Search
Search Results (7 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-40500 | 1 Processwire | 1 Processwire | 2026-07-09 | 6.8 Medium |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. The "Add Module from URL" feature requires superuser privileges (root-equivalent in ProcessWire) who already has unrestricted arbitrary code execution via standard module upload, making the SSRF vector incapable of providing incremental attack surface. The feature is also disabled by default and requires direct filesystem access to enable. | ||||
| CVE-2024-41597 | 1 Processwire | 1 Processwire | 2026-07-09 | 4.2 Medium |
| Cross Site Request Forgery vulnerability in ProcessWire v.3.0.229 allows a remote attacker to insert a comment. NOTE: this is disputed by the Supplier because the product intentionally accepts anonymous, unauthenticated comments and thus there are fewer situations in which CSRF would be a useful attack technique. Also, the submitted comments are, by default, held for moderator review. | ||||
| CVE-2025-60790 | 1 Processwire | 1 Processwire | 2025-11-07 | 6.5 Medium |
| ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limits prior to validation, enabling resource-exhaustion Denial of Service. | ||||
| CVE-2023-24676 | 1 Processwire | 1 Processwire | 2025-10-17 | 7.2 High |
| An issue found in ProcessWire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the download_zip_url parameter when installing a new module. NOTE: this is disputed because exploitation requires that the attacker is able to enter requests as an admin; however, a ProcessWire admin is intentionally allowed to install any module that contains any arbitrary code. | ||||
| CVE-2022-40488 | 1 Processwire | 1 Processwire | 2025-05-06 | 6.5 Medium |
| ProcessWire v3.0.200 was discovered to contain a Cross-Site Request Forgery (CSRF). | ||||
| CVE-2022-40487 | 1 Processwire | 1 Processwire | 2025-05-06 | 6.1 Medium |
| ProcessWire v3.0.200 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Search Users and Search Pages function. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML via injection of a crafted payload. | ||||
| CVE-2020-27467 | 1 Processwire | 1 Processwire | 2024-11-21 | 7.5 High |
| A Directory Traversal vulnerability exits in Processwire CMS before 2.7.1 via the download parameter to index.php. | ||||
Page 1 of 1.