ExpressionEngine vulnerabilities
13 known vulnerabilities affecting expressionengine/expressionengine.
Total CVEs: 13
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 6, MEDIUM 6

Vulnerabilities
CVE-2020-13443 | P3 | HIGH | CVSS 8.8 | CWE-434 | fixed in 5.3.2 | 2020-06-24
ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions. A user with low privileges (member) is able to upload this. It is possible to bypass the MIME type check and file-extension check while uploading new files. Short aliases are not used.
Source: nvd
CVE-2023-22953 | P3 | HIGH | CVSS 8.8 | fixed in 7.2.6 | 2023-02-09
In ExpressionEngine before 7.2.6, remote code execution can be achieved by an authenticated Control Panel user.
Source: nvd
CVE-2021-27230 | P3 | HIGH | CVSS 8.8 | CWE-94 | fixed in 5.4.2; ≥ 6.0.0, < 6.0.3 | 2021-03-15
ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory.
Source: nvd
CVE-2017-0897 | P3 | HIGH | CVSS 7.5 | CWE-330 | versions: v2.0.0, v2.0.1, +75 more | 2017-06-22
ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution.
Source: nvd
CVE-2021-33199 | P3 | CRITICAL | CVSS 9.8 | CWE-20 | fixed in 6.0.3 | 2021-08-12
In Expression Engine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg.
Source: nvd
CVE-2020-8242 | P3 | HIGH | CVSS 7.2 | CWE-89 | ≤ 5.4.0 | 2022-02-18
Unsanitized user input in ExpressionEngine <= 5.4.0 control panel member creation leads to an SQL injection. The user needs member creation/admin control panel access to execute the attack.
Source: nvd
CVE-2025-59473 | P3 | HIGH | CVSS 7.2 | CWE-89 | ≥ 7.0.0, < 7.5.14 | 2026-01-26
SQL Injection vulnerability in the Structure for Admin authenticated user.
Source: nvd
CVE-2009-1070 | P4 | MEDIUM | CVSS 4.3 | PoC | CWE-79 | versions: v1.6.4, v1.6.5, +1 more | 2009-03-26
Cross-site scripting (XSS) vulnerability in system/index.php in ExpressionEngine 1.6.4 through 1.6.6, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the avatar parameter.
Source: nvd
CVE-2014-5387 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | ≤ 2.9.0; versions: v2.1.0, +18 more | 2014-11-04
Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine before 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[] parameter to system/index.php or the (3) tbl_sort[0][] parameter in the comment module to system/index.php.
Source: nvd
CVE-2021-44534 | P3 | MEDIUM | CVSS 6.5 | CWE-200 | ≥ 6.0.3, < 6.0.3 | 2024-05-31
Insufficient user input filtering leads to arbitrary file read by non-authenticated attacker, which results in sensitive information disclosure.
Source: nvd
CVE-2017-1000160 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v3.4.2 | 2017-11-17
EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting resulting in PHP code injection.
Source: nvd
CVE-2008-0202 | P4 | MEDIUM | CVSS 4.3 | CWE-94 | ≤ 1.2.1 | 2008-01-10
CRLF injection vulnerability in index.php in ExpressionEngine 1.2.1 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the URL parameter.
Source: nvd
CVE-2008-0201 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | ≤ 1.2.1 | 2008-01-10
Cross-site scripting (XSS) vulnerability in index.php in ExpressionEngine 1.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the URL parameter.
Source: nvd