CVE Tools

monstra

Web & CMS Pluginsoss-project

16

Cumulative CVEs

4

Monthly snapshots

#39

Peak rank

Top products

Latest CVEs

The 15 most recently published vulnerabilities affecting monstra.

CVE-2025-69906Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directl...8.8Feb 5, 2026
CVE-2024-36773A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Themes parameter at index.php.4.8Jun 7, 2024
CVE-2024-36775A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the About Me parameter in the Edit Pro...5.4Jun 6, 2024
CVE-2024-36774An arbitrary file upload vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary code via uploading a crafted PHP file.7.2Jun 6, 2024
CVE-2021-40940Monstra 3.0.4 does not filter the case of php, which leads to an unrestricted file upload vulnerability.9.8Jun 15, 2022
CVE-2021-36548A remote code execution (RCE) vulnerability in the component /admin/index.php?id=themes&action=edit_template&filename=blog of Monstra v3.0.4 allows attackers to execute arbitrary commands via a cra...9.8Oct 28, 2021
CVE-2020-20691An issue in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via bypassing the file extension filter and uploading crafted HTML files.6.5Sep 27, 2021
CVE-2020-23697Cross Site Scripting vulnerabilty in Monstra CMS 3.0.4 via the page feature in admin/index.php.5.4Jul 6, 2021
CVE-2020-23219Monstra CMS 3.0.4 allows attackers to execute arbitrary code via a crafted payload entered into the "Snippet content" field under the "Edit Snippet" module.8.8Jul 1, 2021
CVE-2020-23205A stored cross site scripting (XSS) vulnerability in Monstra CMS version 3.0.4 allows attackers to execute arbitrary web scripts or HTML via crafted a payload entered into the "Site Name" field und...5.4Jul 1, 2021
CVE-2020-25414A local file inclusion vulnerability was discovered in the captcha function in Monstra 3.0.4 which allows remote attackers to execute arbitrary PHP code.9.8Jun 17, 2021
CVE-2020-13978Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting th...7.2Jun 9, 2020
CVE-2020-13384Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames...8.8May 22, 2020
CVE-2020-8439Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit ...6.5Mar 7, 2020
CVE-2018-19599Monstra CMS 1.6 allows XSS via an uploaded SVG document to the admin/index.php?id=filesmanager&path=uploads/ URI. NOTE: this is a discontinued product.5.4Mar 2, 2020