Totaljs: >> Total.js >> 3.4.7 Security Vulnerabilities
A vulnerability has been found in Total.js CMS up to 19.9.0. This impacts an unknown function of the component Files Menu. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
4.8
EPSS Score
0.0
Published
2025-09-26
In Total.js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter.
CVSS Score
8.8
EPSS Score
0.036
Published
2022-10-30
Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to code-injection. This can cause a variety of impacts that include arbitrary code execution. This is fixed in version 3.4.9.
CVSS Score
7.5
EPSS Score
0.009
Published
2021-08-30
The package total.js before 3.4.9 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.
CVSS Score
9.8
EPSS Score
0.053
Published
2021-07-12
The package total.js before 3.4.8 are vulnerable to Remote Code Execution (RCE) via set.
CVSS Score
9.8
EPSS Score
0.127
Published
2021-03-04