Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

PowerCMS

Source -

CNA

CNA CVEs -

7

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
7Vulnerabilities found
CVE-2025-36563
Assigner-JPCERT/CC
ShareView Details
Assigner-JPCERT/CC
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 7.51%
||
7 Day CHG~0.00%
Published-31 Jul, 2025 | 07:25
Updated-06 Aug, 2025 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting vulnerability exists in multiple versions of PowerCMS. If a product administrator accesses a crafted URL, an arbitrary script may be executed on the browser.

Action-Not Available
Vendor-Alfasado Inc.
Product-powercmsPowerCMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-41391
Assigner-JPCERT/CC
ShareView Details
Assigner-JPCERT/CC
CVSS Score-5.1||MEDIUM
EPSS-0.03% / 6.84%
||
7 Day CHG~0.00%
Published-31 Jul, 2025 | 07:25
Updated-06 Aug, 2025 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting vulnerability exists in multiple versions of PowerCMS. If a product user accesses a malicious page, an arbitrary script may be executed on the browser.

Action-Not Available
Vendor-Alfasado Inc.
Product-powercmsPowerCMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-41396
Assigner-JPCERT/CC
ShareView Details
Assigner-JPCERT/CC
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 16.68%
||
7 Day CHG~0.00%
Published-31 Jul, 2025 | 07:24
Updated-06 Aug, 2025 | 16:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A path traversal issue exists in file uploading feature of multiple versions of PowerCMS. Arbitrary files may be overwritten by a product user.

Action-Not Available
Vendor-Alfasado Inc.
Product-powercmsPowerCMS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-46359
Assigner-JPCERT/CC
ShareView Details
Assigner-JPCERT/CC
CVSS Score-8.6||HIGH
EPSS-0.10% / 28.20%
||
7 Day CHG~0.00%
Published-31 Jul, 2025 | 07:22
Updated-06 Aug, 2025 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A path traversal issue exists in backup and restore feature of multiple versions of PowerCMS. A product administrator may execute arbitrary code by restoring a crafted backup file.

Action-Not Available
Vendor-Alfasado Inc.
Product-powercmsPowerCMS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-54752
Assigner-JPCERT/CC
ShareView Details
Assigner-JPCERT/CC
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 10.80%
||
7 Day CHG~0.00%
Published-31 Jul, 2025 | 07:21
Updated-06 Aug, 2025 | 16:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple versions of PowerCMS improperly neutralize formula elements in a CSV file. If a product user creates a malformed entry and a victim user downloads it as a CSV file and opens it in the user's environment, the embedded code may be executed.

Action-Not Available
Vendor-Alfasado Inc.
Product-powercmsPowerCMS
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2025-54757
Assigner-JPCERT/CC
ShareView Details
Assigner-JPCERT/CC
CVSS Score-5.1||MEDIUM
EPSS-0.04% / 10.80%
||
7 Day CHG~0.00%
Published-31 Jul, 2025 | 07:20
Updated-06 Aug, 2025 | 16:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple versions of PowerCMS allow unrestricted upload of dangerous files. If a product administrator accesses a malicious file uploaded by a product user, an arbitrary script may be executed on the browser.

Action-Not Available
Vendor-Alfasado Inc.
Product-powercmsPowerCMS
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2019-6020
Assigner-JPCERT/CC
ShareView Details
Assigner-JPCERT/CC
CVSS Score-6.1||MEDIUM
EPSS-0.39% / 59.22%
||
7 Day CHG~0.00%
Published-26 Dec, 2019 | 15:16
Updated-04 Aug, 2024 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Open redirect vulnerability in PowerCMS 5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS 4.x), and 3.293 and earlier (PowerCMS 3.x) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL.

Action-Not Available
Vendor-Alfasado Inc.
Product-powercmsPowerCMS
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')