Snewscms >> Snews >> 1.5.31 Security Vulnerabilities
Snews CMS 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials without authentication by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that submits POST requests to the changeup action, modifying the admin username and password parameters to gain unauthorized access.
CVSS Score: 6.9 | EPSS Score: 0.0 | Published: 2026-04-04
Snews CMS 1.7 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files including PHP executables to the snews_files directory. Attackers can upload malicious PHP files through the multipart form-data upload endpoint and execute them by accessing the uploaded file path to achieve remote code execution.
CVSS Score: 9.3 | EPSS Score: 0.003 | Published: 2026-04-04
A Cross-Site Scripting (XSS) vulnerability exists in the reorder administrator functions in sNews 1.71.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2020-01-14



Shodan ® - All rights reserved