ExpressionEngine Program Statistics



33 total issues disclosed

$0 total paid publicly

Most disclosed (6 disclosures) — Code Injection



Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
| --- | --- | --- | --- | --- |
| SQL injection in structure plugin | SQL Injection | fed01k | Medium | 2026-01-26 |
| Multiple XSS and open HTTP redirection | Cross-site Scripting (XSS) - Stored | maggick | High | 2024-07-16 |
| Non-authenticated path traversal leading to arbitrary file read | Path Traversal | d3addog | High | 2024-05-28 |
| Import/Convert user file exposure leading to logins/passwords/PII leak. | Insecure Storage of Sensitive Information | d0bby | Low | 2024-05-28 |
| Arbitrary comment content change with GET CSRF. | Cross-Site Request Forgery (CSRF) | d0bby | Low | 2024-05-28 |
| Arbitrary forum topic close with GET CSRF. | Cross-Site Request Forgery (CSRF) | d0bby | Low | 2024-05-28 |
| Comment/channel unsubscribe GET CSRF | Cross-Site Request Forgery (CSRF) | d0bby | Low | 2024-05-28 |
| Stored XSS filter bypass on discussion forum. "URL" tag. | Cross-site Scripting (XSS) - Stored | d0bby | Medium | 2024-05-28 |
| Stored XSS filter bypass on discussion forum. | Cross-site Scripting (XSS) - Stored | d0bby | Low | 2024-05-28 |
| Authenticated RCE via page title | Code Injection | sum-catnip | Medium | 2024-05-28 |
| PHP Code Injection through "Translate::save()" method | Code Injection | egix | Medium | 2024-05-28 |
| Low privileges (auth) Remote Command Execution - PHP file upload bypass. | Code Injection | mariuszdeepsec | High | 2024-05-28 |
| PHP Object injection -> Building Custom Gadget chain -> RCE | Command Injection - Generic | karezma | High | 2023-03-28 |
| SQL injection at /admin.php?/cp/members/create | SQL Injection | khoabda1 | Medium | 2022-02-01 |
| License verification mechanism can be bypassed | Use of a Broken or Risky Cryptographic Algorithm | unbaiat | Low | 2018-09-28 |
| Persistent XSS via malicious license file | Cross-site Scripting (XSS) - Stored | unbaiat | Medium | 2018-09-28 |
| XML Member Proccessing - Local File inclusion Vulnerability | None supplied | lawrenceamer | Low | 2018-05-21 |
| Import File Converter - local File inclusion | None supplied | lawrenceamer | Low | 2018-05-18 |
| RCE By import channel field | Command Injection - Generic | khaledibnalwalid | High | 2018-04-20 |
| [EE] change the author of post using the author_id | Insecure Direct Object Reference (IDOR) | flex0geek | Low | 2018-04-20 |
| [EE] Spoof the redirect process | Open Redirect | flex0geek | Low | 2018-04-20 |
| Arbitrary file upload when setting an avatar | Code Injection | strukt | No rating | 2018-04-04 |
| Remote Code Execution in the Import Channel function | None supplied | strukt | Medium | 2018-04-04 |
| Reflective XSS | Cross-site Scripting (XSS) - Generic | hogarth45 | No rating | 2017-09-29 |
| Potential code injection in fun delete_directory | Code Injection | freetom | Medium | 2017-09-07 |
| Image lib - unescaped file path | Code Injection | freetom | Medium | 2017-09-07 |
| Open redirects protection bypass | Open Redirect | strukt | Medium | 2017-06-16 |
| Type Juggling -> PHP Object Injection -> SQL Injection Chain | Cryptographic Issues - Generic | jstnkndy | No rating | 2017-02-07 |
| Arbitrary SQL query execution and reflected XSS in the "SQL Query Form" | Denial of Service | strukt | No rating | 2016-08-18 |
| Filename and directory enumeration | Information Disclosure | strukt | No rating | 2016-08-08 |
| Full path + some back-end code disclosure | Information Disclosure | strukt | No rating | 2016-08-07 |
| Stored Cross-Site Scripting Vulnerability in /admin.php?/cp/admin_system/general_configuration | Cross-site Scripting (XSS) - Generic | deadlock | No rating | 2014-11-17 |
| Cross Site Scripting (Stored) | Cross-site Scripting (XSS) - Generic | charan-eis | No rating | 2014-09-30 |