LavaLite/cms

GitHub

github.com

lavalite.org

Releases57

Frequency1 month 1 week

Last Release almost 3 years ago

Stars2.89K

Multilingual PHP CMS built with Laravel and bootstrap

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-70866 ↗	Feb 13, 2026Friday, 13 February 2026, 22:16	8.8 HIGH	—
LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider without role-based access control verification.
CVE-2025-71177 ↗	Jan 23, 2026Friday, 23 January 2026, 17:16	5.4 MEDIUM	—
LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim.
CVE-2023-36984 ↗	Aug 1, 2023Tuesday, 1 August 2023, 02:15	7.5 HIGH	—
LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure.
CVE-2023-36983 ↗	Aug 1, 2023Tuesday, 1 August 2023, 02:15	7.5 HIGH	—
LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure.
CVE-2023-30124 ↗	May 18, 2023Thursday, 18 May 2023, 01:15	5.4 MEDIUM	—
LavaLite v9.0.0 is vulnerable to Cross Site Scripting (XSS).
CVE-2023-27238 ↗	May 12, 2023Friday, 12 May 2023, 11:15	9.8 CRITICAL	—
LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning.
CVE-2020-23234 ↗	Jul 26, 2021Monday, 26 July 2021, 20:15	4.8 MEDIUM	3.5 LOW
Cross Site Scripting (XSS) vulnerabiity exists in LavaLite CMS 5.8.0 via the Menu Blocks feature, which can be bypassed by using HTML event handlers, such as "ontoggle,".
CVE-2020-23700 ↗	Jul 7, 2021Wednesday, 7 July 2021, 19:15	4.8 MEDIUM	3.5 LOW
Cross Site Scripting (XSS) vulnerability in LavaLite-CMS 5.8.0 via the Menu Links feature.
CVE-2020-36395 ↗	Jul 2, 2021Friday, 2 July 2021, 18:15	5.4 MEDIUM	3.5 LOW
A stored cross site scripting (XSS) vulnerability in the /admin/user/team component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter.
CVE-2020-36397 ↗	Jul 2, 2021Friday, 2 July 2021, 18:15	5.4 MEDIUM	3.5 LOW
A stored cross site scripting (XSS) vulnerability in the /admin/contact/contact component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter.
CVE-2020-36396 ↗	Jul 2, 2021Friday, 2 July 2021, 18:15	5.4 MEDIUM	3.5 LOW
A stored cross site scripting (XSS) vulnerability in the /admin/roles/role component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter.
CVE-2019-18883 ↗	Nov 13, 2019Wednesday, 13 November 2019, 20:15	6.1 MEDIUM	4.3 MEDIUM
XSS exists in Lavalite CMS 5.7 via the admin/profile name or designation field.
CVE-2019-17434 ↗	Oct 10, 2019Thursday, 10 October 2019, 12:15	5.4 MEDIUM	3.5 LOW
LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen.
CVE-2018-16551 ↗	Sep 5, 2018Wednesday, 5 September 2018, 22:29	—	3.5 LOW
LavaLite 5.5 has XSS via a /edit URI, as demonstrated by client/job/job/Zy8PWBekrJ/edit.
CVE-2017-1000467 ↗	Jan 3, 2018Wednesday, 3 January 2018, 15:29	—	3.5 LOW
LavaLite version 5.2.4 is vulnerable to stored cross-site scripting vulnerability, within the blog creation page, which can result in disruption of service and execution of javascript code.