These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
A cross-site request forgery (CSRF) vulnerability exists in e107 CMS versions prior to 2.3.5. The `session_handler::check()` method fails to enforce CSRF token validation on state-changing requests when no token is present in the request, allowing the check to be bypassed entirely. This affects comment moderation actions, where an attacker could trick an authenticated administrator into performing uninten [truncated]
A Server-Side Request Forgery (SSRF) vulnerability exists in e107 CMS versions prior to 2.3.4. The vulnerability is located in the Media Manager's 'From a remote location' feature, specifically within the 'Image/File URL:' input field. An authenticated administrator can specify URLs pointing to internal/local resources, causing the server to make requests to those endpoints. This allows access to the loca [truncated]
A Host Header Injection vulnerability in e107 CMS prior to version 2.3.4 allows attackers to manipulate password reset links by controlling the Host header, potentially enabling phishing attacks and account takeover. The vulnerability affects the password reset functionality, a critical authentication component. The issue was disclosed on 2026-05-26 and fixed in e107 version 2.3.4. Multiple commits addres [truncated]
A Broken Access Control vulnerability in e107 CMS prior to version 2.3.4 allows authenticated users to edit comments posted by other users. The flaw stems from insufficient server-side validation, where the application relies solely on a predictable identifier in the request to determine which comment to edit without verifying that the requesting user owns the target comment. The vulnerability was disclos [truncated]