彙總 thedaylightstudio 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
已披露問題常與 跨站腳本、SQL 注入與CSRF 相關,可能在 軟體部署與生產負載 場景中帶來 工作階段劫持與資料外洩 等暴露風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2021-47980 | Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the 'col' parameter to extract database information based on response time delays. | [email protected] | 7.1 | 0.23% | 2026-05-16 | 2026-06-17 |
| CVE-2026-30459 | An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message. | [email protected] | 7.1 | 0.31% | 2026-04-16 | 2026-07-05 |
| CVE-2026-30461 | Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule. | [email protected] | 8.3 | 0.53% | 2026-04-15 | 2026-07-05 |
| CVE-2026-30460 | Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module. | [email protected] | 8.8 | 0.79% | 2026-04-07 | 2026-07-05 |
| CVE-2026-30463 | Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component. | [email protected] | 7.7 | 0.33% | 2026-03-26 | 2026-07-05 |
| CVE-2026-30458 | An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset tokens via a mail splitting attack. | [email protected] | 9.1 | 0.41% | 2026-03-26 | 2026-07-05 |
| CVE-2026-30457 | An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code. | [email protected] | 9.8 | 0.63% | 2026-03-26 | 2026-07-05 |
| CVE-2024-57605 | Cross Site Scripting vulnerability in Daylight Studio Fuel CMS v.1.5.2 allows an attacker to escalate privileges via the /fuel/blocks/ and /fuel/pages components. | [email protected] | 5.4 | 0.29% | 2025-02-12 | 2026-06-17 |
| CVE-2024-25369 | A reflected Cross-Site Scripting (XSS) vulnerability in FUEL CMS 1.5.2allows attackers to run arbitrary code via crafted string after the group_id parameter. | [email protected] | 5.4 | 0.38% | 2024-02-22 | 2026-06-17 |
| CVE-2020-24950 | SQL Injection vulnerability in file Base_module_model.php in Daylight Studio FUEL-CMS version 1.4.9, allows remote attackers to execute arbitrary code via the col parameter to function list_items. | [email protected] | 8.8 | 1.14% | 2023-08-11 | 2026-06-16 |
| CVE-2020-22153 | File Upload vulnerability in FUEL-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted .php file to the upload parameter in the navigation function. | [email protected] | 9.8 | 1.45% | 2023-07-03 | 2026-06-16 |
| CVE-2020-22152 | Cross Site Scripting vulnerability in daylight studio FUEL- CMS v.1.4.6 allows a remote attacker to execute arbitrary code via the page title, meta description and meta keywords of the pages function. | [email protected] | 5.4 | 0.58% | 2023-07-03 | 2026-06-16 |
| CVE-2020-22151 | Permissions vulnerability in Fuel-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted zip file to the assests parameter of the upload function. | [email protected] | 9.8 | 1.45% | 2023-07-03 | 2026-06-16 |
| CVE-2023-33557 | Fuel CMS v1.5.2 was discovered to contain a SQL injection vulnerability via the id parameter at /controllers/Blocks.php. | [email protected] | 8.8 | 0.80% | 2023-06-09 | 2026-06-17 |
| CVE-2021-36570 | Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /permissions/delete/2---. | [email protected] | 8.8 | 0.73% | 2023-02-03 | 2026-06-16 |
| CVE-2021-36569 | Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /users/delete/2. | [email protected] | 8.8 | 0.43% | 2023-02-03 | 2026-06-16 |
| CVE-2021-44117 | A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0 via a POST call to /fuel/sitevariables/delete/4. | [email protected] | 8.8 | 1.34% | 2022-06-10 | 2026-06-17 |
| CVE-2022-28599 | A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack. | [email protected] | 5.4 | 0.54% | 2022-05-03 | 2026-06-17 |
| CVE-2022-27156 | Daylight Studio Fuel CMS 1.5.1 is vulnerable to HTML Injection. | [email protected] | 5.4 | 0.47% | 2022-04-11 | 2026-06-17 |
| CVE-2021-44607 | A Cross Site Scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 in the Assets page via an SVG file. | [email protected] | 5.4 | 0.48% | 2022-02-24 | 2026-06-17 |