Known Vulnerabilities for products from Civicrm
Listed below are 10 of the newest known vulnerabilities associated with the vendor "Civicrm".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs; each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2025-32551 | Not Provided | | 2025-04-11 | 2026-04-23 |
| CVE-2025-31618 | Not Provided | | 2025-03-31 | 2026-04-23 |
| CVE-2023-25440 | Stored Cross Site Scripting (XSS) vulnerability in the add contact function CiviCRM 5.59.alpha1, allows attackers to execute ... | 5.4 - MEDIUM | 2023-05-23 | 2023-05-30 |
| CVE-2020-36389 | In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF. | 4.3 - MEDIUM | 2021-06-17 | 2023-02-03 |
| CVE-2020-36388 | In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR arch... | 8.8 - HIGH | 2021-06-17 | 2023-02-03 |
| CVE-2018-1999022 | PEAR HTML_QuickForm version 3.2.14 contains an eval injection (CWE-95) vulnerability in HTML_QuickForm's getSubmitValue metho... | 9.8 - CRITICAL | 2018-07-23 | 2018-10-03 |
| CVE-2015-4391 | Cross-site request forgery (CSRF) vulnerability in the CiviCRM private report module 6.x-1.x before 6.x-1.2 and 7.x-1.x befor... | 6.8 - MEDIUM | 2015-06-15 | 2016-06-09 |
| CVE-2013-5957 | Multiple SQL injection vulnerabilities in CRM/Core/Page/AJAX/Location.php in CiviCRM before 4.2.12, 4.3.x before 4.3.7, and 4... | 7.5 - HIGH | 2013-11-27 | 2021-04-16 |
| CVE-2013-4662 | The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the v... | 6.5 - MEDIUM | 2014-01-29 | 2014-02-21 |
| CVE-2013-4661 | CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions f... | 4.9 - MEDIUM | 2014-01-29 | 2014-02-21 |
| CVE-2013-1636 | Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Open Flash Chart (aka Open-Flash Chart), as used in the P... | 4.3 - MEDIUM | 2014-03-12 | 2017-08-29 |
| CVE-2011-5239 | CiviCRM 4.0.5 and 4.1.1 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or s... | 5.8 - MEDIUM | 2012-11-06 | 2012-11-06 |
Known software with vulnerabilities from Civicrm
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Civicrm | Civicrm | 3.1.0 |
| Application | Civicrm | Civicrm Private Report | 6.x-1.0 |