Blackcat-Cms: Security Vulnerabilities
Blackcat CMS 1.4 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into page content. Attackers can insert JavaScript payloads in the page modification interface that execute when other users view the compromised page.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-12-15
Blackcat CMS 1.4 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the jquery plugin manager. Attackers can upload a zip file with a PHP shell script and execute arbitrary system commands by accessing the uploaded plugin's PHP file with a 'code' parameter.
CVSS Score
7.2
EPSS Score
0.006
Published
2025-12-15
A stored cross-site scripting (XSS) vulnerability in /settings/index.php of Black Cat CMS 1.4.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website header parameter.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-09-27
A reflected cross-site scripting (XSS) vulnerability in /install/index.php of Black Cat CMS 1.4.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website title parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2023-09-27
A stored cross site scripting (XSS) vulnerability in the 'Add Page' feature of BlackCat CMS 1.3.6 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter.
CVSS Score
5.4
EPSS Score
0.003
Published
2021-07-09
A stored cross site scripting (XSS) vulnerability in the 'Admin-Tools' feature of BlackCat CMS 1.3.6 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the 'Output Filters' and 'Droplets' modules.
CVSS Score
4.8
EPSS Score
0.003
Published
2021-07-09
The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/ajax_save.php.
CVSS Score
4.8
EPSS Score
0.003
Published
2021-02-16
An issue was discovered in BlackCat CMS before 1.4. There is a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution.
CVSS Score
8.8
EPSS Score
0.003
Published
2020-09-15
Blackcat CMS 1.3.2 allows XSS via the willkommen.php?lang=DE page title at backend/pages/modify.php.
CVSS Score
5.4
EPSS Score
0.002
Published
2018-12-10
Cross-site scripting (XSS) vulnerability in backend/pages/modify.php in BlackCatCMS 1.3 allows remote authenticated users with the Admin role to inject arbitrary web script or HTML via the search panel.
CVSS Score
4.8
EPSS Score
0.003
Published
2018-06-14
Page 1