Vendor coverage
Track published CVEs, severity trends, and remediation context for thedaylightstudio products.
Search results
Showing 1-40 of 40 vulnerabilities.
An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message.
CVSS
7.1
HIGH
Published
Apr 16, 2026
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.
CVSS
8.3
HIGH
Published
Apr 15, 2026
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module.
CVSS
8.8
HIGH
Published
Apr 7, 2026
Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component.
CVSS
7.7
HIGH
Published
Mar 26, 2026
An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset tokens via a mail splitting attack.
CVSS
9.1
CRITICAL
Published
Mar 26, 2026
An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code.
CVSS
9.8
CRITICAL
Published
Mar 26, 2026
Cross Site Scripting vulnerability in Daylight Studio Fuel CMS v.1.5.2 allows an attacker to escalate privileges via the /fuel/blocks/ and /fuel/pages components.
CVSS
5.4
MEDIUM
Published
Feb 12, 2025
A reflected Cross-Site Scripting (XSS) vulnerability in FUEL CMS 1.5.2 allows attackers to run arbitrary code via a crafted string after the group_id parameter.
CVSS
5.4
MEDIUM
Published
Feb 22, 2024
SQL Injection vulnerability in file Base_module_model.php in Daylight Studio FUEL-CMS version 1.4.9, allows remote attackers to execute arbitrary code via the col parameter to function list_items.
CVSS
8.8
HIGH
Published
Aug 11, 2023
File Upload vulnerability in FUEL-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted .php file to the upload parameter in the navigation function.
CVSS
9.8
CRITICAL
Published
Jul 3, 2023
Cross Site Scripting vulnerability in Daylight Studio FUEL-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via the page title, meta description and meta keywords of the pages function.
CVSS
5.4
MEDIUM
Published
Jul 3, 2023
Permissions vulnerability in Fuel-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted zip file to the assests parameter of the upload function.
CVSS
9.8
CRITICAL
Published
Jul 3, 2023
Fuel CMS v1.5.2 was discovered to contain a SQL injection vulnerability via the id parameter at /controllers/Blocks.php.
CVSS
8.8
HIGH
Published
Jun 9, 2023
Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /permissions/delete/2---.
CVSS
8.8
HIGH
Published
Feb 3, 2023
Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /users/delete/2.
CVSS
8.8
HIGH
Published
Feb 3, 2023
A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0 via a POST call to /fuel/sitevariables/delete/4.
CVSS
8.8
HIGH
Published
Jun 10, 2022
A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger an XSS attack.
CVSS
5.4
MEDIUM
Published
May 3, 2022
Daylight Studio Fuel CMS 1.5.1 is vulnerable to HTML Injection.
CVSS
5.4
MEDIUM
Published
Apr 11, 2022
A Cross Site Scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 in the Assets page via an SVG file.
CVSS
5.4
MEDIUM
Published
Feb 24, 2022
FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/logs/items
CVSS
9.8
CRITICAL
Published
Sep 9, 2021
Fuel CMS 1.5.0 has a brute force vulnerability in fuel/modules/fuel/controllers/Login.php
CVSS
5.3
MEDIUM
Published
Sep 9, 2021
FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/pages/items
CVSS
8.8
HIGH
Published
Sep 9, 2021
FUEL CMS 1.5.0 login.php contains a cross-site request forgery (CSRF) vulnerability
CVSS
6.5
MEDIUM
Published
Sep 9, 2021
A host header attack vulnerability exists in FUEL CMS 1.5.0 through fuel/modules/fuel/config/fuel_constants.php and fuel/modules/fuel/libraries/Asset.php. An attacker can use a man in the middle attack such as phishing.
CVSS
8.1
HIGH
Published
Aug 9, 2021
FUEL CMS 1.4.13 contains a cross-site request forgery (CSRF) vulnerability that can delete a page via a post ID to /pages/delete/3.
CVSS
4.3
MEDIUM
Published
Mar 10, 2021
FUEL CMS 1.4.8 allows SQL injection via the 'fuel_replace_id' parameter in pages/replace/1. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CVSS
9.8
CRITICAL
Published
Mar 10, 2021
An issue was discovered in FUEL CMS 1.4.7. There is an escalation of privilege vulnerability to obtain super admin privilege via the "id" and "fuel_id" parameters.
CVSS
8.8
HIGH
Published
Mar 10, 2021
An issue was discovered in FUEL CMS V1.4.7. An attacker can use an XSS payload and bypass a filter via /fuelCM/fuel/pages/edit/1?lang=english.
CVSS
5.4
MEDIUM
Published
Mar 10, 2021
FUEL CMS 1.4.11 has stored XSS in Blocks/Navigation/Site variables. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account and also impact other visitors.
CVSS
5.4
MEDIUM
Published
Jan 5, 2021
FUEL CMS 1.4.11 allows SQL Injection via parameter 'name' in /fuel/permissions/create/. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CVSS
9.8
CRITICAL
Published
Jan 5, 2021
In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any account including an administrator one.
CVSS
9.8
CRITICAL
Published
Nov 4, 2020
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
CVSS
9.8
CRITICAL
Published
Aug 13, 2020
FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of the Admin console. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.
CVSS
8.8
HIGH
Published
Aug 20, 2019
FUEL CMS 1.4.4 has XSS in the Create Blocks section of the Admin console. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account but can also impact unauthenticated visitors.
CVSS
5.4
MEDIUM
Published
Aug 20, 2019
FUEL CMS 1.4.3 has CSRF via users/create/ to add an administrator account.
CVSS
8.8
HIGH
Published
Dec 17, 2018
XSS exists in FUEL CMS 1.4.3 via the Page title, Meta description, or Meta keywords during page data management, as demonstrated by the pages/edit/1?lang=english URI.
CVSS
4.8
MEDIUM
Published
Dec 13, 2018
XSS exists in FUEL CMS 1.4.3 via the Header or Body in the Layout Variables during new-page creation, as demonstrated by the pages/edit/1?lang=english URI.
CVSS
4.8
MEDIUM
Published
Dec 13, 2018
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
CVSS
9.8
CRITICAL
Published
Sep 9, 2018
FUEL CMS 1.4.1 allows SQL Injection via the layout, published, or search_term parameter to pages/items.
CVSS
9.8
CRITICAL
Published
Sep 9, 2018
Cross-site request forgery (CSRF) vulnerability in my_profile/edit?inline= in FUEL CMS 1.4 allows remote attackers to change the administrator's password.
CVSS
8.8
HIGH
Published
Sep 3, 2018