easycms CVE Vulnerabilities & Metrics

Focus on easycms vulnerabilities and metrics.

Last updated: 15 Feb 2026, 23:25 UTC

About easycms Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with easycms. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total easycms CVEs: 10
Earliest CVE date: 25 Apr 2018, 09:29 UTC
Latest CVE date: 18 Jan 2026, 00:15 UTC

Latest CVE reference: CVE-2026-1105

Rolling Stats

30-day Count (Rolling): 1
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical easycms CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 5.76

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	1
4.0-6.9	7
7.0-8.9	2
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS easycms CVEs

These are the five CVEs with the highest CVSS scores for easycms, sorted by severity first and recency.

CVE-2026-1105 easycms Published on 18 Jan 2026, 00:15 UTC (CVSS: 7.5)
A vulnerability was identified in EasyCMS up to 1.6. This vulnerability affects unknown code of the file /UserAction.class.php. Such manipulation of the argument _order leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2022-23358 easycms Published on 16 Feb 2022, 12:15 UTC (CVSS: 7.5)
EasyCMS v1.6 allows for SQL injection via ArticlemAction.class.php. In the background, search terms provided by the user were not sanitized and were used directly to construct a SQL statement.
CVE-2020-24271 easycms Published on 01 Feb 2021, 15:15 UTC (CVSS: 6.8)
A CSRF vulnerability was discovered in EasyCMS v1.6 that can add an admin account through index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent, then post username=***&password=***.
CVE-2019-6294 easycms Published on 15 Jan 2019, 14:29 UTC (CVSS: 6.8)
An issue was discovered in EasyCMS 1.5. There is CSRF via the index.php?s=/admin/articlem/insert/navTabId/listarticle/callbackType/closeCurrent URI.
CVE-2018-16345 easycms Published on 02 Sep 2018, 18:29 UTC (CVSS: 6.8)
An issue was discovered in EasyCMS 1.5. There is a CSRF vulnerability that can update the admin password via index.php?s=/admin/rbacuser/update/navTabId/listusers/callbackType/closeCurrent.

All CVEs for easycms

CVE-2026-1105 easycms vulnerability CVSS: 7.5 18 Jan 2026, 00:15 UTC

A vulnerability was identified in EasyCMS up to 1.6. This vulnerability affects unknown code of the file /UserAction.class.php. Such manipulation of the argument _order leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2022-23358 easycms vulnerability CVSS: 7.5 16 Feb 2022, 12:15 UTC

EasyCMS v1.6 allows for SQL injection via ArticlemAction.class.php. In the background, search terms provided by the user were not sanitized and were used directly to construct a SQL statement.

CVE-2020-24271 easycms vulnerability CVSS: 6.8 01 Feb 2021, 15:15 UTC

A CSRF vulnerability was discovered in EasyCMS v1.6 that can add an admin account through index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent, then post username=***&password=***.

CVE-2019-6294 easycms vulnerability CVSS: 6.8 15 Jan 2019, 14:29 UTC

An issue was discovered in EasyCMS 1.5. There is CSRF via the index.php?s=/admin/articlem/insert/navTabId/listarticle/callbackType/closeCurrent URI.

CVE-2018-17113 easycms vulnerability CVSS: 4.3 17 Sep 2018, 04:29 UTC

App/Modules/Admin/Tpl/default/Public/dwz/uploadify/scripts/uploadify.swf in EasyCMS 1.5 has XSS via the uploadifyID or movieName parameter, a related issue to CVE-2018-9173.

CVE-2018-16773 easycms vulnerability CVSS: 3.5 10 Sep 2018, 04:29 UTC

EasyCMS 1.5 allows XSS via the index.php?s=/admin/fields/update/navTabId/listfields/callbackType/closeCurrent content field.

CVE-2018-16759 easycms vulnerability CVSS: 4.3 09 Sep 2018, 21:29 UTC

The removeXSS function in App/Common/common.php (called from App/Modules/Index/Action/SearchAction.class.php) in EasyCMS v1.4 allows XSS via an onhashchange event.

CVE-2018-16345 easycms vulnerability CVSS: 6.8 02 Sep 2018, 18:29 UTC

An issue was discovered in EasyCMS 1.5. There is a CSRF vulnerability that can update the admin password via index.php?s=/admin/rbacuser/update/navTabId/listusers/callbackType/closeCurrent.

CVE-2018-12971 easycms vulnerability CVSS: 5.8 29 Jun 2018, 05:29 UTC

EasyCMS 1.3 has CSRF via the index.php?s=/admin/user/delAll URI to delete users.

CVE-2018-10374 easycms vulnerability CVSS: 4.3 25 Apr 2018, 09:29 UTC

EasyCMS 1.3 has XSS via the s POST parameter (aka a search box value) in an index.php?s=/index/search/index.html request.