GilaCMS/gila

GitHub

github.com

gilacms.com

Releases0

Stars45

A lightweight and fast CMS system built with PHP

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2021-47900 ↗	Jan 27, 2026Tuesday, 27 January 2026, 16:16	9.8 CRITICAL	—
Gila CMS versions prior to 2.0.0 contain a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through manipulated HTTP headers. Attackers can inject PHP code in the User-Agent header with shell_exec() to run system commands by sending crafted requests to the admin endpoint.
CVE-2020-26625 ↗	Jan 2, 2024Tuesday, 2 January 2024, 22:15	3.8 LOW	—
A SQL injection vulnerability was discovered in Gila CMS 1.15.4 and earlier which allows a remote attacker to execute arbitrary web scripts via the 'user_id' parameter after the login portal.
CVE-2020-26624 ↗	Jan 2, 2024Tuesday, 2 January 2024, 22:15	3.8 LOW	—
A SQL injection vulnerability was discovered in Gila CMS 1.15.4 and earlier which allows a remote attacker to execute arbitrary web scripts via the ID parameter after the login portal.
CVE-2020-26623 ↗	Jan 2, 2024Tuesday, 2 January 2024, 22:15	3.8 LOW	—
SQL Injection vulnerability discovered in Gila CMS 1.15.4 and earlier allows a remote attacker to execute arbitrary web scripts via the Area parameter under the Administration>Widget tab after the login portal.
CVE-2020-20523 ↗	Aug 11, 2023Friday, 11 August 2023, 14:15	6.1 MEDIUM	—
Cross Site Scripting (XSS) vulnerability in adm_user parameter in Gila CMS version 1.11.3, allows remote attackers to execute arbitrary code during the Gila CMS installation.
CVE-2020-20726 ↗	Jun 20, 2023Tuesday, 20 June 2023, 15:15	8.8 HIGH	—
Cross Site Request Forgery vulnerability in Gila GilaCMS v.1.11.4 allows a remote attacker to execute arbitrary code via the cm/update_rows/user parameter.
CVE-2020-20696 ↗	Sep 27, 2021Monday, 27 September 2021, 22:15	5.4 MEDIUM	3.5 LOW
A cross-site scripting (XSS) vulnerability in /admin/content/post of GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Tags field.
CVE-2020-20693 ↗	Sep 27, 2021Monday, 27 September 2021, 22:15	8.8 HIGH	6.8 MEDIUM
A Cross-Site Request Forgery (CSRF) in GilaCMS v1.11.4 allows authenticated attackers to arbitrarily add administrator accounts.
CVE-2020-20695 ↗	Sep 27, 2021Monday, 27 September 2021, 22:15	5.4 MEDIUM	3.5 LOW
A stored cross-site scripting (XSS) vulnerability in GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file.
CVE-2020-20692 ↗	Sep 27, 2021Monday, 27 September 2021, 22:15	7.2 HIGH	6.5 MEDIUM
GilaCMS v1.11.4 was discovered to contain a SQL injection vulnerability via the $_GET parameter in /src/core/controllers/cm.php.
CVE-2019-20804 ↗	May 21, 2020Thursday, 21 May 2020, 22:15	8.8 HIGH	6.8 MEDIUM
Gila CMS before 1.11.6 allows CSRF with resultant XSS via the admin/themes URI, leading to compromise of the admin account.
CVE-2019-20803 ↗	May 21, 2020Thursday, 21 May 2020, 22:15	6.1 MEDIUM	4.3 MEDIUM
Gila CMS before 1.11.6 has reflected XSS via the admin/content/postcategory id parameter, which is mishandled for g_preview_theme.
CVE-2019-17536 ↗	Oct 13, 2019Sunday, 13 October 2019, 18:15	4.9 MEDIUM	4 MEDIUM
Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.
CVE-2019-17535 ↗	Oct 13, 2019Sunday, 13 October 2019, 18:15	6.1 MEDIUM	4.3 MEDIUM
Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647.
CVE-2019-16679 ↗	Sep 21, 2019Saturday, 21 September 2019, 20:15	4.9 MEDIUM	4 MEDIUM
Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion.