Webkul Qloapps
14 CVEs affecting Webkul Qloapps. Latest disclosed: 2026-01-12. Critical: 1, High: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-67325 | Critical | 9.8 | 2026-01-08 | Unrestricted file upload in the hotel review feature in QloApps versions 1.7.0 and earlier allows remote unauthenticated attackers to achieve remote code execu… |
| CVE-2023-36284 | High | 7.5 | 2023-06-23 | An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameter date_from, date_to, and id_product allows a remote attacker to bypa… |
| CVE-2024-40318 | High | 7.2 | 2024-07-25 | An arbitrary file upload vulnerability in Webkul Qloapps v1.6.0.0 allows attackers to execute arbitrary code via uploading a crafted file. |
| CVE-2023-36235 | Medium | 6.5 | 2024-01-17 | An issue in webkul qloapps before v1.6.0 allows an attacker to obtain sensitive information via the id_order parameter. |
| CVE-2023-36287 | Medium | 6.1 | 2023-06-23 | An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then imperso… |
| CVE-2023-36289 | Medium | 6.1 | 2023-06-23 | An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then imperso… |
| CVE-2023-30256 | Medium | 6.1 | 2023-05-11 | Cross Site Scripting vulnerability found in Webkul QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create param… |
| CVE-2021-41074 | Medium | 5.4 | 2026-01-12 | A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document. |
| CVE-2023-36288 | Medium | 5.4 | 2023-06-23 | An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then imperso… |
| CVE-2025-10759 | Medium | 5.3 | 2025-09-21 | A vulnerability was detected in Webkul QloApps up to 1.7.0. This affects an unknown function of the component CSRF Token Handler. Performing manipulation of th… |
| CVE-2025-6173 | Medium | 4.7 | 2025-06-17 | A vulnerability classified as critical was found in Webkul QloApps 1.6.1. Affected by this vulnerability is an unknown functionality of the file /admin/ajax_pr… |
| CVE-2025-1155 | Medium | 4.3 | 2025-02-10 | A vulnerability, which was classified as problematic, was found in Webkul QloApps 1.6.1. This affects an unknown part of the file /stores of the component Your… |
| CVE-2025-1074 | Medium | 4.3 | 2025-02-06 | A vulnerability, which was classified as problematic, was found in Webkul QloApps 1.6.1. Affected is the function logout of the file /en/?mylogout of the compo… |
| CVE-2025-26058 | Medium | 4.2 | 2025-02-18 | Webkul QloApps v1.6.1 exposes authentication tokens in URLs during redirection. When users access the admin panel or other protected areas, the application app… |