汇总 flatpress 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
历史漏洞主要涉及 跨站脚本与CSRF 等问题,部分漏洞可能导致 会话劫持,并影响 生产负载与软件部署 相关场景。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2025-44108 | A stored Cross-Site Scripting (XSS) vulnerability exists in the administration panel of Flatpress CMS before 1.4 via the gallery captions component. An attacker with admin privileges can inject a malicious JavaScript payload into the system, which is then stored persistently. | [email protected] | 4.8 | 0.31% | 2025-05-19 | 2025-06-12 |
| CVE-2025-29602 | flatpress 1.3.1 is vulnerable to Cross Site Scripting (XSS) in Administration area via Manage categories. | [email protected] | 6.1 | 0.18% | 2025-05-07 | 2025-06-16 |
| CVE-2024-9847 | FlatPress CMS version latest is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable or disable plugins on behalf of a victim user. The attacker can craft a malicious link or script that, when clicked by an authenticated user, will send a request to the FlatPress CMS server to perform the desired action on behalf of the victim user. Since the request is authenticated, the server will process it as if it were initiated by the legitimate user, effectively allowi | [email protected] | 8.0 | 0.20% | 2025-03-20 | 2025-06-24 |
| CVE-2024-9699 | A vulnerability in the file upload functionality of the FlatPress CMS admin panel (version latest) allows an attacker to upload a file with a JavaScript payload disguised as a filename. This can lead to a Cross-Site Scripting (XSS) attack if the uploaded file is accessed by other users. The issue is fixed in version 1.4.dev. | [email protected] | 5.4 | 0.18% | 2025-03-20 | 2025-06-24 |
| CVE-2024-4023 | A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. When a user uploads a file with a `.xsig` extension and directly accesses this file, the server responds with a Content-type of application/octet-stream, leading to the file being processed as an HTML file. This allows an attacker to execute arbitrary JavaScript code, which can be used to steal user cookies, perform HTTP requests, and access content of the same origin. | [email protected] | 8.1 | 0.35% | 2025-03-20 | 2025-06-23 |
| CVE-2025-25460 | A stored Cross-Site Scripting (XSS) vulnerability was identified in FlatPress 1.3.1 within the "Add Entry" feature. This vulnerability allows authenticated attackers to inject malicious JavaScript payloads into blog posts, which are executed when other users view the posts. The issue arises due to improper input sanitization of the "TextArea" field in the blog entry submission form. | [email protected] | 4.8 | 1.97% | 2025-02-24 | 2025-06-12 |
| CVE-2024-41290 | FlatPress CMS v1.3.1 1.3 was discovered to use insecure methods to store authentication data via the cookie's component. | [email protected] | 8.1 | 1.88% | 2024-10-02 | 2025-04-23 |
| CVE-2024-33210 | A cross-site scripting (XSS) vulnerability has been identified in Flatpress 1.3. This vulnerability allows an attacker to inject malicious scripts into web pages viewed by other users. | [email protected] | 5.4 | 2.91% | 2024-10-02 | 2025-07-03 |
| CVE-2024-33209 | FlatPress v1.3 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript code into the "Add New Entry" section, which allows them to execute arbitrary code in the context of a victim's web browser. | [email protected] | 5.4 | 6.24% | 2024-10-02 | 2025-03-14 |
| CVE-2024-31835 | Cross Site Scripting vulnerability in flatpress CMS Flatpress v1.3 allows a remote attacker to execute arbitrary code via a crafted payload to the file name parameter. | [email protected] | 4.8 | 23.15% | 2024-10-01 | 2024-11-21 |
| CVE-2024-25412 | A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email field. | [email protected] | 6.1 | 32.53% | 2024-09-27 | 2025-03-13 |
| CVE-2024-25411 | A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter in setup.php. | [email protected] | 6.1 | 19.68% | 2024-09-27 | 2025-07-10 |
| CVE-2023-1148 | Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3. | [email protected] | 4.8 | 0.37% | 2023-03-02 | 2024-11-21 |
| CVE-2023-1147 | Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3. | [email protected] | 5.4 | 0.32% | 2023-03-02 | 2024-11-21 |
| CVE-2023-1146 | Cross-site Scripting (XSS) - Generic in GitHub repository flatpressblog/flatpress prior to 1.3. | [email protected] | 5.4 | 0.20% | 2023-03-02 | 2024-11-21 |
| CVE-2023-1107 | Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3. | [email protected] | 5.4 | 0.32% | 2023-03-02 | 2024-11-21 |
| CVE-2023-1106 | Cross-site Scripting (XSS) - Reflected in GitHub repository flatpressblog/flatpress prior to 1.3. | [email protected] | 6.1 | 0.42% | 2023-03-02 | 2024-11-21 |
| CVE-2023-1105 | External Control of File Name or Path in GitHub repository flatpressblog/flatpress prior to 1.3. | [email protected] | 8.1 | 0.33% | 2023-03-01 | 2024-11-21 |
| CVE-2023-1104 | Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3. | [email protected] | 5.4 | 0.33% | 2023-03-01 | 2024-11-21 |
| CVE-2023-0947 | Path Traversal in GitHub repository flatpressblog/flatpress prior to 1.3. | [email protected] | 9.8 | 52.98% | 2023-02-22 | 2024-11-21 |