ulicms CVE Vulnerabilities & Metrics

Focus on ulicms vulnerabilities and metrics.

Last updated: 16 Jan 2026, 23:25 UTC

About ulicms Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with ulicms. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total ulicms CVEs: 7
Earliest CVE date: 08 May 2019, 18:29 UTC
Latest CVE date: 17 Dec 2025, 23:15 UTC

Latest CVE reference: CVE-2023-53925

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 4

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

[Charts not reproduced: Monthly CVE Trends (current vs previous year); Annual CVE Trends (last 20 years); Critical ulicms CVEs (CVSS ≥ 9) over 20 years]

CVSS Stats

Average CVSS: 1.84

Max CVSS: 4.3

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 4
4.0-6.9 3
7.0-8.9 0
9.0-10.0 0

Top 5 Highest CVSS ulicms CVEs

These are the five CVEs with the highest CVSS scores for ulicms, sorted by severity first, then by recency.

All CVEs for ulicms

CVE-2023-53925 | ulicms vulnerability | CVSS: 0 | 17 Dec 2025, 23:15 UTC

UliCMS 2023.1 contains a stored cross-site scripting vulnerability that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the file management interface that execute arbitrary scripts when viewed by other users.

CVE-2023-53924 | ulicms vulnerability | CVSS: 0 | 17 Dec 2025, 23:15 UTC

UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution through maliciously crafted avatar uploads.

CVE-2023-53923 | ulicms vulnerability | CVSS: 0 | 17 Dec 2025, 23:15 UTC

UliCMS 2023.1 contains a privilege escalation vulnerability that allows unauthenticated attackers to create administrative accounts through the UserController endpoint. Attackers can send a crafted POST request to /dist/admin/index.php with specific parameters to generate a new admin user with full system access.

CVE-2023-53914 | ulicms vulnerability | CVSS: 0 | 17 Dec 2025, 23:15 UTC

UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. Attackers can send a crafted POST request to the admin index.php endpoint with specific parameters to generate an administrative account with full system access.

CVE-2020-12704 | ulicms vulnerability | CVSS: 4.3 | 07 May 2020, 20:15 UTC

UliCMS before 2020.2 has PageController stored XSS.

CVE-2020-12703 | ulicms vulnerability | CVSS: 4.3 | 07 May 2020, 20:15 UTC

UliCMS before 2020.2 has XSS during PackageController uninstall.

CVE-2019-11398 | ulicms vulnerability | CVSS: 4.3 | 08 May 2019, 18:29 UTC

Multiple cross-site scripting (XSS) vulnerabilities in UliCMS 2019.2 and 2019.1 allow remote attackers to inject arbitrary web script or HTML via the go parameter to admin/index.php, the go parameter to /admin/index.php?register=register, or the error parameter to admin/index.php?action=favicon.