Vulnerabilities > Expressionengine > Expressionengine > 3.5.10
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-09 | CVE-2023-22953 | Unspecified vulnerability in Expressionengine In ExpressionEngine before 7.2.6, remote code execution can be achieved by an authenticated Control Panel user. | 8.8 |
| 2022-02-18 | CVE-2020-8242 | SQL Injection vulnerability in Expressionengine Unsanitized user input in ExpressionEngine <= 5.4.0 control panel member creation leads to an SQL injection. | 6.5 |
| 2021-08-12 | CVE-2021-33199 | Improper Input Validation vulnerability in Expressionengine In Expression Engine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg. | 7.5 |
| 2021-03-15 | CVE-2021-27230 | Code Injection vulnerability in Expressionengine ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory. | 6.5 |
| 2020-06-24 | CVE-2020-13443 | Unrestricted Upload of File with Dangerous Type vulnerability in Expressionengine ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions. | 6.5 |
| 2018-10-01 | CVE-2018-17874 | Cross-site Scripting vulnerability in Expressionengine ExpressionEngine before 4.3.5 has reflected XSS. | 4.3 |