jpress CVE Vulnerabilities & Metrics

Focus on jpress vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About jpress Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with jpress. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total jpress CVEs: 14
Earliest CVE date: 11 Nov 2018, 05:29 UTC
Latest CVE date: 28 Nov 2024, 22:15 UTC

Latest CVE reference: CVE-2024-11971

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 2

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

[Chart: Monthly CVE Trends (current vs previous year)]

[Chart: Annual CVE Trends (last 20 years)]

[Chart: Critical jpress CVEs (CVSS ≥ 9) over 20 years]

CVSS Stats

Average CVSS: 5.7

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

CVSS 0.0-3.9: 3
CVSS 4.0-6.9: 10
CVSS 7.0-8.9: 1
CVSS 9.0-10.0: 0

[Chart: CVSS Distribution]

Top 5 Highest CVSS jpress CVEs

These are the five CVEs with the highest CVSS scores for jpress, sorted by severity first, then by recency.

All CVEs for jpress

CVE-2024-11971 jpress vulnerability CVSS: 4.0 28 Nov 2024, 22:15 UTC

A vulnerability classified as problematic was found in Guizhou Xiaoma Technology jpress 5.1.2. Affected by this vulnerability is an unknown functionality of the file /commons/attachment/upload of the component Avatar Handler. The manipulation of the argument files leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2024-8304 jpress vulnerability CVSS: 5.8 29 Aug 2024, 15:15 UTC

A vulnerability has been found in jpress up to 5.1.1 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/template/edit of the component Template Module Handler. The manipulation leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2022-23330 jpress vulnerability CVSS: 6.5 04 Feb 2022, 22:15 UTC

A remote code execution (RCE) vulnerability in HelloWorldAddonController.java of jpress v4.2.0 allows attackers to execute arbitrary code via a crafted JAR package.

CVE-2021-46114 jpress vulnerability CVSS: 6.5 26 Jan 2022, 19:15 UTC

jpress v4.2.0 is vulnerable to RCE via io.jpress.module.product.ProductNotifyKit#doSendEmail. The admin panel provides a function through which attackers can edit the email templates and inject some malicious code.

CVE-2021-46118 jpress vulnerability CVSS: 6.5 26 Jan 2022, 17:15 UTC

jpress 4.2.0 is vulnerable to remote code execution via io.jpress.module.article.kit.ArticleNotifyKit#doSendEmail. The admin panel provides a function through which attackers can edit the email templates and inject some malicious code.

CVE-2021-46116 jpress vulnerability CVSS: 6.5 26 Jan 2022, 17:15 UTC

jpress 4.2.0 is vulnerable to remote code execution via io.jpress.web.admin._TemplateController#doInstall. The admin panel provides a function through which attackers can install templates and inject some malicious code.

CVE-2021-46115 jpress vulnerability CVSS: 6.5 26 Jan 2022, 17:15 UTC

jpress 4.2.0 is vulnerable to RCE via io.jpress.web.admin._TemplateController#doUploadFile. The admin panel provides a function through which attackers can upload templates and inject some malicious code.

CVE-2021-46117 jpress vulnerability CVSS: 6.5 26 Jan 2022, 16:15 UTC

jpress 4.2.0 is vulnerable to remote code execution via io.jpress.module.page.PageNotifyKit#doSendEmail. The admin panel provides a function through which attackers can edit the email templates and inject some malicious code.

CVE-2021-45808 jpress vulnerability CVSS: 6.5 19 Jan 2022, 13:15 UTC

jpress v4.2.0 allows users to register an account by default. With the account, a user can upload arbitrary files to the server.

CVE-2021-45807 jpress vulnerability CVSS: 7.5 13 Jan 2022, 19:15 UTC

jpress v4.2.0 is vulnerable to command execution via io.jpress.web.admin._AddonController::doUploadAndInstall.

CVE-2021-45806 jpress vulnerability CVSS: 6.5 13 Jan 2022, 14:15 UTC

jpress v4.2.0 admin panel provides a function through which attackers can modify the template and inject some malicious code.

CVE-2021-33347 jpress vulnerability CVSS: 3.5 18 Jun 2021, 11:15 UTC

An issue was discovered in JPress v3.3.0 and below. There are XSS vulnerabilities in the template module and tag management module. If you log in to the back end by means of a weak password, the stored XSS vulnerability can occur.

CVE-2019-6278 jpress vulnerability CVSS: 3.5 14 Jan 2019, 19:29 UTC

XSS exists in JPress v1.0.4 via Markdown input, or Markdown input with the code input option.

CVE-2018-19170 jpress vulnerability CVSS: 3.5 11 Nov 2018, 05:29 UTC

In JPress v1.0-rc.5, there is stored XSS via each of the first three input fields to the starter-tomcat-1.0/admin/setting URI, as demonstrated by the web_name parameter.