CVE-2019-10262 — CVSS 9.8 (critical): A SQL Injection issue was discovered in BlueCMS 1.6. The variable $ad_id is spliced directly in uploads/admin/ad.php in the admin folder…
CVE-2019-9594 — CVSS 9.8 (critical): BlueCMS 1.6 allows SQL Injection via the user_id parameter in an uploads/admin/user.php?act=edit request.
CVE-2010-4897 — CVSS 7.5 (high): SQL injection vulnerability in comment.php in BlueCMS 1.6 allows remote attackers to execute arbitrary SQL commands via the X-Forwarded-For…
CVE-2024-45894 — CVSS 4.9 (medium): BlueCMS 1.6 suffers from Arbitrary File Deletion via the file_name parameter in an /admin/database.php?act=del request.
CVE-2025-29150 — CVSS 4.3 (medium): BlueCMS 1.6 suffers from Arbitrary File Deletion via the id parameter in an /publish.php?act=del request.