Products

1 vendor
| Vendor | Products | CVEs | KEV | Avg EPSS | Worst Severity |
|---|---|---|---|---|---|
| | 1 | 14 | 0 | 34.9% | CRITICAL |

Related CVEs

14
| CVE ID | Description | Severity | CVSS | KEV | EPSS | Published |
|---|---|---|---|---|---|---|
| CVE-2025-60319 | PerfreeBlog v4.0.11 is vulnerable to Server-Side Request Forgery due to a missing authorization check in the uploadAttachByUrl API endpoint (AttachController.java). | MEDIUM | 6.5 | | 15.1% | Oct 30, 2025 |
| CVE-2025-60735 | PerfreeBlog v4.0.11 has a File Upload vulnerability in the installPlugin function | HIGH | 7.6 | | 19.5% | Oct 24, 2025 |
| CVE-2025-60731 | PerfreeBlog v4.0.11 has a File Upload vulnerability in the installTheme function | HIGH | 7.6 | | 19.5% | Oct 24, 2025 |
| CVE-2025-60730 | PerfreeBlog v4.0.11 has an arbitrary file deletion vulnerability in the unInstallTheme function | HIGH | 7.6 | | 22.3% | Oct 24, 2025 |
| CVE-2025-60729 | PerfreeBlog v4.0.11 has an arbitrary file read vulnerability in the validThemeFilePath function | MEDIUM | 5.3 | | 25.0% | Oct 24, 2025 |
| CVE-2025-29421 | PerfreeBlog v4.0.11 has an arbitrary file read vulnerability in the getThemeFileContent function. | HIGH | 7.5 | | 25.4% | Aug 25, 2025 |
| CVE-2025-29420 | PerfreeBlog v4.0.11 has a directory traversal vulnerability in the getThemeFilesByName function. | HIGH | 7.5 | | 53.5% | Aug 25, 2025 |
| CVE-2025-5164 | A vulnerability has been found in PerfreeBlog 4.0.11 and classified as problematic. This vulnerability affects the function JwtUtil of the component JWT Handler. The manipulation leads to use of hard-coded cryptographic key. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | MEDIUM | 6.3 | | 45.2% | May 26, 2025 |
| CVE-2025-29281 | In PerfreeBlog version 4.0.11, regular users can exploit the arbitrary file upload vulnerability in the attach component to upload arbitrary files and execute code within them. | HIGH | 8.8 | | 43.1% | Apr 15, 2025 |
| CVE-2025-29280 | Stored cross-site scripting vulnerability exists in PerfreeBlog v4.0.11 in the website name field of the backend system settings interface allows an attacker to insert and execute arbitrary malicious code. | MEDIUM | 4.8 | | 12.2% | Apr 15, 2025 |
| CVE-2023-40825 | An issue in Perfree PerfreeBlog v.3.1.2 allows a remote attacker to execute arbitrary code via crafted plugin listed in admin/plugin/access/list. | HIGH | 7.2 | | 58.9% | Aug 28, 2023 |
| CVE-2023-30333 | An arbitrary file upload vulnerability in the component /admin/ThemeController.java of PerfreeBlog v3.1.2 allows attackers to execute arbitrary code via a crafted file. | CRITICAL | 9.8 | | 56.3% | May 18, 2023 |
| CVE-2023-29643 | Cross Site Scripting (XSS) vulnerability in PerfreeBlog 3.1.2 allows attackers to execute arbitrary code via the Post function. | MEDIUM | 5.4 | | 36.4% | May 1, 2023 |
| CVE-2023-27757 | An arbitrary file upload vulnerability in the /admin/user/uploadImg component of PerfreeBlog v3.1.1 allows attackers to execute arbitrary code via a crafted JPG file. | CRITICAL | 9.8 | | 56.3% | Mar 15, 2023 |