marcantondahmen/automad

marcantondahmen/automad

Releases174

Frequency3 weeks 5 days

Last Release 8 days ago

Stars902

A flat-file content management system and template engine

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-45332 ↗	May 28, 2026Thursday, 28 May 2026, 19:16	7.5 HIGH	—
Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The /_api/user-collection/create-first-user setup endpoint remains publicly accessible once initial configuration is complete and returns full serialized user data in the JSON response body. This vulnerability is fixed in 2.0.0-beta.28.
CVE-2024-40400 ↗	Jul 19, 2024Friday, 19 July 2024, 19:15	8.8 HIGH	—
An arbitrary file upload vulnerability in the image upload function of Automad v2.0.0 allows attackers to execute arbitrary code via a crafted file.
CVE-2021-37502 ↗	Feb 3, 2023Friday, 3 February 2023, 18:15	5.4 MEDIUM	—
Cross Site Scripting (XSS) vulnerability in automad 1.7.5 allows remote attackers to run arbitrary code via the user name field when adding a user.