If you discover a security issue with REDAXO or a related package, please
contact us via https://github.com/redaxo/core/security/advisories/new or
info {at} redaxo.org instead of using a public channel. That way we can work
on a fix together before everyone knows how to exploit a potential issue. Thank
you!
Security: redaxo/core
- Reflected XSS in REDAXO backend Metainfo API via type parameter (CSRF token required). GHSA-m662-8jrj-cw6v, published Apr 9, 2026 by gharlan. Severity: Low
- Reflected XSS in REDAXO backend packages API via function parameter (CSRF token required). GHSA-xq4j-g85q-wf97, published Apr 9, 2026 by gharlan. Severity: Low
- Path Traversal in Backup Addon Leading to Arbitrary File Read. GHSA-824x-88xg-cwrv, published Jan 5, 2026 by gharlan. Severity: High
- Reflected XSS in Mediapool Info Banner via args[types]. GHSA-x6vr-q3vf-vqgq, published Nov 25, 2025 by gharlan. Severity: Moderate
- Arbitrary File Upload in mediapool page. GHSA-wppf-gqj5-fc4f, published Mar 5, 2025 by gharlan. Severity: Moderate
- Authenticated Reflected Cross Site Scripting - packages installation. GHSA-8366-xmgf-334f, published Mar 5, 2025 by gharlan. Severity: Moderate
- Stored XSS on REDAXO 5.18.1 - Article / "content/edit". GHSA-7wj8-856p-qc9m, published Feb 10, 2025 by gharlan. Severity: Moderate