blackcat-cms CVE Vulnerabilities & Metrics

Focus on blackcat-cms vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About blackcat-cms Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with blackcat-cms. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total blackcat-cms CVEs: 16
Earliest CVE date: 12 Sep 2014, 14:55 UTC
Latest CVE date: 27 Sep 2023, 15:19 UTC

Latest CVE reference: CVE-2023-44043

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -100.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -100.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical blackcat-cms CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.98

Max CVSS: 6.8

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	10
4.0-6.9	7
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS blackcat-cms CVEs

These are the five CVEs with the highest CVSS scores for blackcat-cms, sorted by severity first and recency.

CVE-2020-25453 blackcat-cms Published on 15 Sep 2020, 22:15 UTC (CVSS: 6.8)
An issue was discovered in BlackCat CMS before 1.4. There is a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution.
CVE-2017-14399 blackcat-cms Published on 12 Sep 2017, 21:29 UTC (CVSS: 6.5)
In BlackCat CMS 1.2.2, unrestricted file upload is possible in backend\media\ajax_rename.php via the extension parameter, as demonstrated by changing the extension from .jpg to .php.
CVE-2017-14050 blackcat-cms Published on 31 Aug 2017, 04:29 UTC (CVSS: 6.5)
In BlackCat CMS 1.2, backend/addons/install.php allows remote authenticated users to execute arbitrary PHP code via a ZIP archive that contains a .php file.
CVE-2017-14048 blackcat-cms Published on 31 Aug 2017, 04:29 UTC (CVSS: 6.5)
BlackCat CMS 1.2 allows remote authenticated users to inject arbitrary PHP code into info.php via a crafted new_modulename parameter to backend/addons/ajax_create.php. NOTE: this can be exploited via CSRF.
CVE-2015-5079 blackcat-cms Published on 28 Feb 2018, 22:29 UTC (CVSS: 5.0)
Directory traversal vulnerability in widgets/logs.php in BlackCat CMS before 1.1.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the dl parameter.

All CVEs for blackcat-cms

CVE-2023-44043 blackcat-cms vulnerability CVSS: 0 27 Sep 2023, 15:19 UTC

A reflected cross-site scripting (XSS) vulnerability in /install/index.php of Black Cat CMS 1.4.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website title parameter.

CVE-2023-44042 blackcat-cms vulnerability CVSS: 0 27 Sep 2023, 15:19 UTC

A stored cross-site scripting (XSS) vulnerability in /settings/index.php of Black Cat CMS 1.4.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website header parameter.

CVE-2020-25878 blackcat-cms vulnerability CVSS: 3.5 09 Jul 2021, 22:15 UTC

A stored cross site scripting (XSS) vulnerability in the 'Admin-Tools' feature of BlackCat CMS 1.3.6 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the 'Output Filters' and 'Droplets' modules.

CVE-2020-25877 blackcat-cms vulnerability CVSS: 3.5 09 Jul 2021, 22:15 UTC

A stored cross site scripting (XSS) vulnerability in the 'Add Page' feature of BlackCat CMS 1.3.6 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter.

CVE-2021-27237 blackcat-cms vulnerability CVSS: 3.5 16 Feb 2021, 19:15 UTC

The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/ajax_save.php.

CVE-2020-25453 blackcat-cms vulnerability CVSS: 6.8 15 Sep 2020, 22:15 UTC

An issue was discovered in BlackCat CMS before 1.4. There is a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution.

CVE-2018-16635 blackcat-cms vulnerability CVSS: 3.5 10 Dec 2018, 19:29 UTC

Blackcat CMS 1.3.2 allows XSS via the willkommen.php?lang=DE page title at backend/pages/modify.php.

CVE-2018-10821 blackcat-cms vulnerability CVSS: 3.5 14 Jun 2018, 16:29 UTC

Cross-site scripting (XSS) vulnerability in backend/pages/modify.php in BlackCatCMS 1.3 allows remote authenticated users with the Admin role to inject arbitrary web script or HTML via the search panel.

CVE-2015-5079 blackcat-cms vulnerability CVSS: 5.0 28 Feb 2018, 22:29 UTC

Directory traversal vulnerability in widgets/logs.php in BlackCat CMS before 1.1.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the dl parameter.

CVE-2017-14399 blackcat-cms vulnerability CVSS: 6.5 12 Sep 2017, 21:29 UTC

In BlackCat CMS 1.2.2, unrestricted file upload is possible in backend\media\ajax_rename.php via the extension parameter, as demonstrated by changing the extension from .jpg to .php.

CVE-2017-14050 blackcat-cms vulnerability CVSS: 6.5 31 Aug 2017, 04:29 UTC

In BlackCat CMS 1.2, backend/addons/install.php allows remote authenticated users to execute arbitrary PHP code via a ZIP archive that contains a .php file.

CVE-2017-14049 blackcat-cms vulnerability CVSS: 3.5 31 Aug 2017, 04:29 UTC

In BlackCat CMS 1.2, backend/settings/ajax_save_settings.php allows remote authenticated users to conduct XSS attacks via the Website header or Website footer field.

CVE-2017-14048 blackcat-cms vulnerability CVSS: 6.5 31 Aug 2017, 04:29 UTC

BlackCat CMS 1.2 allows remote authenticated users to inject arbitrary PHP code into info.php via a crafted new_modulename parameter to backend/addons/ajax_create.php. NOTE: this can be exploited via CSRF.

CVE-2017-13670 blackcat-cms vulnerability CVSS: 4.0 31 Aug 2017, 04:29 UTC

In BlackCat CMS 1.2, remote authenticated users can upload any file via the media upload function in backend/media/ajax_upload.php, as demonstrated by a ZIP archive that contains a .php file.

CVE-2017-9609 blackcat-cms vulnerability CVSS: 3.5 17 Jul 2017, 21:29 UTC

Cross-site scripting (XSS) vulnerability in Blackcat CMS 1.2 allows remote authenticated users to inject arbitrary web script or HTML via the map_language parameter to backend/pages/lang_settings.php.

CVE-2015-5521 blackcat-cms vulnerability CVSS: 3.5 14 Jul 2015, 16:59 UTC

Cross-site scripting (XSS) vulnerability in BlackCat CMS 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the name in a new group to backend/groups/index.php.

CVE-2014-5259 blackcat-cms vulnerability CVSS: 4.3 12 Sep 2014, 14:55 UTC

Cross-site scripting (XSS) vulnerability in cattranslate.php in the CatTranslate JQuery plugin in BlackCat CMS 1.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter.