syspass CVE Vulnerabilities & Metrics

Focus on syspass vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About syspass Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with syspass. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total syspass CVEs: 4
Earliest CVE date: 06 Mar 2017, 06:59 UTC
Latest CVE date: 03 Sep 2024, 18:15 UTC

Latest CVE reference: CVE-2024-42904

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical syspass CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.33

Max CVSS: 5.0

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	1
4.0-6.9	3
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS syspass CVEs

These are the five CVEs with the highest CVSS scores for syspass, sorted by severity first and recency.

CVE-2017-5999 syspass Published on 06 Mar 2017, 06:59 UTC (CVSS: 5.0)
An issue was discovered in sysPass 2.x before 2.1, in which an algorithm was never sufficiently reviewed by cryptographers. The fact that inc/SP/Core/Crypt.class is using the MCRYPT_RIJNDAEL_256() function (the 256-bit block version of Rijndael, not AES) instead of MCRYPT_RIJNDAEL_128 (real AES) could help an attacker to create unknown havoc in the remote system.
CVE-2017-9306 syspass Published on 31 May 2017, 04:29 UTC (CVSS: 4.3)
inc/SP/Html/Html.class.php in sysPass 2.1.9 allows remote attackers to bypass the XSS filter, as demonstrated by use of an "<svg/onload=" substring instead of an "<svg onload=" substring.
CVE-2022-4930 syspass Published on 06 Mar 2023, 16:15 UTC (CVSS: 4.0)
A vulnerability classified as problematic was found in nuxsmin sysPass up to 3.2.4. Affected by this vulnerability is an unknown functionality of the component URL Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 3.2.5 is able to address this issue. The patch is named 4da4d031732ecca67519851fd0c34597dbb8ee55. It is recommended to...
CVE-2024-42904 syspass Published on 03 Sep 2024, 18:15 UTC (CVSS: 0)
A cross-site scripting (XSS) vulnerability in SysPass 3.2.x allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name parameter at /Controllers/ClientController.php.

All CVEs for syspass

CVE-2024-42904 syspass vulnerability CVSS: 0 03 Sep 2024, 18:15 UTC

A cross-site scripting (XSS) vulnerability in SysPass 3.2.x allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name parameter at /Controllers/ClientController.php.

CVE-2022-4930 syspass vulnerability CVSS: 4.0 06 Mar 2023, 16:15 UTC

A vulnerability classified as problematic was found in nuxsmin sysPass up to 3.2.4. Affected by this vulnerability is an unknown functionality of the component URL Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 3.2.5 is able to address this issue. The patch is named 4da4d031732ecca67519851fd0c34597dbb8ee55. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222319.

CVE-2017-9306 syspass vulnerability CVSS: 4.3 31 May 2017, 04:29 UTC

inc/SP/Html/Html.class.php in sysPass 2.1.9 allows remote attackers to bypass the XSS filter, as demonstrated by use of an "<svg/onload=" substring instead of an "<svg onload=" substring.

CVE-2017-5999 syspass vulnerability CVSS: 5.0 06 Mar 2017, 06:59 UTC

An issue was discovered in sysPass 2.x before 2.1, in which an algorithm was never sufficiently reviewed by cryptographers. The fact that inc/SP/Core/Crypt.class is using the MCRYPT_RIJNDAEL_256() function (the 256-bit block version of Rijndael, not AES) instead of MCRYPT_RIJNDAEL_128 (real AES) could help an attacker to create unknown havoc in the remote system.