cbcvebase.

Alfasado Powercms vulnerabilities

11 known vulnerabilities affecting alfasado/powercms.

Total CVEs
11
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH3MEDIUM6

Vulnerabilities

Page 1 of 1
CVE-2022-33941P2CRITICALCVSS 9.8≤ 4.51≥ 5.0, ≤ 5.21+1 more2022-09-08
CVE-2022-33941 [CRITICAL] CWE-78 CVE-2022-33941: PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability. Sending a PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability. Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products/versions are as follows: PowerCMS 6.021 and earlier (PowerCMS 6 Series
nvd
CVE-2021-20850P3CRITICALCVSS 9.8≥ 2.0, ≤ 2.058≥ 3.01, ≤ 3.295+2 more2021-11-24
CVE-2021-20850 [CRITICAL] CWE-78 CVE-2021-20850: PowerCMS XMLRPC API of PowerCMS 5.19 and earlier, PowerCMS 4.49 and earlier, PowerCMS 3.295 and earl PowerCMS XMLRPC API of PowerCMS 5.19 and earlier, PowerCMS 4.49 and earlier, PowerCMS 3.295 and earlier, and PowerCMS 2 Series (End-of-Life, EOL) allows a remote attacker to execute an arbitrary OS command via unspecified vectors.
nvd
CVE-2025-54757P3HIGHCVSS 8.0≥ 4.0, < 4.61≥ 5.0, < 5.31+1 more2025-07-31
CVE-2025-54757 [HIGH] CWE-434 CVE-2025-54757: Multiple versions of PowerCMS allow unrestricted upload of dangerous files. If a product administrat Multiple versions of PowerCMS allow unrestricted upload of dangerous files. If a product administrator accesses a malicious file uploaded by a product user, an arbitrary script may be executed on the browser.
nvd
CVE-2025-46359P3HIGHCVSS 7.2≥ 4.0, < 4.61≥ 5.0, < 5.31+1 more2025-07-31
CVE-2025-46359 [HIGH] CWE-22 CVE-2025-46359: A path traversal issue exists in backup and restore feature of multiple versions of PowerCMS. A prod A path traversal issue exists in backup and restore feature of multiple versions of PowerCMS. A product administrator may execute arbitrary code by restoring a crafted backup file.
nvd
CVE-2025-54752P3HIGHCVSS 8.0≥ 4.0, < 4.61≥ 5.0, < 5.31+1 more2025-07-31
CVE-2025-54752 [HIGH] CWE-1236 CVE-2025-54752: Multiple versions of PowerCMS improperly neutralize formula elements in a CSV file. If a product us Multiple versions of PowerCMS improperly neutralize formula elements in a CSV file. If a product user creates a malformed entry and a victim user downloads it as a CSV file and opens it in the user's environment, the embedded code may be executed.
nvd
CVE-2025-41396P3MEDIUMCVSS 6.5≥ 4.0, < 4.61≥ 5.0, < 5.31+1 more2025-07-31
CVE-2025-41396 [MEDIUM] CWE-22 CVE-2025-41396: A path traversal issue exists in file uploading feature of multiple versions of PowerCMS. Arbitrary A path traversal issue exists in file uploading feature of multiple versions of PowerCMS. Arbitrary files may be overwritten by a product user.
nvd
CVE-2023-50297P4MEDIUMCVSS 6.1fixed in 4.55≥ 5.0, < 5.25+1 more2023-12-26
CVE-2023-50297 [MEDIUM] CWE-601 CVE-2023-50297: Open redirect vulnerability in PowerCMS (6 Series, 5 Series, and 4 Series) allows a remote unauthent Open redirect vulnerability in PowerCMS (6 Series, 5 Series, and 4 Series) allows a remote unauthenticated attacker to redirect users to arbitrary web sites via a specially crafted URL. Note that all versions of PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability.
nvd
CVE-2025-36563P4MEDIUMCVSS 6.1≥ 4.0, < 4.61≥ 5.0, < 5.31+1 more2025-07-31
CVE-2025-36563 [MEDIUM] CWE-79 CVE-2025-36563: Reflected cross-site scripting vulnerability exists in multiple versions of PowerCMS. If a product a Reflected cross-site scripting vulnerability exists in multiple versions of PowerCMS. If a product administrator accesses a crafted URL, an arbitrary script may be executed on the browser.
nvd
CVE-2023-49117P4MEDIUMCVSS 5.4fixed in 4.55≥ 5.0, < 5.25+1 more2023-12-26
CVE-2023-49117 [MEDIUM] CWE-79 CVE-2023-49117: PowerCMS (6 Series, 5 Series, and 4 Series) contains a stored cross-site scripting vulnerability. If PowerCMS (6 Series, 5 Series, and 4 Series) contains a stored cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on a logged-in user's web browser. Note that all versions of PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability.
nvd
CVE-2025-41391P4MEDIUMCVSS 5.4≥ 4.0, < 4.61≥ 5.0, < 5.31+1 more2025-07-31
CVE-2025-41391 [MEDIUM] CWE-79 CVE-2025-41391: Stored cross-site scripting vulnerability exists in multiple versions of PowerCMS. If a product user Stored cross-site scripting vulnerability exists in multiple versions of PowerCMS. If a product user accesses a malicious page, an arbitrary script may be executed on the browser.
nvd
CVE-2019-6020P4MEDIUMCVSS 6.1≥ 3.01, ≤ 3.293≥ 4.0, ≤ 4.42+1 more2019-12-26
CVE-2019-6020 [MEDIUM] CWE-601 CVE-2019-6020: Open redirect vulnerability in PowerCMS 5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS Open redirect vulnerability in PowerCMS 5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS 4.x), and 3.293 and earlier (PowerCMS 3.x) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL.
nvd
Alfasado Powercms vulnerabilities | cvebase