CVE-2025-70866 — CVSS 8.8 (high): LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly…
CVE-2022-42188 — CVSS 7.5 (high): In Lavalite 9.0.0, the XSRF-TOKEN cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
CVE-2024-31828 — CVSS 6.1 (medium): Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via…
CVE-2025-71177 — CVSS 5.4 (medium): LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search…
CVE-2020-36395 — CVSS 5.4 (medium): A stored cross site scripting (XSS) vulnerability in the /admin/user/team component of LavaLite 5.8.0 allows authenticated attackers to…
CVE-2020-36396 — CVSS 5.4 (medium): A stored cross site scripting (XSS) vulnerability in the /admin/roles/role component of LavaLite 5.8.0 allows authenticated attackers to…
CVE-2020-36397 — CVSS 5.4 (medium): A stored cross site scripting (XSS) vulnerability in the /admin/contact/contact component of LavaLite 5.8.0 allows authenticated attackers…
CVE-2017-1000467 — CVSS 5.4 (medium): LavaLite version 5.2.4 is vulnerable to stored cross-site scripting vulnerability, within the blog creation page, which can result in…
CVE-2020-23234 — CVSS 4.8 (medium): Cross Site Scripting (XSS) vulnerabiity exists in LavaLite CMS 5.8.0 via the Menu Blocks feature, which can be bypassed by using HTML event…