
CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

19 Dec 2025 — Dotclear 2.25.3 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with a .phar extension through the blog post creation interface. Attackers can upload files containing PHP system commands that execute when the uploaded file is accessed, enabling arbitrary code execution on the server. • https://dotclear.org • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.7 | EPSS: 0% | CPEs: 1 | EXPL: 1

10 Dec 2025 — Dotclear 2.29 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload process by crafting a PHP shell with a command execution form to gain system access through the uploaded file. • https://git.dotclear.org/explore/repos • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

05 Mar 2024 — A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in Dotclear version 2.29. The flaw exists within the Search functionality of the Admin Panel. • https://packetstormsecurity.com/files/177239/Dotclear-2.29-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

02 Sep 2018 — A cross-site scripting (XSS) vulnerability in inc/core/class.dc.core.php in the media manager in Dotclear through 2.14.1 allows remote authenticated users to upload HTML content containing an XSS payload with the file extension .ahtml. • https://hg.dotclear.org/dotclear/rev/d4841d6d65d6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Jan 2018 — Cross-site scripting (XSS) vulnerability in admin/auth.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the malicious user's email. • http://dev.dotclear.org/2.0/changeset/3b0b868d58b00a1b216e0dc13c461bb3550ed3da • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Jan 2018 — Cross-site scripting (XSS) vulnerability in admin/users.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the nb parameter (aka the page limit number). • http://dev.dotclear.org/2.0/changeset/3b0b868d58b00a1b216e0dc13c461bb3550ed3da • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

05 Mar 2017 — XSS was discovered in Dotclear v2.11.2, affecting admin/blogs.php and admin/users.php via the sortby and order parameters. • http://www.securityfocus.com/bid/96575 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 1% | CPEs: 1 | EXPL: 3

09 Feb 2017 — Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.core.php in Dotclear before 2.8.2 allow remote authenticated users with "manage their own media items" and "manage their own entries and comments" permissions to execute arbitrary PHP code by uploading a file with a (1) .pht, (2) .phps, or (3) .phtml extension. • http://dotclear.org/blog/post/2015/10/25/Dotclear-2.8.2 • CWE-284: Improper Access Control

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 2

09 Feb 2017 — Cross-site scripting (XSS) vulnerability in admin/comments.php in Dotclear before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via the author name in a comment. • http://dotclear.org/blog/post/2015/10/25/Dotclear-2.8.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

04 Jan 2017 — Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header. • http://www.openwall.com/lists/oss-security/2016/10/05/5 • CWE-264: Permissions, Privileges, and Access Controls