Phome Empirecms

17 CVEs affecting Phome Empirecms. Latest disclosed: 2026-01-02. Critical: 4, High: 5.

Top CVEs affecting Phome Empirecms
| CVE | Severity | Score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2022-28585 | Critical | 9.8 | 2022-05-03 | EmpireCMS 7.5 has a SQL injection vulnerability in AdClass.php |
| CVE-2020-22937 | Critical | 9.8 | 2021-08-17 | A remote code execution (RCE) in e/install/index.php of EmpireCMS 7.5 allows attackers to execute arbitrary PHP code via writing malicious code to the install… |
| CVE-2018-20300 | Critical | 9.8 | 2018-12-20 | Empire CMS 7.5 allows remote attackers to execute arbitrary PHP code via the ftemp parameter in an enews=EditMemberForm action because this code is injected in… |
| CVE-2018-18869 | Critical | 9.8 | 2018-10-31 | EmpireCMS V7.5 allows remote attackers to upload and execute arbitrary code via ..%2F directory traversal in a .php filename in the upload/e/admin/ecmscom.php… |
| CVE-2018-18449 | High | 8.8 | 2019-03-07 | EmpireCMS 7.5 allows CSRF for adding a user account via an enews=AddUser action to e/admin/user/ListUser.php, a similar issue to CVE-2018-16339. |
| CVE-2018-18086 | High | 8.8 | 2018-10-09 | EmpireCMS v7.5 has an arbitrary file upload vulnerability in the LoadInMod function in e/class/moddofun.php, exploitable by logged-in users. |
| CVE-2018-16339 | High | 8.8 | 2018-09-02 | An issue was discovered in EmpireCMS 7.0. There is a CSRF vulnerability that can add administrators via upload/e/admin/user/AddUser.php?enews=AddUser. |
| CVE-2023-50162 | High | 7.2 | 2024-01-09 | SQL injection vulnerability in EmpireCMS v7.5, allows remote attackers to execute arbitrary code and obtain sensitive information via the DoExecSql function. |
| CVE-2018-19462 | High | 7.2 | 2019-06-07 | admin\db\DoSql.php in EmpireCMS through 7.5 allows remote attackers to execute arbitrary PHP code via SQL injection that uses a .php filename in a SELECT INTO… |
| CVE-2025-15423 | Medium | 6.3 | 2026-01-02 | A vulnerability has been found in EmpireSoft EmpireCMS up to 8.0. Impacted is the function CheckSaveTranFiletype of the file e/class/connect.php. Such manipula… |
| CVE-2019-12362 | Medium | 6.1 | 2019-05-27 | EmpireCMS 7.5.0 has XSS via the HTTP Referer header to e/member/doaction.php. |
| CVE-2019-12361 | Medium | 6.1 | 2019-05-27 | EmpireCMS 7.5.0 has XSS via the from parameter to e/member/doaction.php, as demonstrated by a CSRF payload that changes the dynamic page template. The attacker… |
| CVE-2025-15422 | Medium | 5.3 | 2026-01-02 | A flaw has been found in EmpireSoft EmpireCMS up to 8.0. This issue affects the function egetip of the file e/class/connect.php of the component IP Address Han… |
| CVE-2018-6881 | Medium | 5.3 | 2018-02-12 | EmpireCMS 6.6 allows remote attackers to discover the full path via an array value for a parameter to admin/tool/ShowPic.php. |
| CVE-2018-6880 | Medium | 5.3 | 2018-02-12 | EmpireCMS 6.6 through 7.2 allows remote attackers to discover the full path via an array value for a parameter to class/connect.php. |
| CVE-2018-19461 | Medium | 4.8 | 2019-06-07 | admin\db\DoSql.php in EmpireCMS through 7.5 allows XSS via crafted SQL syntax to admin/admin.php. |
| CVE-2012-5777 |  |  | 2012-11-16 | Eval injection vulnerability in the ReplaceListVars function in the template parser in e/class/connect.php in EmpireCMS 6.6 allows user-assisted remote attacke… |