[LOW] REDAXO has reflected XSS backend packages API via function parameter (CSRF token required)

PKSA-ps7n-211c-nz3j GHSA-xq4j-g85q-wf97

Affected version: <5.21.0

Reported by:
GitHub

[LOW] REDAXO has reflected XSS in backend Metainfo API via type parameter (CSRF token required)

PKSA-4w67-7bxw-yj96 GHSA-m662-8jrj-cw6v

Affected version: <5.21.0

Reported by:
GitHub

[HIGH] Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read

PKSA-h8yt-8rph-k3h8 CVE-2026-21857 GHSA-824x-88xg-cwrv

Affected version: <=5.20.1

Reported by:
GitHub

[MEDIUM] REDAXO CMS is vulnerable to Reflected XSS in Mediapool Info Banner via args[types]

PKSA-dcqq-vjpq-jyz4 CVE-2025-66026 GHSA-x6vr-q3vf-vqgq

Affected version: <5.20.1

Reported by:
GitHub

[MEDIUM] REDAXO CMS is vulnerable to XSS through its module management component

PKSA-wmbc-n846-7h2f CVE-2025-64049 GHSA-vqc7-7fj4-3fm3

Affected version: <5.20.1

Reported by:
GitHub

[HIGH] REDAXO CMS is vulnerable to RCE attack through its template management component

PKSA-wnfn-tqc3-fmcx CVE-2025-64050 GHSA-xj9j-gjxg-7jvq

Affected version: <5.20.1

Reported by:
GitHub