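A summary of CVE and security vulnerability intelligence for all idreamsoft products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Common weakness patterns include path-handling flaws, cross-site scripting, SQL injection, and SSRF, which in production workload and software deployment scenarios may lead to risks such as file overwrite, session hijacking, and data leakage.
The vulnerability data comes mainly from public vulnerability disclosures and security advisories, and can be used to assess historical vulnerability exposure and remediation priority.

| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |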
|---|---|---|---|---|---|---|
| CVE-2026-30661 | iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Management component, specifically within the index.html file. This allows remote attackers to execute arbitrary web script or HTML via the regip or loginip parameters. | [email protected] | 6.1 | 0.06% | 2026-03-24 | 2026-03-25 |
| CVE-2025-15394 | A vulnerability was detected in iCMS up to 8.0.0. Affected is the function Save of the file app/config/ConfigAdmincp.php of the component POST Parameter Handler. The manipulation of the argument config results in code injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 2.0 | 0.03% | 2025-12-31 | 2026-04-29 |
| CVE-2023-40953 | iCMS 7.0.16 is vulnerable to Cross Site Request Forgery (CSRF). | [email protected] | 8.8 | 0.06% | 2023-09-08 | 2024-11-21 |
| CVE-2023-39806 | iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the bakupdata function. | [email protected] | 9.8 | 0.07% | 2023-08-10 | 2024-11-21 |
| CVE-2023-39805 | iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the where parameter at admincp.php. | [email protected] | 9.8 | 0.07% | 2023-08-10 | 2024-11-21 |
| CVE-2022-41496 | iCMS v7.0.16 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at admincp.php. | [email protected] | 9.8 | 0.38% | 2022-10-13 | 2025-05-15 |
| CVE-2021-44978 | iCMS <= 8.0.0 allows users to add and render a custom template, which has an SSTI vulnerability that causes remote code execution. | [email protected] | 9.8 | 2.67% | 2022-02-04 | 2024-11-21 |
| CVE-2021-44977 | In iCMS <=8.0.0, a directory traversal vulnerability allows an attacker to read arbitrary files. | [email protected] | 7.5 | 0.43% | 2022-02-04 | 2024-11-21 |
| CVE-2020-21141 | iCMS v7.0.15 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admincp.php?app=members&do=add. | [email protected] | 8.8 | 0.14% | 2021-11-12 | 2024-11-21 |
| CVE-2020-26641 | A Cross Site Request Forgery (CSRF) vulnerability was discovered in iCMS 7.0.16 which can allow an attacker to execute arbitrary web scripts. | [email protected] | 8.8 | 0.14% | 2021-05-28 | 2024-11-21 |
| CVE-2020-18070 | Path Traversal in iCMS v7.0.13 allows remote attackers to delete folders by injecting commands into a crafted HTTP request to the "do_del()" method of the component "database.admincp.php". | [email protected] | 9.1 | 4.31% | 2021-04-30 | 2024-11-21 |
| CVE-2020-19527 | iCMS 7.0.14 allows attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php. | [email protected] | 9.8 | 0.39% | 2020-12-10 | 2024-11-21 |
| CVE-2020-19142 | iCMS 7 allows attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php. | [email protected] | 9.8 | 0.39% | 2020-12-10 | 2024-11-21 |
| CVE-2020-24739 | A CSRF vulnerability was found in iCMS v7.0.0 in the background deletion of administrator accounts. When the CSRF_TOKEN is missing, the request still succeeds, and all administrators except the initial administrator will be deleted. | [email protected] | 6.5 | 0.06% | 2020-09-10 | 2024-11-21 |
| CVE-2019-17583 | idreamsoft iCMS 7.0.15 allows remote attackers to cause a denial of service (resource consumption) via a query for many comments, as demonstrated by the admincp.php?app=comment&perpage= substring followed by a large positive integer. | [email protected] | 7.5 | 0.81% | 2019-10-14 | 2024-11-21 |
| CVE-2019-17552 | An issue was discovered in idreamsoft iCMS v7.0.14. There is a spider_project.admincp.php SQL injection vulnerability in the 'upload spider project scheme' feature via a two-dimensional payload. | [email protected] | 9.8 | 0.31% | 2019-10-14 | 2024-11-21 |
| CVE-2019-16677 | An issue was discovered in idreamsoft iCMS V7.0. admincp.php?app=members&do=del allows CSRF. | [email protected] | 6.5 | 0.15% | 2019-09-21 | 2024-11-21 |
| CVE-2019-11427 | An XSS issue was discovered in app/search/search.app.php in idreamsoft iCMS 7.0.14 via the public/api.php?app=search q parameter. | [email protected] | 6.1 | 0.24% | 2019-04-22 | 2024-11-21 |
| CVE-2019-11426 | An XSS issue was discovered in app/admincp/template/admincp.header.php in idreamsoft iCMS 7.0.14 via the admincp.php?app=config tab parameter. | [email protected] | 6.1 | 0.24% | 2019-04-22 | 2024-11-21 |
| CVE-2019-8902 | An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI. | [email protected] | 5.7 | 0.05% | 2019-02-18 | 2024-11-21 |