VulnerableCode Package Details - pkg:composer/processwire/processwire@3.0.210

Search for packages

Vulnerability	Summary	Fixed by
VCID-74dy-wnf7-p7ha Aliases: CVE-2025-60790 GHSA-9p44-q66p-xm6p	ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limits prior to validation, enabling resource-exhaustion Denial of Service.	There are no reported fixed by versions.
VCID-p9vh-54ts-ruhq Aliases: CVE-2026-40500 GHSA-gmwr-9j4p-96vm	ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests to attacker-controlled internal or external hosts. Attackers can exploit differentiable error messages returned by the server to perform reliable internal network port scanning, host enumeration across RFC-1918 ranges, and potential access to cloud instance metadata endpoints.	There are no reported fixed by versions.
VCID-vk7u-xv74-b3cp Aliases: CVE-2024-41597 GHSA-r9vw-cjf9-xh4x	Cross Site Request Forgery vulnerability in ProcessWire v.3.0.229 allows a remote attacker to execute arbitrary code via a crafted HTML file to the comments functionality.	There are no reported fixed by versions.
VCID-wfd5-smt5-c7hy Aliases: CVE-2023-24676 GHSA-2cvg-w29m-j8xc	An issue found in ProcessWire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the download_zip_url parameter when installing a new module. NOTE: this is disputed because exploitation requires that the attacker is able to enter requests as an admin; however, a ProcessWire admin is intentionally allowed to install any module that contains any arbitrary code.	3.0.226 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-74dy-wnf7-p7ha
Aliases:
CVE-2025-60790
GHSA-9p44-q66p-xm6p

ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limits prior to validation, enabling resource-exhaustion Denial of Service.

There are no reported fixed by versions.

VCID-p9vh-54ts-ruhq
Aliases:
CVE-2026-40500
GHSA-gmwr-9j4p-96vm

ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests to attacker-controlled internal or external hosts. Attackers can exploit differentiable error messages returned by the server to perform reliable internal network port scanning, host enumeration across RFC-1918 ranges, and potential access to cloud instance metadata endpoints.

There are no reported fixed by versions.

VCID-vk7u-xv74-b3cp
Aliases:
CVE-2024-41597
GHSA-r9vw-cjf9-xh4x

Cross Site Request Forgery vulnerability in ProcessWire v.3.0.229 allows a remote attacker to execute arbitrary code via a crafted HTML file to the comments functionality.

There are no reported fixed by versions.

VCID-wfd5-smt5-c7hy
Aliases:
CVE-2023-24676
GHSA-2cvg-w29m-j8xc

An issue found in ProcessWire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the download_zip_url parameter when installing a new module. NOTE: this is disputed because exploitation requires that the attacker is able to enter requests as an admin; however, a ProcessWire admin is intentionally allowed to install any module that contains any arbitrary code.

3.0.226
Affected by 3 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T22:08:31.570817+00:00	GitLab Importer	Affected by	VCID-p9vh-54ts-ruhq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/processwire/processwire/CVE-2026-40500.yml	38.6.0
2026-06-12T20:26:12.276266+00:00	GitLab Importer	Affected by	VCID-74dy-wnf7-p7ha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/processwire/processwire/CVE-2025-60790.yml	38.6.0
2026-06-12T19:35:34.240217+00:00	GitLab Importer	Affected by	VCID-vk7u-xv74-b3cp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/processwire/processwire/CVE-2024-41597.yml	38.6.0
2026-06-12T15:47:57.505432+00:00	GitLab Importer	Affected by	VCID-wfd5-smt5-c7hy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/processwire/processwire/CVE-2023-24676.yml	38.6.0
2026-06-11T20:33:40.795834+00:00	GHSA Importer	Affected by	VCID-wfd5-smt5-c7hy	https://github.com/advisories/GHSA-2cvg-w29m-j8xc	38.6.0