CVE Daily – Backdrop (High+Critical)

[High] CVE-2026-45430 – The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a ...

Tue, 12 May 2026 04:16:28 +0000

High CVE-2026-45430

The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks.

CVSS: 7.1 · CWE: CWE-352

View on NVD

[High] CVE-2025-27822 – An issue was discovered in the Masquerade module before 1.x-1.0.1 for Backdrop C...

Fri, 07 Mar 2025 22:15:37 +0000

High CVE-2025-27822

An issue was discovered in the Masquerade module before 1.x-1.0.1 for Backdrop CMS. It allows people to temporarily switch to another user account. The module provides a "Masquerade as admin" permission to restrict people (who can masquerade) from switching to an account with administrative privileges. This permission is not always honored and may allow non-administrative users to masquerade as a…

CVSS: 7.5 · CWE: CWE-863

View on NVD

[High] CVE-2022-42092 – Backdrop CMS 1.22.0 has Unrestricted File Upload vulnerability via 'themes' that...

Fri, 07 Oct 2022 18:15:23 +0000

High CVE-2022-42092

Backdrop CMS 1.22.0 has Unrestricted File Upload vulnerability via 'themes' that allows attackers to Remote Code Execution. Note: Third parties dispute this and argue that advanced permissions are required.

CVSS: 7.2 · CWE: CWE-434

View on NVD

[High] CVE-2021-45268 – A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, w...

Thu, 03 Feb 2022 22:15:08 +0000

High CVE-2021-45268

A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file. NOTE: the vendor disputes this because the attack requires a session cookie of a high-privileged authenticated user who is entitled to install arbitrary add-ons

CVSS: 8.8 · CWE: CWE-352

View on NVD

[High] CVE-2019-19902 – An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1...

Thu, 19 Dec 2019 06:15:11 +0000

High CVE-2019-19902

An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It allows the upload of entire-site configuration archives through the user interface or command line. It does not sufficiently check uploaded archives for invalid data, allowing non-configuration scripts to potentially be uploaded to the server. This issue is mitigated by the fact that the attacker would be re…

CVSS: 7.2 · CWE: CWE-20

View on NVD

[Critical] CVE-2019-14771 – Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 allows the upload of ...

Thu, 08 Aug 2019 02:15:11 +0000

Critical CVE-2019-14771

Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 allows the upload of entire-site configuration archives through the user interface or command line. It does not sufficiently check uploaded archives for invalid data, potentially allowing non-configuration scripts to be uploaded to the server. (This attack is mitigated by the attacker needing the "Synchronize, import, and export configura…

CVSS: 9.8 · CWE: CWE-20

View on NVD