Xxyopen Novel-plus

50 CVEs affecting Xxyopen Novel-plus. Latest disclosed: 2025-10-08. Critical: 21, High: 6.

Top CVEs affecting Xxyopen Novel-plus
| CVE | Severity | Score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2025-45890 | Critical | 9.8 | 2025-06-20 | Directory Traversal vulnerability in novel plus before v.5.1.0 allows a remote attacker to execute arbitrary code via the filePath parameter |
| CVE-2024-25274 | Critical | 9.8 | 2024-02-20 | An arbitrary file upload vulnerability in the component /sysFile/upload of Novel-Plus v4.3.0-RC1 allows attackers to execute arbitrary code via uploading a cra… |
| CVE-2024-24021 | Critical | 9.8 | 2024-02-08 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform S… |
| CVE-2024-24017 | Critical | 9.8 | 2024-02-08 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQ… |
| CVE-2024-24014 | Critical | 9.8 | 2024-02-08 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQ… |
| CVE-2024-24026 | Critical | 9.8 | 2024-02-08 | An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An a… |
| CVE-2024-24025 | Critical | 9.8 | 2024-02-08 | An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pas… |
| CVE-2024-24024 | Critical | 9.8 | 2024-02-08 | An arbitrary File download vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: fileDownload(). An attacker… |
| CVE-2024-24023 | Critical | 9.8 | 2024-02-08 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform S… |
| CVE-2024-24018 | Critical | 9.8 | 2024-02-08 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform… |
| CVE-2024-24019 | Critical | 9.8 | 2024-02-07 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform… |
| CVE-2024-24015 | Critical | 9.8 | 2024-02-06 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform… |
| CVE-2024-24013 | Critical | 9.8 | 2024-02-06 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQ… |
| CVE-2023-46981 | Critical | 9.8 | 2023-11-05 | SQL injection vulnerability in Novel-Plus v.4.2.0 allows a remote attacker to execute arbitrary code via a crafted script to the sort parameter in /common/log/… |
| CVE-2023-30058 | Critical | 9.8 | 2023-09-11 | novel-plus 3.6.2 is vulnerable to SQL Injection. |
| CVE-2023-37847 | Critical | 9.8 | 2023-08-14 | novel-plus v3.6.2 was discovered to contain a SQL injection vulnerability. |
| CVE-2022-36672 | Critical | 9.8 | 2022-09-01 | Novel-Plus v3.6.2 was discovered to contain a hard-coded JWT key located in the project config file. This vulnerability allows attackers to create a custom use… |
| CVE-2022-35121 | Critical | 9.8 | 2022-08-17 | Novel-Plus v3.6.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /service/impl/BookServiceImpl.java. |
| CVE-2021-42967 | Critical | 9.8 | 2022-05-13 | Unrestricted file upload in /novel-admin/src/main/java/com/java2nb/common/controller/FileController.java in novel-plus all versions allows an attacker t… |
| CVE-2021-41921 | Critical | 9.8 | 2022-04-28 | novel-plus V3.6.1 allows unrestricted file uploads. Unrestricted file suffixes and contents can lead to server attacks and arbitrary code execution. |