Every CVE whose affected-product data names Totaljs Total.js, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (12)
CVE-2021-23389 — CVSS 9.8 (critical): The package total.js before 3.4.9 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.
CVE-2022-44019 — CVSS 8.8 (high): In Total.js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter.
CVE-2024-48655 — CVSS 8.8 (high): An issue in Total.js CMS v.1.0 allows a remote attacker to execute arbitrary code via the func.js file.
CVE-2020-28494 — CVSS 8.6 (high): This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used…
CVE-2021-32831 — CVSS 7.5 (high): Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or…
CVE-2020-28495 — CVSS 7.3 (high): This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However…
CVE-2022-30013 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability in the upload function of totaljs CMS 3.4.5 allows attackers to execute arbitrary web…
CVE-2022-41392 — CVSS 5.4 (medium): A cross-site scripting (XSS) vulnerability in TotalJS commit 8c2c8909 allows attackers to execute arbitrary web scripts or HTML via a…
CVE-2025-10940 — CVSS 2.4 (low): A vulnerability was found in Total.js CMS 1.0.0. Affected by this vulnerability is the function layouts_save of the file /admin/ of the…
CVE-2025-11019 — CVSS 2.4 (low): A vulnerability has been found in Total.js CMS up to 19.9.0. This impacts an unknown function of the component Files Menu. The manipulation…