Products

1 vendor
| Vendor | Products | CVEs | KEV | Avg EPSS | Worst Severity |
|---|---|---|---|---|---|
|  | 1 | 19 | 0 | 41.3% | CRITICAL |

Related CVEs

19
| CVE ID | Description | Severity | CVSS | KEV | EPSS | Published |
|---|---|---|---|---|---|---|
| CVE-2025-70866 | LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider without role-based access control verification. | HIGH | 8.8 |  | 35.6% | Feb 13, 2026 |
| CVE-2025-71177 | LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim. | MEDIUM | 5.1 |  | 9.7% | Jan 23, 2026 |
| CVE-2024-31828 | Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL. | MEDIUM | 6.1 |  | 39.0% | Apr 26, 2024 |
| CVE-2023-36984 | LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure. | HIGH | 7.5 |  | 43.6% | Aug 1, 2023 |
| CVE-2023-36983 | LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure. | HIGH | 7.5 |  | 43.6% | Aug 1, 2023 |
| CVE-2023-30124 | LavaLite v9.0.0 is vulnerable to Cross Site Scripting (XSS). | MEDIUM | 5.4 |  | 30.2% | May 18, 2023 |
| CVE-2023-27238 | LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning. | CRITICAL | 9.8 |  | 54.1% | May 12, 2023 |
| CVE-2023-27237 | LavaLite CMS v 9.0.0 was discovered to be vulnerable to a host header injection attack. | MEDIUM | 6.1 |  | 43.7% | May 12, 2023 |
| CVE-2022-42188 | In Lavalite 9.0.0, the XSRF-TOKEN cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. | HIGH | 7.5 |  |  | Oct 18, 2022 |
| CVE-2020-23234 | Cross Site Scripting (XSS) vulnerability exists in LavaLite CMS 5.8.0 via the Menu Blocks feature, which can be bypassed by using HTML event handlers, such as "ontoggle,". | MEDIUM | 4.8 |  | 45.4% | Jul 26, 2021 |
| CVE-2020-23700 | Cross Site Scripting (XSS) vulnerability in LavaLite-CMS 5.8.0 via the Menu Links feature. | MEDIUM | 4.8 |  | 43.7% | Jul 7, 2021 |
| CVE-2020-36397 | A stored cross site scripting (XSS) vulnerability in the /admin/contact/contact component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter. | MEDIUM | 5.4 |  | 39.7% | Jul 2, 2021 |
| CVE-2020-36396 | A stored cross site scripting (XSS) vulnerability in the /admin/roles/role component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter. | MEDIUM | 5.4 |  | 39.0% | Jul 2, 2021 |
| CVE-2020-36395 | A stored cross site scripting (XSS) vulnerability in the /admin/user/team component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter. | MEDIUM | 5.4 |  | 39.7% | Jul 2, 2021 |
| CVE-2020-28124 | Cross Site Scripting (XSS) in LavaLite 5.8.0 via the Address field. | MEDIUM | 5.4 |  | 39.9% | Apr 14, 2021 |
| CVE-2019-18883 | XSS exists in Lavalite CMS 5.7 via the admin/profile name or designation field. | MEDIUM | 6.1 |  | 54.4% | Nov 13, 2019 |
| CVE-2019-17434 | LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen. | MEDIUM | 5.4 |  | 44.2% | Oct 10, 2019 |
| CVE-2018-16551 | LavaLite 5.5 has XSS via a /edit URI, as demonstrated by client/job/job/Zy8PWBekrJ/edit. | NONE |  |  | 47.2% | Sep 5, 2018 |
| CVE-2017-1000467 | LavaLite version 5.2.4 is vulnerable to stored cross-site scripting vulnerability, within the blog creation page, which can result in disruption of service and execution of javascript code. | NONE |  |  | 49.9% | Jan 3, 2018 |