Juzaweb


Products by Juzaweb, sorted by most security vulnerabilities since 2018

Juzaweb Cms: 23 vulnerabilities
Juzaweb Cms: 1 vulnerability

By the Year

In 2026 there have been 7 vulnerabilities in Juzaweb with an average score of 5.2 out of ten. Last year, in 2025, Juzaweb had 12 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Juzaweb in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 1.23.

Year   Vulnerabilities   Average Score
2026   7                 5.24
2025   12                6.48
2024   2                 4.90
2023   2                 6.60

It may take a day or so for new Juzaweb vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Juzaweb Security Vulnerabilities

CVE-2026-56394 | Jun 21, 2026 | Product: Cms
Craft CMS 4.0.0RC1 Path Traversal Local File Read via assets/icon
Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.

CVE-2026-56393 | Jun 21, 2026 | Product: Cms
Stored XSS in Craft CMS 4.x/5.x <4.17.0/5.9.0
Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

CVE-2026-56385 | Jun 21, 2026 | Product: Cms
Craft CMS <=5.9.13 Auth Bypass via assets/preview-file (fixed 5.9.14)
Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an asset they are not permitted to view and still receive preview response data (previewHtml), including a private preview image route containing the target private assetId. Fixed in 5.9.14 and 4.17.8.

CVE-2026-56383 | Jun 21, 2026 | Product: Cms
Craft CMS 4.x/5.x XSS in editableTable.twig via Row Heading
Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript that executes when another user views a page containing the affected table field. Affected versions are >= 4.5.0-beta.1 through 4.16.18 and >= 5.0.0-RC1 through 5.8.22; fixed in 4.16.19 and 5.8.23.

CVE-2026-56384 | Jun 21, 2026 | Product: Cms
Craft CMS previewthumb auth bypass pre 4.17.8/5.9.14
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, <= 4.17.7 and >= 5.0.0-RC1, <= 5.9.13, and is fixed in 4.17.8 and 5.9.14.

CVE-2026-56382 | Jun 21, 2026 | Product: Cms
Craft CMS RCE via FieldsController::actionRenderCardPreview (v5.5-5.9.13)
Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14.

CVE-2026-56381 | Jun 21, 2026 | Product: Cms
Craft CMS 5.0.0-RC1 XSS via Unescaped User Group Names
Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.

CVE-2025-6735 | Jun 27, 2025 | Product: Cms
Juzaweb CMS 3.4.2 Remote Improper Auth in Import Page
A vulnerability classified as critical has been found in juzaweb CMS 3.4.2. Affected is an unknown function of the file /admin-cp/imports of the component Import Page. The manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2025-6736 | Jun 27, 2025 | Product: Cms
juzaweb CMS 3.4.2 Improper Auth via Add New Themes Page
A vulnerability classified as critical was found in juzaweb CMS 3.4.2. Affected by this vulnerability is an unknown functionality of the file /admin-cp/theme/install of the component Add New Themes Page. The manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2025-5429 | Jun 02, 2025 | Product: Cms
JuzaWeb CMS <3.4.2: Improper Access Control in Plugins Page (/admin-cp/plugin/install)
A vulnerability classified as critical was found in juzaweb CMS up to 3.4.2. This vulnerability affects unknown code of the file /admin-cp/plugin/install of the component Plugins Page. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).