phpipam CVE Vulnerabilities & CVE List (52)

Products (CPE): — CVEs: 52

phpipam vulnerability overview

Aggregates CVE and security vulnerability intelligence across all phpipam-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.

Historical issues mainly involve SQL injection, CSRF and related problems; some flaws may lead to session compromise, affecting software deployment scenarios.

Vulnerability distribution trend (last 24 months)

Showing 1-20 of 52 CVEs
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-61078 | Cross-site scripting (XSS) vulnerability in Request IP form in phpIPAM v1.7.3 allows remote attackers to inject arbitrary web script or HTML via the instructions parameter for the /app/admin/instructions/edit-result.php endpoint. | [email protected] | 6.1 | 0.22% | 2025-12-09 | 2025-12-12 |
| CVE-2025-60912 | phpIPAM v1.7.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in the database export functionality. The generate-mysql.php function, located in the /app/admin/import-export/ endpoint, allows remote attackers to trigger large database dump downloads via crafted HTTP GET requests if an administrator has an active session. | [email protected] | 3.3 | 0.17% | 2025-12-08 | 2025-12-10 |
| CVE-2024-55093 | phpIPAM through 1.7.3 has a reflected Cross-Site Scripting (XSS) vulnerability in the install scripts. | [email protected] | 5.4 | 0.19% | 2025-03-31 | 2025-04-23 |
| CVE-2024-10727 | A reflected cross-site scripting (XSS) vulnerability exists in phpipam/phpipam versions 1.5.0 through 1.6.0. The vulnerability arises when the application receives data in an HTTP request and includes that data within the immediate response in an unsafe manner. This allows an attacker to execute arbitrary JavaScript in the context of the user's browser, potentially leading to full compromise of the user. | [email protected] | 6.1 | 0.30% | 2025-03-20 | 2025-04-01 |
| CVE-2024-10725 | A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the application, which are then executed in the context of other users who view the affected pages. The issue occurs when editing the NAT destination address, where user input is not properly sanitized. This can lead to data theft, account compromise, and other malicious activities. The vulnerability is fixed in version 1.7.0. | [email protected] | 5.4 | 0.29% | 2025-03-20 | 2025-05-28 |
| CVE-2024-10724 | A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2, specifically in the Subnet NAT translations section when editing the Destination address. This vulnerability allows an attacker to execute malicious code. The issue is fixed in version 1.7.0. | [email protected] | 5.4 | 0.29% | 2025-03-20 | 2025-05-28 |
| CVE-2024-10723 | A stored cross-site scripting (XSS) vulnerability was discovered in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the destination address field of the NAT tool, which can be executed when a user interacts with the field. The impact of this vulnerability includes the potential theft of user cookies, unauthorized access to user accounts, and redirection to malicious websites. The issue has been fixed in version 1.7.0. | [email protected] | 5.4 | 0.29% | 2025-03-20 | 2025-05-28 |
| CVE-2024-10722 | A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. The vulnerability allows attackers to inject malicious scripts into the 'Description' field of custom fields in the 'IP RELATED MANAGEMENT' section. This can lead to data theft, account compromise, distribution of malware, website defacement, content manipulation, and phishing attacks. The issue is fixed in version 1.7.0. | [email protected] | 5.4 | 0.29% | 2025-03-20 | 2025-05-28 |
| CVE-2024-10721 | A stored cross-site scripting (XSS) vulnerability was discovered in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the application, which can be executed in the context of other users who view the affected page. The issue occurs in the circuits options page (https://demo.phpipam.net/tools/circuits/options/). An attacker can exploit this vulnerability to steal cookies, gain unauthorized access to user accounts, or redirect users to malicious | [email protected] | 5.4 | 0.29% | 2025-03-20 | 2025-04-01 |
| CVE-2024-10720 | A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. The vulnerability occurs in the 'Device Management' section under 'Administration' where an attacker can inject malicious scripts into the 'Name' and 'Description' fields when adding a new device type. This can lead to data theft, account compromise, distribution of malware, website defacement, and phishing attacks. The issue is fixed in version 1.7.0. | [email protected] | 6.1 | 0.34% | 2025-03-20 | 2025-05-28 |
| CVE-2024-10719 | A stored cross-site scripting (XSS) vulnerability exists in phpipam version 1.5.2, specifically in the circuits options functionality. This vulnerability allows an attacker to inject malicious scripts via the 'option' parameter in the POST request to /phpipam/app/admin/circuits/edit-options-submit.php. The injected script can be executed in the context of the user's browser, leading to potential cookie theft and end-user file disclosure. The issue is fixed in version 1.7.0. | [email protected] | 5.4 | 0.29% | 2025-03-20 | 2025-05-28 |
| CVE-2024-10718 | In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. This could cause the user agent to send those cookies in plaintext over an HTTP session, potentially exposing sensitive information. The issue is fixed in version 1.7.0. | [email protected] | 7.5 | 0.29% | 2025-03-20 | 2025-06-27 |
| CVE-2024-0787 | phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism to brute force passwords for users by using the 'X-Forwarded-For' header. The issue lies in the 'get_user_ip()' function in 'class.Common.php' at lines 1044 and 1045, where the presence of the 'X-Forwarded-For' header is checked and used instead of 'REMOTE_ADDR'. This vulnerability allows attackers to perform brute force attacks on user accounts, including the admin account. The issue is fixed in v | [email protected] | 5.9 | 0.45% | 2024-11-15 | 2024-11-19 |
| CVE-2022-1226 | A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the import Data set feature via a spreadsheet file upload. The affected endpoints include import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php, and import-l2dom-preview.php. The vulnerability can be | [email protected] | 4.8 | 0.40% | 2024-11-15 | 2024-11-19 |
| CVE-2024-41358 | phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\import-export\import-load-data.php. | [email protected] | 6.1 | 1.51% | 2024-08-29 | 2026-01-26 |
| CVE-2024-41354 | phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/widgets/edit.php | [email protected] | 7.1 | 0.28% | 2024-07-26 | 2025-04-23 |
| CVE-2024-41353 | phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\groups\edit-group.php | [email protected] | 7.1 | 0.28% | 2024-07-26 | 2025-04-23 |
| CVE-2024-41357 | phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/powerDNS/record-edit.php. | [email protected] | 7.1 | 1.06% | 2024-07-26 | 2025-04-23 |
| CVE-2024-41356 | phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\firewall-zones\zones-edit-network.php. | [email protected] | 4.7 | 0.41% | 2024-07-26 | 2025-04-23 |
| CVE-2024-41355 | phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/tools/request-ip/index.php. | [email protected] | 6.5 | 0.36% | 2024-07-26 | 2026-02-13 |
cvelogic Threat Intelligence