CVE-2014-9146
Fiyo CMS 2.0.1.8 - Cross-Site Scripting via Multiple URI Parameters
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2014-9146.
AI-analyzed exploit summary
The provided exploit demonstrates multiple SQL injection vulnerabilities in FiyoCMS 2.0.1.8, including UNION-based, error-based, and time-based blind SQLi. It includes specific payloads and Sqlmap outputs for parameters like 'id', 'cat', 'user', and 'level'.
Description
Multiple cross-site scripting (XSS) vulnerabilities in Fiyo CMS 2.0.1.8 allow remote attackers to inject arbitrary web script or HTML via the (1) view, (2) id, (3) page, or (4) app parameter to the default URI or the (5) act parameter to dapur/index.php.