Btcpayserver Btcpay Server — known CVE vulnerabilities
Every CVE whose affected-product data names Btcpayserver Btcpay Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (13)
CVE-2022-32984 — CVSS 7.5 (high): BTCPay Server 1.3.0 through 1.5.3 allows a remote attacker to obtain sensitive information when a public Point of Sale app is exposed. The…
CVE-2021-29246 — CVSS 6.7 (medium): BTCPay Server through 1.0.7.0 suffers from directory traversal, which allows an attacker with admin privileges to achieve code execution…
CVE-2021-29251 — CVSS 6.5 (medium): BTCPay Server before 1.0.7.1 mishandles the policy setting in which users can register (in Server Settings > Policies). This affects Docker…
CVE-2023-0879 — CVSS 6.3 (medium): Cross-site Scripting (XSS) - Stored in GitHub repository btcpayserver/btcpayserver prior to 1.7.12.
CVE-2021-3646 — CVSS 6.1 (medium): btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1149 — CVSS 5.4 (medium): Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.8.0.
CVE-2021-29250 — CVSS 5.4 (medium): BTCPay Server through 1.0.7.0 suffers from a Stored Cross Site Scripting (XSS) vulnerability within the POS Add Products functionality…
CVE-2021-3830 — CVSS 5.4 (medium): btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-29248 — CVSS 5.3 (medium): BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the Secure flag for a…
CVE-2023-0493 — CVSS 5.3 (medium): Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.7.5.
CVE-2021-29247 — CVSS 5.3 (medium): BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the HTTPOnly flag for…
CVE-2021-29245 — CVSS 5.3 (medium): BTCPay Server through 1.0.7.0 uses a weak method Next to produce pseudo-random values to generate a legacy API key.