CVSS: 4.3 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2026-25633 – Statamic's missing authorization allows access to assets
https://notcve.org/view.php?id=CVE-2026-25633
11 Feb 2026 — Statamic is a Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this, so exploitation requires an authenticated control-panel account. This has been fixed in 5.73.6 and 6.2.5. • https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a • CWE-862: Missing Authorization •
CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-64112 – Statamic vulnerable to Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2025-64112
30 Oct 2025 — Statamic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when the content is viewed by higher-privileged users. This vulnerability is fixed in 5.22.1. • https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8 • EPSS: 0% • CPEs: 5 • EXPL: 1 • CVE-2025-12331 – Willow CMS add unrestricted upload
https://notcve.org/view.php?id=CVE-2025-12331
27 Oct 2025 — A weakness has been identified in Willow CMS up to 1.4.0. An unknown function of the file /admin/images/add is affected; manipulation of the upload request results in an unrestricted upload of files with dangerous types. The attack can be launched remotely. The exploit has been made available to the public and could be used. • https://github.com/matthewdeaves/willow/issues/132 • CWE-284: Improper Access Control CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.8 • EPSS: 0% • CPEs: 5 • EXPL: 1 • CVE-2025-12330 – Willow CMS Add Post add cross site scripting
https://notcve.org/view.php?id=CVE-2025-12330
27 Oct 2025 — A security flaw has been discovered in Willow CMS up to 1.4.0. This issue affects some unknown processing of the file /admin/articles/add of the component Add Post Page. Manipulation of the argument title or body results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used. • https://github.com/matthewdeaves/willow/issues/131 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-10940 – Total.js CMS Layout admin layouts_save cross site scripting
https://notcve.org/view.php?id=CVE-2025-10940
25 Sep 2025 — A vulnerability was found in Total.js CMS 1.0.0. Affected by this vulnerability is the function layouts_save of the file /admin/ of the component Layout Page. Manipulation of the argument HTML results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and could be used. • https://vuldb.com/?ctiid.325810 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
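Added example for the three stored-XSS entries above (Statamic, Willow CMS, Total.js CMS). This is not code from any of those projects: it shows the shared pattern, a low-privileged author's stored field rendered into a page an administrator later views, with the unescaped rendering beside the context-aware escaped one, plus a parser-based check that reports which tags and event handlers a browser would actually see. The entry, its field names and the payloads are constructed for illustration.

```python
"""Stored XSS: a stored 'title' / 'body' field rendered without output
encoding, next to the hardened rendering. Added example, not code from
Statamic, Willow CMS or Total.js; the entry below is constructed."""
import html
import json
from html.parser import HTMLParser

# Constructed: what a low-privileged author could save through an
# "add post" form. Not a payload taken from any of the advisories.
STORED_ENTRY = {
    "title": '<img src=x onerror="alert(document.cookie)">',
    "body": 'Hello" autofocus onfocus="alert(1)',
}


def render_unsafe(entry: dict) -> str:
    """Vulnerable pattern: stored values are concatenated straight into
    the page, so whatever the author saved runs in the viewer's browser
    (an admin reviewing the post, in the entries above)."""
    return f'<h1>{entry["title"]}</h1><input value="{entry["body"]}">'


def render_safe(entry: dict) -> str:
    """Hardened pattern: escape on output, for the context the value lands
    in. html.escape(quote=True) neutralises < > & " and ', which covers
    element text and double-quoted attribute values."""
    title = html.escape(entry["title"], quote=True)
    body = html.escape(entry["body"], quote=True)
    return f'<h1>{title}</h1><input value="{body}">'


def embed_in_script(entry: dict) -> str:
    """Inline JavaScript is a different context and needs a different
    encoder: JSON-encode, then escape '<' so a stored '</script>' cannot
    close the block early. HTML escaping would corrupt the JSON here."""
    payload = json.dumps(entry).replace("<", "\\u003c")
    return f"<script>var entry = {payload};</script>"


class _TagCollector(HTMLParser):
    """Records every start tag and every on* attribute the browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []
        self.event_handlers: list = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_handlers.extend(n for n, _ in attrs if n.startswith("on"))


def active_content(rendered: str, expected_tags=("h1", "input")) -> dict:
    """Review check: tokenise the rendered HTML the way a browser does and
    report tags the template did not put there plus any event handlers.
    Escaped text never reaches handle_starttag, so an empty result means
    the stored payload stayed inert."""
    p = _TagCollector()
    p.feed(rendered)
    p.close()
    return {
        "unexpected_tags": [t for t in p.tags if t not in expected_tags],
        "event_handlers": p.event_handlers,
    }


if __name__ == "__main__":
    print(active_content(render_unsafe(STORED_ENTRY)))  # img tag, two handlers
    print(active_content(render_safe(STORED_ENTRY)))    # nothing active
```

The check deliberately parses rather than pattern-matches: a naive `"onerror=" in output` test still fires on the escaped output, because escaping only touches the five HTML metacharacters, not the attribute name.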
CVSS: 8.8 • EPSS: 50% • CPEs: 1 • EXPL: 2 • CVE-2025-34086 – Bolt CMS Authenticated Remote Code Execution via Profile Injection and File Rename
https://notcve.org/view.php?id=CVE-2025-34086
03 Jul 2025 — Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can then list and rename cached session files via the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path under the publicly accessible /fil... • https://boltcms.io/newsitem/major-announcements-bolt-3-eol-bolt-4-2-5-0-releases • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.5 • EPSS: 21% • CPEs: 1 • EXPL: 2 • CVE-2025-34076 – Microweber CMS Authenticated Local File Inclusion via Backup API
https://notcve.org/view.php?id=CVE-2025-34076
02 Jul 2025 — An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifying an absolute file path in the src parameter of the upload request, the server may relocate or delete the target file depending on the web service user’s privileges. The corresponding download endpoint can then ... • https://github.com/microweber/microweber • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
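Added example covering the three file-handling entries above: the Willow CMS unrestricted upload, the Bolt CMS rename of a session file into a web-served directory, and the Microweber backup API accepting an absolute path in its src parameter. It is not code from any of those projects; it shows the containment and allow-list checks each endpoint was missing, implemented over plain filesystem paths. The roots, file names and the allowed-extension set are constructed assumptions.

```python
"""Containment checks for filesystem paths that arrive in requests: the
backup 'src' parameter (Microweber entry), an uploaded file name (Willow
CMS entry) and a rename destination (Bolt CMS entry). Added example, not
code from any of those projects; roots and names are constructed."""
import os
import posixpath

# Constructed policy: what an image/document upload endpoint may accept.
ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


class PathRejected(ValueError):
    """Raised for any path the endpoint must not touch."""


def resolve_within(root: str, requested: str) -> str:
    """Resolve `requested` relative to `root` and return it only if it still
    lies under `root`. realpath() on both sides folds '..' segments and
    symlinks before the prefix comparison, which is what a plain string
    startswith() check gets wrong. Absolute input is refused outright: the
    Microweber src parameter bug is exactly an absolute path being honoured."""
    root_real = os.path.realpath(root)
    if os.path.isabs(requested):
        raise PathRejected(f"absolute path not allowed: {requested!r}")
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathRejected(f"path escapes {root!r}: {requested!r}")
    return candidate


def safe_upload_name(filename: str) -> str:
    """Uploads: strip any directory part the client sent, refuse dot-files
    (.htaccess) and allow-list the final extension. The web server must also
    be configured not to execute anything under the upload directory; this
    check alone does not protect a misconfigured vhost."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        raise PathRejected(f"bad file name: {filename!r}")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_UPLOAD_EXT:
        raise PathRejected(f"extension not allowed: {ext!r}")
    return name


def safe_rename_target(root: str, src: str, dst: str) -> tuple:
    """Renames: both ends must resolve under the same managed root and the
    destination must carry an allow-listed extension, so a cached session
    file cannot be moved under a web-served directory with a .php name."""
    src_path = resolve_within(root, src)
    dst_path = resolve_within(root, dst)
    safe_upload_name(os.path.basename(dst_path))
    return src_path, dst_path


if __name__ == "__main__":
    root = "/srv/app/var"  # constructed
    print(safe_rename_target(root, "uploads/a.jpg", "uploads/b.jpg"))
    for bad in ("../public/files/x.php", "public/x.php"):
        try:
            safe_rename_target(root, "cache/.sessions/abc.session", bad)
        except PathRejected as e:
            print("rejected:", e)
```

Note that the rename check reuses the upload allow-list for the destination name; a rename endpoint that only verified containment would still let a .session file become .php inside the same root.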
CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2025-5435 – Marwal Infotech CMS page.php sql injection
https://notcve.org/view.php?id=CVE-2025-5435
02 Jun 2025 — A vulnerability was found in Marwal Infotech CMS 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /page.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. • https://vuldb.com/?id.310768 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2025-5434 – Aem Solutions CMS page.php sql injection
https://notcve.org/view.php?id=CVE-2025-5434
02 Jun 2025 — A vulnerability was found in Aem Solutions CMS up to 1.0. It has been classified as critical. This affects an unknown part of the file /page.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. • https://github.com/YZS17/CVE/blob/main/SQL/SQLi%20in%20Aem%20Solutions%20CMS%20v1.0.md • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2025-5432 – AssamLook CMS view_tender.php sql injection
https://notcve.org/view.php?id=CVE-2025-5432
02 Jun 2025 — A vulnerability has been found in AssamLook CMS 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /view_tender.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/YZS17/CVE/blob/main/SQL/SQLi%20in%20AssamLook%20CMS-v1.0.md • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
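Added example for the three numeric-ID SQL injection entries above (page.php and view_tender.php, argument ID). It is not code from those CMS projects: it reproduces the class of bug against an in-memory SQLite table, with the parameterised query beside it, and shows why binding alone already defeats the tautology even before the integer check. The table, its rows and the payload are constructed for illustration.

```python
"""Numeric-ID SQL injection against an in-memory SQLite table, with the
parameterised fix beside it. Added example, not code from the CMS
projects listed; the table, rows and payload are constructed."""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed fixture: three pages, one of them unpublished."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(1, "Home", 1), (2, "Tenders", 1), (3, "Unreleased pricing", 0)],
    )
    return conn


def fetch_page_unsafe(conn: sqlite3.Connection, page_id: str) -> list:
    """Vulnerable pattern: the request argument is pasted into the SQL text.
    A value such as '1 OR 1=1 --' turns the WHERE clause into a tautology
    and comments out the published filter, so every row comes back."""
    sql = f"SELECT id, title FROM pages WHERE id = {page_id} AND published = 1"
    return conn.execute(sql).fetchall()


def fetch_page_safe(conn: sqlite3.Connection, page_id: str) -> list:
    """Hardened pattern: validate the type the column expects, then bind the
    value as a parameter so the database never parses it as SQL."""
    try:
        pid = int(page_id)
    except (TypeError, ValueError):
        raise ValueError(f"page id must be an integer, got {page_id!r}")
    return conn.execute(
        "SELECT id, title FROM pages WHERE id = ? AND published = 1", (pid,)
    ).fetchall()


def fetch_page_bound_only(conn: sqlite3.Connection, page_id: str) -> list:
    """Binding without the int() check is already enough to stop injection:
    the string is compared as a value, never executed. SQLite's affinity
    rules still convert a plain '2' to the integer 2, so legitimate ids
    keep working, while '1 OR 1=1 --' stays text and matches nothing."""
    return conn.execute(
        "SELECT id, title FROM pages WHERE id = ? AND published = 1", (page_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print(fetch_page_unsafe(db, "1 OR 1=1 --"))   # all rows, draft included
    print(fetch_page_bound_only(db, "1 OR 1=1 --"))  # []
```

The integer check in fetch_page_safe is there for a clean 400-style error on bad input and to stop the value reaching a second, unparameterised consumer downstream; the parameter binding is what removes the injection.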
