finecms CVE Vulnerabilities & Metrics

Focus on finecms vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About finecms Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with finecms. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total finecms CVEs: 12
Earliest CVE date: 24 Jul 2017, 00:29 UTC
Latest CVE date: 09 Oct 2018, 20:29 UTC

Latest CVE reference: CVE-2018-18191

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

CVSS Stats

Average CVSS: 6.23

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 0
4.0-6.9 6
7.0-8.9 6
9.0-10.0 0

Top 5 Highest CVSS finecms CVEs

These are the five CVEs with the highest CVSS scores for finecms, sorted by severity first, then by recency.

All CVEs for finecms

CVE-2018-18191 finecms vulnerability CVSS: 6.8 09 Oct 2018, 20:29 UTC

Cross-site request forgery (CSRF) vulnerability in /admin.php?c=member&m=edit&uid=1 in dayrui FineCms 5.4 allows remote attackers to change the administrator's password.

CVE-2018-7476 finecms vulnerability CVSS: 4.3 25 Feb 2018, 19:29 UTC

controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site Scripting (XSS) via the id or lid parameter in a c=linkage,m=import request to admin.php, because the xss_clean protection mechanism is defeated by crafted input that lacks a '<' or '>' character.

CVE-2018-6893 finecms vulnerability CVSS: 7.5 12 Feb 2018, 14:29 UTC

controllers/member/Api.php in dayrui FineCms 5.2.0 has SQL Injection: a request with s=member,c=api,m=checktitle, and the parameter 'module' with a SQL statement, lacks effective filtering.

CVE-2017-16920 finecms vulnerability CVSS: 7.5 21 Nov 2017, 13:29 UTC

v5/config/system.php in dayrui FineCms 5.2.0 has a default SYS_KEY value and does not require key regeneration for each installation, which allows remote attackers to upload arbitrary .php files via a member api swfupload action to index.php.

CVE-2017-16866 finecms vulnerability CVSS: 4.3 16 Nov 2017, 21:29 UTC

dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) in core/M_Controller.php via the DR_URI field.

CVE-2017-11629 finecms vulnerability CVSS: 4.3 26 Jul 2017, 08:29 UTC

dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=api&m=data2 request.

CVE-2017-11586 finecms vulnerability CVSS: 5.8 24 Jul 2017, 00:29 UTC

dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to controllers/Weixin.php.

CVE-2017-11585 finecms vulnerability CVSS: 7.5 24 Jul 2017, 00:29 UTC

dayrui FineCms 5.0.9 has remote PHP code execution via the param parameter in an action=cache request to libraries/Template.php, aka Eval Injection.

CVE-2017-11584 finecms vulnerability CVSS: 7.5 24 Jul 2017, 00:29 UTC

dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an action=module, action=member, action=form, or action=related request to libraries/Template.php.

CVE-2017-11583 finecms vulnerability CVSS: 7.5 24 Jul 2017, 00:29 UTC

dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to libraries/Template.php.

CVE-2017-11582 finecms vulnerability CVSS: 7.5 24 Jul 2017, 00:29 UTC

dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an action=related or action=tags request to libraries/Template.php.

CVE-2017-11581 finecms vulnerability CVSS: 4.3 24 Jul 2017, 00:29 UTC

dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a '<' character.