Thedaylightstudio Fuel Cms — known CVE vulnerabilities
Every CVE whose affected-product data names Thedaylightstudio Fuel Cms, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (40)
CVE-2020-26167 — CVSS 9.8 (critical): In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any account including an…
CVE-2020-26045 — CVSS 9.8 (critical): FUEL CMS 1.4.11 allows SQL Injection via parameter 'name' in /fuel/permissions/create/. Exploiting this issue could allow an attacker to…
CVE-2020-22153 — CVSS 9.8 (critical): File Upload vulnerability in FUEL-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted .php file to the upload…
CVE-2020-24791 — CVSS 9.8 (critical): FUEL CMS 1.4.8 allows SQL injection via the 'fuel_replace_id' parameter in pages/replace/1. Exploiting this issue could allow an attacker…
CVE-2026-30457 — CVSS 9.8 (critical): An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code.
CVE-2018-16763 — CVSS 9.8 (critical): FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth…
CVE-2020-22151 — CVSS 9.8 (critical): Permissions vulnerability in Fuel-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted zip file to the assests…
CVE-2026-30458 — CVSS 9.1 (critical): An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset tokens via a mail splitting attack.
CVE-2018-16416 — CVSS 8.8 (high): Cross-site request forgery (CSRF) vulnerability in my_profile/edit?inline= in FUEL CMS 1.4 allows remote attackers to change the…
CVE-2019-15229 — CVSS 8.8 (high): FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of the Admin console. This could lead to an attacker tricking the…
CVE-2020-23722 — CVSS 8.8 (high): An issue was discovered in FUEL CMS 1.4.7. There is a escalation of privilege vulnerability to obtain super admin privilege via the "id"…
CVE-2020-24950 — CVSS 8.8 (high): SQL Injection vulnerability in file Base_module_model.php in Daylight Studio FUEL-CMS version 1.4.9, allows remote attackers to execute…
CVE-2021-36569 — CVSS 8.8 (high): Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /users/delete/2.
CVE-2021-36570 — CVSS 8.8 (high): Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to…
CVE-2021-44117 — CVSS 8.8 (high): A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0 via a POST call to /fuel/sitevariables/delete/4…
CVE-2023-33557 — CVSS 8.8 (high): Fuel CMS v1.5.2 was discovered to contain a SQL injection vulnerability via the id parameter at /controllers/Blocks.php.
CVE-2026-30460 — CVSS 8.8 (high): Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module.
CVE-2026-30461 — CVSS 8.3 (high): Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the…
CVE-2021-38290 — CVSS 8.1 (high): A host header attack vulnerability exists in FUEL CMS 1.5.0 through fuel/modules/fuel/config/fuel_constants.php and fuel/modules/fuel/librar…
CVE-2026-30463 — CVSS 7.7 (high): Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component.
CVE-2026-30459 — CVSS 7.1 (high): An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset…
CVE-2022-28599 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf…
CVE-2024-25369 — CVSS 5.4 (medium): A reflected Cross-Site Scripting (XSS) vulnerability in FUEL CMS 1.5.2allows attackers to run arbitrary code via crafted string after the…
CVE-2019-15228 — CVSS 5.4 (medium): FUEL CMS 1.4.4 has XSS in the Create Blocks section of the Admin console. This could lead to cookie stealing and other malicious actions…
CVE-2021-44607 — CVSS 5.4 (medium): A Cross Site Scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 in the Assets page via an SVG file.
CVE-2024-57605 — CVSS 5.4 (medium): Cross Site Scripting vulnerability in Daylight Studio Fuel CMS v.1.5.2 allows an attacker to escalate privileges via the /fuel/blocks/ and…
CVE-2020-23721 — CVSS 5.4 (medium): An issue was discovered in FUEL CMS V1.4.7. An attacker can use a XSS payload and bypass a filter via /fuelCM/fuel/pages/edit/1?lang=english…
CVE-2020-26046 — CVSS 5.4 (medium): FUEL CMS 1.4.11 has stored XSS in Blocks/Navigation/Site variables. This could lead to cookie stealing and other malicious actions. This…
CVE-2020-22152 — CVSS 5.4 (medium): Cross Site Scripting vulnerability in daylight studio FUEL- CMS v.1.4.6 allows a remote attacker to execute arbitrary code via the page…
CVE-2018-20136 — CVSS 4.8 (medium): XSS exists in FUEL CMS 1.4.3 via the Header or Body in the Layout Variables during new-page creation, as demonstrated by the…
CVE-2018-20137 — CVSS 4.8 (medium): XSS exists in FUEL CMS 1.4.3 via the Page title, Meta description, or Meta keywords during page data management, as demonstrated by the…
CVE-2020-28705 — CVSS 4.3 (medium): FUEL CMS 1.4.13 contains a cross-site request forgery (CSRF) vulnerability that can delete a page via a post ID to /pages/delete/3.