instantcms CVE Vulnerabilities & Metrics

Focus on instantcms vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About instantcms Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with instantcms. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total instantcms CVEs: 18
Earliest CVE date: 18 Jul 2018, 15:29 UTC
Latest CVE date: 29 Oct 2024, 23:15 UTC

Latest CVE reference: CVE-2024-50348

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 3

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -78.57%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -78.57%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical instantcms CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.24

Max CVSS: 4.3

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	17
4.0-6.9	1
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS instantcms CVEs

These are the five CVEs with the highest CVSS scores for instantcms, sorted by severity first and recency.

CVE-2018-14382 instantcms Published on 18 Jul 2018, 15:29 UTC (CVSS: 4.3)
InstantCMS 2.10.1 has /redirect?url= XSS.
CVE-2024-50348 instantcms Published on 29 Oct 2024, 23:15 UTC (CVSS: 0)
InstantCMS is a free and open source content management system. In photo upload function in the photo album page there is no input validation taking place. Due to this attackers are able to inject the XSS (Cross Site Scripting) payload and execute. This vulnerability is fixed in 2.16.3.
CVE-2024-31213 instantcms Published on 05 Apr 2024, 15:15 UTC (CVSS: 0)
InstantCMS is a free and open source content management system. An open redirect was found in the ICMS2 application version 2.16.2 when being redirected after modifying one's own user profile. An attacker could trick a victim into visiting their web application, thinking they are still present on the ICMS2 application. They could then host a website stating "To update your profile, please enter...
CVE-2024-31212 instantcms Published on 04 Apr 2024, 23:15 UTC (CVSS: 0)
InstantCMS is a free and open source content management system. A SQL injection vulnerability affects instantcms v2.16.2 in which an attacker with administrative privileges can cause the application to execute unauthorized SQL code. The vulnerability exists in index_chart_data action, which receives an input from user and passes it unsanitized to the core model `filterFunc` function that furthe...
CVE-2023-4879 instantcms Published on 10 Sep 2023, 18:15 UTC (CVSS: 0)
Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1.-git.

All CVEs for instantcms

CVE-2024-50348 instantcms vulnerability CVSS: 0 29 Oct 2024, 23:15 UTC

InstantCMS is a free and open source content management system. In photo upload function in the photo album page there is no input validation taking place. Due to this attackers are able to inject the XSS (Cross Site Scripting) payload and execute. This vulnerability is fixed in 2.16.3.

CVE-2024-31213 instantcms vulnerability CVSS: 0 05 Apr 2024, 15:15 UTC

InstantCMS is a free and open source content management system. An open redirect was found in the ICMS2 application version 2.16.2 when being redirected after modifying one's own user profile. An attacker could trick a victim into visiting their web application, thinking they are still present on the ICMS2 application. They could then host a website stating "To update your profile, please enter your password," upon which the user may type their password and send it to the attacker. As of time of publication, a patched version is not available.

CVE-2024-31212 instantcms vulnerability CVSS: 0 04 Apr 2024, 23:15 UTC

InstantCMS is a free and open source content management system. A SQL injection vulnerability affects instantcms v2.16.2 in which an attacker with administrative privileges can cause the application to execute unauthorized SQL code. The vulnerability exists in index_chart_data action, which receives an input from user and passes it unsanitized to the core model `filterFunc` function that further embeds this data in an SQL statement. This allows attackers to inject unwanted SQL code into the statement. The `period` should be escaped before inserting it in the query. As of time of publication, a patched version is not available.

CVE-2023-4879 instantcms vulnerability CVSS: 0 10 Sep 2023, 18:15 UTC

Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1.-git.

CVE-2023-4878 instantcms vulnerability CVSS: 0 10 Sep 2023, 18:15 UTC

Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

CVE-2023-4704 instantcms vulnerability CVSS: 0 01 Sep 2023, 10:15 UTC

External Control of System or Configuration Setting in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

CVE-2023-4655 instantcms vulnerability CVSS: 0 31 Aug 2023, 01:15 UTC

Cross-site Scripting (XSS) - Reflected in GitHub repository instantsoft/icms2 prior to 2.16.1.

CVE-2023-4654 instantcms vulnerability CVSS: 0 31 Aug 2023, 01:15 UTC

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository instantsoft/icms2 prior to 2.16.1.

CVE-2023-4653 instantcms vulnerability CVSS: 0 31 Aug 2023, 01:15 UTC

Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

CVE-2023-4652 instantcms vulnerability CVSS: 0 31 Aug 2023, 01:15 UTC

Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

CVE-2023-4651 instantcms vulnerability CVSS: 0 31 Aug 2023, 01:15 UTC

Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1.

CVE-2023-4650 instantcms vulnerability CVSS: 0 31 Aug 2023, 01:15 UTC

Improper Access Control in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

CVE-2023-4649 instantcms vulnerability CVSS: 0 31 Aug 2023, 01:15 UTC

Session Fixation in GitHub repository instantsoft/icms2 prior to 2.16.1.

CVE-2023-4381 instantcms vulnerability CVSS: 0 16 Aug 2023, 12:15 UTC

Unverified Password Change in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

CVE-2023-4189 instantcms vulnerability CVSS: 0 05 Aug 2023, 20:15 UTC

Cross-site Scripting (XSS) - Reflected in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

CVE-2023-4188 instantcms vulnerability CVSS: 0 05 Aug 2023, 20:15 UTC

SQL Injection in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

CVE-2023-4187 instantcms vulnerability CVSS: 0 05 Aug 2023, 18:15 UTC

Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

CVE-2018-14382 instantcms vulnerability CVSS: 4.3 18 Jul 2018, 15:29 UTC

InstantCMS 2.10.1 has /redirect?url= XSS.