CVE Tools

xoops

Web & CMS Pluginsoss-project

61

Cumulative CVEs

19

Monthly snapshots

#6

Peak rank

Top products

Latest CVEs

The 15 most recently published vulnerabilities affecting xoops.

CVE-2019-25433XOOPS CMS 2.5.9 SQL Injection via gerar_pdf.php8.2Feb 22, 2026
CVE-2023-36217Cross Site Scripting vulnerability in Xoops CMS v.2.5.10 allows a remote attacker to execute arbitrary code via the category name field of the image manager function.9.0Aug 3, 2023
CVE-2019-16684An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or in the Edit page, the payload executes.4.8Sep 30, 2019
CVE-2019-16683An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes.4.8Sep 30, 2019
CVE-2017-12139XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php.6.1Aug 2, 2017
CVE-2017-12138XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter.6.1Aug 2, 2017
CVE-2017-11174In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use o...9.8Jul 12, 2017
CVE-2017-7944XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php.6.1Apr 24, 2017
CVE-2017-7290SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. A...7.2Mar 30, 2017
CVE-2014-8999SQL injection vulnerability in htdocs/modules/system/admin.php in XOOPS before 2.5.7 Final allows remote authenticated users to execute arbitrary SQL commands via the selgroups parameter.6.5Nov 20, 2014
CVE-2012-0984Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or t...4.3Sep 11, 2014
CVE-2014-3935SQL injection vulnerability in glossaire-aff.php in the Glossaire module 1.0 for XOOPS allows remote attackers to execute arbitrary SQL commands via the lettre parameter.7.5Jun 2, 2014
CVE-2011-4565Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.5.1.a, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to incl...4.3Nov 28, 2011
CVE-2011-3822XOOPS 2.5.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/system/x...5.0Sep 24, 2011
CVE-2009-4851The activation resend function in the Profiles module in XOOPS before 2.4.1 sends activation codes in response to arbitrary activation requests, which allows remote attackers to bypass administrati...5.0May 7, 2010