彙總 easycms 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 SQL 注入、跨站腳本與CSRF,在 軟體部署與生產負載 使用場景中可能帶來 工作階段劫持與資料外洩 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-3786 | A security flaw has been discovered in EasyCMS up to 1.6. The impacted element is an unknown function of the file /RbacuserAction.class.php of the component Request Parameter Handler. The manipulation of the argument _order results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 2.1 | 0.28% | 2026-03-08 | 2026-06-17 |
| CVE-2026-3785 | A vulnerability was identified in EasyCMS up to 1.6. The affected element is an unknown function of the file /RbacnodeAction.class.php of the component Request Parameter Handler. The manipulation of the argument _order leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 2.1 | 0.28% | 2026-03-08 | 2026-06-17 |
| CVE-2026-1105 | A vulnerability was identified in EasyCMS up to 1.6. This vulnerability affects unknown code of the file /UserAction.class.php. Such manipulation of the argument _order leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 5.5 | 0.44% | 2026-01-17 | 2026-06-17 |
| CVE-2022-23358 | EasyCMS v1.6 allows for SQL injection via ArticlemAction.class.php. In the background, search terms provided by the user were not sanitized and were used directly to construct a SQL statement. | [email protected] | 9.8 | 1.19% | 2022-02-16 | 2026-06-17 |
| CVE-2020-24271 | A CSRF vulnerability was discovered in EasyCMS v1.6 that can add an admin account through index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent, then post username=***&password=***. | [email protected] | 8.8 | 0.60% | 2021-02-01 | 2026-06-16 |
| CVE-2019-6294 | An issue was discovered in EasyCMS 1.5. There is CSRF via the index.php?s=/admin/articlem/insert/navTabId/listarticle/callbackType/closeCurrent URI. | [email protected] | 8.8 | 0.52% | 2019-01-15 | 2026-06-16 |
| CVE-2018-17113 | App/Modules/Admin/Tpl/default/Public/dwz/uploadify/scripts/uploadify.swf in EasyCMS 1.5 has XSS via the uploadifyID or movieName parameter, a related issue to CVE-2018-9173. | [email protected] | 6.1 | 0.64% | 2018-09-17 | 2026-06-16 |
| CVE-2018-16773 | EasyCMS 1.5 allows XSS via the index.php?s=/admin/fields/update/navTabId/listfields/callbackType/closeCurrent content field. | [email protected] | 4.8 | 0.55% | 2018-09-10 | 2026-06-16 |
| CVE-2018-16759 | The removeXSS function in App/Common/common.php (called from App/Modules/Index/Action/SearchAction.class.php) in EasyCMS v1.4 allows XSS via an onhashchange event. | [email protected] | 6.1 | 0.71% | 2018-09-09 | 2026-06-16 |
| CVE-2018-16345 | An issue was discovered in EasyCMS 1.5. There is a CSRF vulnerability that can update the admin password via index.php?s=/admin/rbacuser/update/navTabId/listusers/callbackType/closeCurrent. | [email protected] | 8.8 | 0.52% | 2018-09-02 | 2026-06-16 |
| CVE-2018-12971 | EasyCMS 1.3 has CSRF via the index.php?s=/admin/user/delAll URI to delete users. | [email protected] | 6.5 | 0.45% | 2018-06-29 | 2026-06-16 |
| CVE-2018-10374 | EasyCMS 1.3 has XSS via the s POST parameter (aka a search box value) in an index.php?s=/index/search/index.html request. | [email protected] | 6.1 | 0.69% | 2018-04-25 | 2026-06-16 |