Xxyopen Novel-plus
50 CVEs affecting Xxyopen Novel-plus. Latest disclosed: 2025-10-08. Critical: 21, High: 6.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-45890 | Critical | 9.8 | 2025-06-20 | Directory Traversal vulnerability in novel plus before v.5.1.0 allows a remote attacker to execute arbitrary code via the filePath parameter |
| CVE-2024-25274 | Critical | 9.8 | 2024-02-20 | An arbitrary file upload vulnerability in the component /sysFile/upload of Novel-Plus v4.3.0-RC1 allows attackers to execute arbitrary code via uploading a cra… |
| CVE-2024-24021 | Critical | 9.8 | 2024-02-08 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform S… |
| CVE-2024-24017 | Critical | 9.8 | 2024-02-08 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQ… |
| CVE-2024-24014 | Critical | 9.8 | 2024-02-08 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQ… |
| CVE-2024-24026 | Critical | 9.8 | 2024-02-08 | An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An a… |
| CVE-2024-24025 | Critical | 9.8 | 2024-02-08 | An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pas… |
| CVE-2024-24024 | Critical | 9.8 | 2024-02-08 | An arbitrary File download vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: fileDownload(). An attacker… |
| CVE-2024-24023 | Critical | 9.8 | 2024-02-08 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform S… |
| CVE-2024-24018 | Critical | 9.8 | 2024-02-08 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform… |
| CVE-2024-24019 | Critical | 9.8 | 2024-02-07 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform… |
| CVE-2024-24015 | Critical | 9.8 | 2024-02-06 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform… |
| CVE-2024-24013 | Critical | 9.8 | 2024-02-06 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQ… |
| CVE-2023-46981 | Critical | 9.8 | 2023-11-05 | SQL injection vulnerability in Novel-Plus v.4.2.0 allows a remote attacker to execute arbitrary code via a crafted script to the sort parameter in /common/log/… |
| CVE-2023-30058 | Critical | 9.8 | 2023-09-11 | novel-plus 3.6.2 is vulnerable to SQL Injection. |
| CVE-2023-37847 | Critical | 9.8 | 2023-08-14 | novel-plus v3.6.2 was discovered to contain a SQL injection vulnerability. |
| CVE-2022-36672 | Critical | 9.8 | 2022-09-01 | Novel-Plus v3.6.2 was discovered to contain a hard-coded JWT key located in the project config file. This vulnerability allows attackers to create a custom use… |
| CVE-2022-35121 | Critical | 9.8 | 2022-08-17 | Novel-Plus v3.6.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /service/impl/BookServiceImpl.java. |
| CVE-2021-42967 | Critical | 9.8 | 2022-05-13 | Unrestricted file upload in /novel-admin/src/main/java/com/java2nb/common/controller/FileController.java in novel-plus all versions allows an attacker t… |
| CVE-2021-41921 | Critical | 9.8 | 2022-04-28 | novel-plus V3.6.1 allows unrestricted file uploads. Unrestricted file suffixes and contents can lead to server attacks and arbitrary code execution. |