core.php for PHP-Fusion 5.x allows remote attackers to inject arbitrary web script or HTML via a message with IMG bbcode containing character-encoded Javascript. | [email protected] | 4.3 | 0.34% | 2005-03-06 | 2026-04-16 |
| CVE-2004-2438 | Cross-site scripting (XSS) vulnerability in PHP-Fusion 4.01 allows remote attackers to inject arbitrary web script or HTML via the (1) Submit News, (2) Submit Link or (3) Submit Article field. | [email protected] | 4.3 | 0.35% | 2004-12-31 | 2026-04-16 |
| CVE-2004-2437 | SQL injection vulnerability in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the rowstart parameter to (1) index.php or (2) members.php, or (3) the comment_id parameter to comments.php. | [email protected] | 7.5 | 0.62% | 2004-12-31 | 2026-04-16 |
| CVE-2004-1723 | The (1) updateuser.php and (2) forums_prune.php scripts in PHP-Fusion 4.00 allow remote attackers to obtain sensitive information via a direct HTTP request, which reveals the installation path in an error message. | [email protected] | 5.0 | 0.35% | 2004-12-31 | 2026-04-16 |
| CVE-2004-1724 | The ReadMe First.txt file in PHP-Fusion 4.0 instructs users to set the permissions on the fusion_admin/db_backups directory to world read/write/execute (777), which allows remote attackers to download or view database backups, which have easily guessable filenames and contain the administrator username and password. | [email protected] | 7.5 | 3.63% | 2004-08-18 | 2026-04-16 |