Foxcms: community verdicts
4 notable / known-exploited Foxcms CVEs the community has triaged.
ⓘ Not an exhaustive list: we focus on the findings that matter (exploited / notable). For every Foxcms CVE, see NVD ↗.
- CVE-2025-25789CRIT 9.8Real · low riskEPSS 1%
FoxCMS v1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the index() method at \controller\Sitemap.php.
- CVE-2025-25790CRIT 9.8Real · low riskEPSS 1%
An arbitrary file upload vulnerability in the component \controller\LocalTemplate.php of FoxCMS v1.2.5 allows attackers to execute arbitrary code via uploading a crafted Zip file.
- CVE-2025-55409HIGH 8.8Real · low riskEPSS 0%
FoxCMS 1.2.6, there is a Cross Site Scripting vulnerability in /index.php/article. This allows attackers to execute arbitrary code.
- CVE-2025-55422HIGH 8.8Real · low riskEPSS 0%
In FoxCMS 1.2.6, there is a reflected Cross Site Scripting (XSS) vulnerability in /index.php/plus.