Fuel Cms Thedaylightstudio Fuel Cms

By the Year

In 2026 there has been 1 vulnerability in Thedaylightstudio Fuel Cms, with an average score of 7.1 out of ten. Last year, in 2025, Fuel Cms had 1 security vulnerability published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in Fuel Cms in 2026 could surpass last year's number.




Year    Vulnerabilities    Average Score
2026    1                  7.10
2025    1                  0.00
2024    1                  0.00
2023    7                  8.60
2022    4                  6.25
2021    5                  7.70
2020    2                  9.80
2019    2                  0.00
2018    6                  9.47

It may take a day or so for new Fuel Cms vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Thedaylightstudio Fuel Cms Security Vulnerabilities

Fuel CMS 1.4.13 Blind SQLi via 'col' in Activity Log
CVE-2021-47980 7.1 - High - May 16, 2026

Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the 'col' parameter to extract database information based on response time delays.

SQL Injection

Daylight Studio Fuel CMS 1.5.2 XSS Priv Esc via /fuel/blocks/ & /fuel/pages
CVE-2024-57605 - February 12, 2025

Cross Site Scripting vulnerability in Daylight Studio Fuel CMS v.1.5.2 allows an attacker to escalate privileges via the /fuel/blocks/ and /fuel/pages components.

FUEL CMS 1.5.2 Reflected XSS via group_id
CVE-2024-25369 - February 22, 2024

A reflected Cross-Site Scripting (XSS) vulnerability in FUEL CMS 1.5.2 allows attackers to run arbitrary code via a crafted string after the group_id parameter.

SQL Injection in Base_module_model.php (FUEL-CMS 1.4.9) via col param
CVE-2020-24950 8.8 - High - August 11, 2023

SQL Injection vulnerability in file Base_module_model.php in Daylight Studio FUEL-CMS version 1.4.9, allows remote attackers to execute arbitrary code via the col parameter to function list_items.

SQL Injection

CVE-2020-22152: XSS in Daylight Studio FUEL-CMS 1.4.6 via Meta Tags
CVE-2020-22152 5.4 - Medium - July 03, 2023

Cross Site Scripting vulnerability in daylight studio FUEL-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via the page title, meta description and meta keywords of the pages function.

XSS

Fuel CMS 1.4.6 unauth RCE via malformed ZIP in assets upload
CVE-2020-22151 9.8 - Critical - July 03, 2023

Permissions vulnerability in Fuel-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted zip file to the assets parameter of the upload function.

FUELCMS 1.4.6 Remote File Upload Arbitrary Code Execution
CVE-2020-22153 9.8 - Critical - July 03, 2023

File Upload vulnerability in FUEL-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted .php file to the upload parameter in the navigation function.

Unrestricted File Upload

Fuel CMS v1.5.2 SQLI via id param in Blocks.php
CVE-2023-33557 8.8 - High - June 09, 2023

Fuel CMS v1.5.2 was discovered to contain a SQL injection vulnerability via the id parameter at /controllers/Blocks.php.

SQL Injection

CSRF in Fuel-CMS 1.4.13 /users/delete/2 enabling arbitrary code exec
CVE-2021-36569 8.8 - High - February 03, 2023

Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /users/delete/2.

Session Riding

CSRF allows remote code exec in FUEL-CMS 1.4.13 via /permissions/delete
CVE-2021-36570 8.8 - High - February 03, 2023

Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /permissions/delete/2---.

Session Riding

A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0
CVE-2021-44117 8.8 - High - June 10, 2022

A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0 via a POST call to /fuel/sitevariables/delete/4.

Session Riding

A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1
CVE-2022-28599 5.4 - Medium - May 03, 2022

A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger an XSS attack.

XSS

Daylight Studio Fuel CMS 1.5.1 is vulnerable to HTML Injection.
CVE-2022-27156 5.4 - Medium - April 11, 2022

Daylight Studio Fuel CMS 1.5.1 is vulnerable to HTML Injection.

XSS

A Cross Site Scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 in the Assets page
CVE-2021-44607 5.4 - Medium - February 24, 2022

A Cross Site Scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 in the Assets page via an SVG file.

XSS

FUEL CMS 1.5.0 allows SQL Injection
CVE-2021-38727 9.8 - Critical - September 09, 2021

FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/logs/items

SQL Injection

FUEL CMS 1.5.0 login.php contains a cross-site request forgery (CSRF) vulnerability
CVE-2021-38721 6.5 - Medium - September 09, 2021

FUEL CMS 1.5.0 login.php contains a cross-site request forgery (CSRF) vulnerability

Session Riding

FUEL CMS 1.5.0 allows SQL Injection
CVE-2021-38723 8.8 - High - September 09, 2021

FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/pages/items

SQL Injection

Fuel CMS 1.5.0 has a brute force vulnerability in fuel/modules/fuel/controllers/Login.php
CVE-2021-38725 5.3 - Medium - September 09, 2021

Fuel CMS 1.5.0 has a brute force vulnerability in fuel/modules/fuel/controllers/Login.php

Improper Restriction of Excessive Authentication Attempts

A host header attack vulnerability exists in FUEL CMS 1.5.0 through fuel/modules/fuel/config/fuel_constants.php and fuel/modules/fuel/libraries/Asset.php
CVE-2021-38290 8.1 - High - August 09, 2021

A host header attack vulnerability exists in FUEL CMS 1.5.0 through fuel/modules/fuel/config/fuel_constants.php and fuel/modules/fuel/libraries/Asset.php. An attacker can use a man in the middle attack such as phishing.

Injection

In FUEL CMS 11.4.12 and before, the page preview feature
CVE-2020-26167 9.8 - Critical - November 04, 2020

In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any account including an administrator one.

Information Disclosure

FUEL CMS 1.4.7 allows SQL Injection
CVE-2020-17463 9.8 - Critical - August 13, 2020

FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.

SQL Injection

FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of the Admin console
CVE-2019-15229 - August 20, 2019

FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of the Admin console. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.

FUEL CMS 1.4.4 has XSS in the Create Blocks section of the Admin console
CVE-2019-15228 - August 20, 2019

FUEL CMS 1.4.4 has XSS in the Create Blocks section of the Admin console. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account but can also impact unauthenticated visitors.

FUEL CMS 1.4.3 has CSRF
CVE-2018-20188 - December 17, 2018

FUEL CMS 1.4.3 has CSRF via users/create/ to add an administrator account.

XSS exists in FUEL CMS 1.4.3
CVE-2018-20137 - December 13, 2018

XSS exists in FUEL CMS 1.4.3 via the Page title, Meta description, or Meta keywords during page data management, as demonstrated by the pages/edit/1?lang=english URI.

XSS exists in FUEL CMS 1.4.3
CVE-2018-20136 - December 13, 2018

XSS exists in FUEL CMS 1.4.3 via the Header or Body in the Layout Variables during new-page creation, as demonstrated by the pages/edit/1?lang=english URI.

FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter
CVE-2018-16763 9.8 - Critical - September 09, 2018

FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.

Injection

FUEL CMS 1.4.1 allows SQL Injection
CVE-2018-16762 9.8 - Critical - September 09, 2018

FUEL CMS 1.4.1 allows SQL Injection via the layout, published, or search_term parameter to pages/items.

SQL Injection

Cross-site request forgery (CSRF) vulnerability in my_profile/edit?inline= in FUEL CMS 1.4
CVE-2018-16416 8.8 - High - September 03, 2018

Cross-site request forgery (CSRF) vulnerability in my_profile/edit?inline= in FUEL CMS 1.4 allows remote attackers to change the administrator's password.

Session Riding
