CVE Tools

awstats

Enterprise Softwareoss-project

22

Cumulative CVEs

10

Monthly snapshots

#22

Peak rank

Top products

Latest CVEs

The 15 most recently published vulnerabilities affecting awstats.

CVE-2025-63261AWStats 8.0 is vulnerable to Command Injection via the open function7.8Mar 20, 2026
CVE-2022-46391AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks.6.1Dec 4, 2022
CVE-2020-35176In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf ...5.3Dec 11, 2020
CVE-2020-29600In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists bec...9.8Dec 7, 2020
CVE-2018-10245A Full Path Disclosure vulnerability in AWStats through 7.6 allows remote attackers to know where the config file is allocated, obtaining the full path of the server, a similar issue to CVE-2006-36...5.3Apr 20, 2018
CVE-2017-1000501Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.9.8Jan 3, 2018
CVE-2010-4369Directory traversal vulnerability in AWStats before 7.0 allows remote attackers to have an unspecified impact via a crafted LoadPlugin directory.6.4Dec 2, 2010
CVE-2010-4368awstats.cgi in AWStats before 7.0 on Windows accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located at a UNC ...7.5Dec 2, 2010
CVE-2010-4367awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located on a (1) WebDAV serv...7.5Dec 2, 2010
CVE-2009-5020Open redirect vulnerability in awredir.pl in AWStats before 6.95 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.5.8Dec 2, 2010
CVE-2008-5080awstats.pl in AWStats 6.8 and earlier does not properly remove quote characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the query_string parameter. NOTE: t...4.3Dec 3, 2008
CVE-2008-3714Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-36...4.3Aug 19, 2008
CVE-2006-3682awstats.pl in AWStats 6.5 build 1.857 and earlier allows remote attackers to obtain the installation path via the (1) year, (2) pluginmode or (3) month parameters.5.0Jul 18, 2006
CVE-2006-3681Multiple cross-site scripting (XSS) vulnerabilities in awstats.pl in AWStats 6.5 build 1.857 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) refererpagesfilter...2.6Jul 18, 2006
CVE-2006-2644AWStats 6.5, and possibly other versions, allows remote authenticated users to execute arbitrary code by using the configdir parameter to awstats.pl to upload a configuration file whose name contai...4.0May 30, 2006