cvebase

Thedaylightstudio Fuel Cms vulnerabilities

40 known vulnerabilities affecting thedaylightstudio/fuel_cms.

Total CVEs: 40
CISA KEV: 1 (actively exploited)
Public exploits: 2
Exploited in wild: 2
Severity breakdown: CRITICAL 11, HIGH 15, MEDIUM 14

Vulnerabilities

Page 1 of 2
CVE-2020-17463 | P1 | CRITICAL | CVSS 9.8 | KEV | PoC | v1.4.7 | 2020-08-13
CWE-89: FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
Source: nvd
CVE-2018-16763 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC | ≤ 1.4.2 | 2018-09-09
CWE-74: FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
Source: nvd
CVE-2020-24791 | P2 | CRITICAL | CVSS 9.8 | v1.4.8 | 2021-03-10
CWE-89: FUEL CMS 1.4.8 allows SQL injection via the 'fuel_replace_id' parameter in pages/replace/1. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Source: nvd
CVE-2020-26045 | P3 | CRITICAL | CVSS 9.8 | v1.4.11 | 2021-01-05
CWE-89: FUEL CMS 1.4.11 allows SQL Injection via parameter 'name' in /fuel/permissions/create/. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Source: nvd
CVE-2026-30460 | P3 | HIGH | CVSS 8.8 | v1.5.2 | 2026-04-07
CWE-94: Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module.
Source: nvd
CVE-2026-30457 | P3 | CRITICAL | CVSS 9.8 | v1.5.2 | 2026-03-26
CWE-94: An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code.
Source: nvd
CVE-2020-26167 | P3 | CRITICAL | CVSS 9.8 | ≤ 1.4.12 | 2020-11-04
In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any account including an administrator one.
Source: nvd
CVE-2026-30461 | P3 | HIGH | CVSS 8.3 | v1.5.2 | 2026-04-15
CWE-77: Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.
Source: nvd
CVE-2020-22151 | P3 | CRITICAL | CVSS 9.8 | v1.4.6 | 2023-07-03
CWE-434: Permissions vulnerability in Fuel-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted zip file to the assests parameter of the upload function.
Source: nvd
CVE-2020-22153 | P3 | CRITICAL | CVSS 9.8 | v1.4.6 | 2023-07-03
CWE-434: File Upload vulnerability in FUEL-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted .php file to the upload parameter in the navigation function.
Source: nvd
CVE-2018-16762 | P3 | CRITICAL | CVSS 9.8 | ≤ 1.4.2 | 2018-09-09
CWE-89: FUEL CMS 1.4.1 allows SQL Injection via the layout, published, or search_term parameter to pages/items.
Source: nvd
CVE-2020-24950 | P3 | HIGH | CVSS 8.8 | v1.4.9 | 2023-08-11
CWE-89: SQL Injection vulnerability in file Base_module_model.php in Daylight Studio FUEL-CMS version 1.4.9, allows remote attackers to execute arbitrary code via the col parameter to function list_items.
Source: nvd
CVE-2021-38727 | P3 | CRITICAL | CVSS 9.8 | v1.5.0 | 2021-09-09
CWE-89: FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/logs/items
Source: nvd
CVE-2026-30458 | P3 | CRITICAL | CVSS 9.1 | v1.5.2 | 2026-03-26
CWE-620: An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset tokens via a mail splitting attack.
Source: nvd
CVE-2021-38723 | P3 | HIGH | CVSS 8.8 | v1.5.0 | 2021-09-09
CWE-89: FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/pages/items
Source: nvd
CVE-2026-30463 | P3 | HIGH | CVSS 7.7 | v1.5.2 | 2026-03-26
CWE-89: Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component.
Source: nvd
CVE-2020-23722 | P3 | HIGH | CVSS 8.8 | v1.4.7 | 2021-03-10
CWE-639: An issue was discovered in FUEL CMS 1.4.7. There is an escalation of privilege vulnerability to obtain super admin privilege via the "id" and "fuel_id" parameters.
Source: nvd
CVE-2023-33557 | P3 | HIGH | CVSS 8.8 | v1.5.2 | 2023-06-09
CWE-89: Fuel CMS v1.5.2 was discovered to contain a SQL injection vulnerability via the id parameter at /controllers/Blocks.php.
Source: nvd
CVE-2019-15229 | P3 | HIGH | CVSS 8.8 | ≤ 1.4.4 | 2019-08-20
CWE-352: FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of the Admin console. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.
Source: nvd
CVE-2021-38290 | P3 | HIGH | CVSS 8.1 | ≤ 1.5.0 | 2021-08-09
CWE-74: A host header attack vulnerability exists in FUEL CMS 1.5.0 through fuel/modules/fuel/config/fuel_constants.php and fuel/modules/fuel/libraries/Asset.php. An attacker can use a man in the middle attack such as phishing.
Source: nvd