Neos - 5 CVEs (Page 1/1)

About “Neos”

A curated feed of “Neos”-related CVEs appears below. We currently track 5 CVEs for this tag (all time). In the last 365 days, 1 were published. Average CVSS is 5.6 (all time; 4.3 over 365d), and 0% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-352 - Cross-Site Request Forgery (CSRF).

In our taxonomy this topic maps to a LOW impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: neos

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	Premier Support	EOL	LTS
9.1	2025-12-17	9.1.5	2027-04-01	2028-04-01
8.4	2025-10-10	8.4.5	2026-09-01	2027-09-01	LTS
9.0	2025-04-03	9.0.12	2027-04-01	2028-04-01
8.3	2023-04-24	8.3.33	2026-09-01	2027-09-01	LTS
8.2	2022-12-01	8.2.14	2024-03-31	2025-03-31 Expired
8.1	2022-09-02	8.1.14	2024-03-31	2025-03-31 Expired
8.0	2022-04-01	8.0.19	2024-03-31	2025-03-31 Expired
7.3	2021-12-08	7.3.21	2024-03-31	2025-03-31 Expired	LTS

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS · RSS (expired) · ICS

Subscribe CVEs: RSS for “Neos”

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2026-03-21

Medium

CVE-2026-4143

The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncff_add_p…

CVSS: 4.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD

2023-09-18

Medium

CVE-2023-37611

Cross Site Scripting (XSS) vulnerability in Neos CMS 8.3.3 allows a remote authenticated attacker to execute arbitrary code via a crafted SVG file to the neos/management/media component.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2022-06-02

Medium

CVE-2022-30429

Multiple cross-site scripting (XSS) vulnerabilities in Neos CMS allow attackers with the editor role or higher to inject arbitrary script or HTML code using the editor function, the deletion of asset…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2021-06-21

Medium

CVE-2021-32697

neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is se…

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD

2015-04-01

Medium

CVE-2015-2821

TYPO3 Neos 1.1.x before 1.1.3 and 1.2.x before 1.2.3 allows remote editors to access, create, and modify content nodes in the workspace of other editors via unspecified vectors.

CVSS: 6.5 CWE: CWE-264 View on NVD