{"package":"intelliants/subrion","ecosystem":"composer","latest_version":"v4.2.1","description":"Powerful opensource content management system written in PHP5 + MySQL.","license":"GPL v3","license_risk":"strong_copyleft","commercial_use_notes":"GPL-3.0: derivative works must release source under GPL; includes explicit patent grant.","homepage":"https://github.com/intelliants/subrion","repository":"https://github.com/intelliants/subrion","downloads_weekly":0,"health":{"score":15,"risk":"critical","breakdown":{"maintenance":0,"popularity":0,"security":0,"maturity":9,"community":6},"deprecated":false,"max_score":100},"vulnerabilities":{"count":26,"critical":1,"high":5,"medium":20,"low":0,"details":[{"vuln_id":"CVE-2023-46947","severity":"high","summary":"Subrion remote command execution vulnerability","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2023-11-03T15:33:55Z","in_kev":false,"epss_prob":0.01861,"epss_percentile":0.83136,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-43120","severity":"medium","summary":"Subrion CMS is vulnerable to Cross-Site Scripting (XSS)","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2022-11-09T19:02:23Z","in_kev":false,"epss_prob":0.00594,"epss_percentile":0.69381,"threat_tier":"theoretical"},{"vuln_id":"CVE-2020-12468","severity":"high","summary":"Subrion CMS CSV injection via Export Language","affected_versions":"=4.2.1","fixed_version":null,"source":"osv","published_at":"2022-05-24T17:16:53Z","in_kev":false,"epss_prob":0.00273,"epss_percentile":0.50674,"threat_tier":"theoretical"},{"vuln_id":"CVE-2023-43828","severity":"medium","summary":"Subrion CMS Cross-site Scripting vulnerability in /panel/languages","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2023-09-27T15:30:38Z","in_kev":false,"epss_prob":0.0027,"epss_percentile":0.50427,"threat_tier":"theoretical"},{"vuln_id":"CVE-2023-43875","severity":"medium","summary":"Subrion CMS vulnerable to Cross-site Scripting","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2023-10-20T00:30:24Z","in_kev":false,"epss_prob":0.026,"epss_percentile":0.85676,"threat_tier":"theoretical"},{"vuln_id":"CVE-2018-19422","severity":"high","summary":"Subrion CMS RCE Vulnerability","affected_versions":"<4.2.2|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":"4.2.2","source":"osv","published_at":"2022-05-13T01:10:00Z","in_kev":false,"epss_prob":0.86014,"epss_percentile":0.99397,"threat_tier":"likely_exploited"},{"vuln_id":"CVE-2020-18155","severity":"critical","summary":"SQL Injection in Subrion CMS ","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2021-09-08T17:27:45Z","in_kev":false,"epss_prob":0.00261,"epss_percentile":0.49414,"threat_tier":"theoretical"},{"vuln_id":"CVE-2023-43884","severity":"medium","summary":"Subrion CMS Cross-site Scripting vulnerability","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2023-09-28T15:30:17Z","in_kev":false,"epss_prob":0.00184,"epss_percentile":0.39799,"threat_tier":"theoretical"},{"vuln_id":"CVE-2020-18326","severity":"high","summary":"Cross Site Request Forgery in intelliants/subrion","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2022-03-05T00:00:45Z","in_kev":false,"epss_prob":0.0164,"epss_percentile":0.82024,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-70958","severity":"medium","summary":"Subrion CMS vulnerable to cross-site scripting","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2026-02-03T00:30:18Z","in_kev":false,"epss_prob":0.00016,"epss_percentile":0.0397,"threat_tier":"theoretical"},{"vuln_id":"CVE-2020-12469","severity":"medium","summary":"Subrion CMS PHP Object Injection","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2022-05-24T17:16:53Z","in_kev":false,"epss_prob":0.00225,"epss_percentile":0.4516,"threat_tier":"theoretical"},{"vuln_id":"CVE-2021-43464","severity":"high","summary":"Remote code execution in Subrion","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2022-04-05T00:00:23Z","in_kev":false,"epss_prob":0.00782,"epss_percentile":0.73801,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-56556","severity":"medium","summary":"Subrion CMS: Authenticated administrators are able to gain escalated access through Run SQL Query tool","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2025-09-11T21:31:54Z","in_kev":false,"epss_prob":0.00051,"epss_percentile":0.15627,"threat_tier":"theoretical"},{"vuln_id":"CVE-2020-22392","severity":"medium","summary":"Cross Site Scripting in Subrion CMS","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2021-09-01T18:31:45Z","in_kev":false,"epss_prob":0.00185,"epss_percentile":0.40052,"threat_tier":"theoretical"},{"vuln_id":"CVE-2020-22330","severity":"medium","summary":"Subrion Cross-Site Scripting (XSS) vulnerability","affected_versions":">=4.2.1,<4.2.2|=4.2.1|=v4.2.1","fixed_version":"4.2.2","source":"osv","published_at":"2022-05-24T19:10:19Z","in_kev":false,"epss_prob":0.00201,"epss_percentile":0.41995,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-43121","severity":"medium","summary":"Subrion CMS is vulnerable to Cross-Site Scripting (XSS)","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2022-11-09T19:02:23Z","in_kev":false,"epss_prob":0.00638,"epss_percentile":0.70594,"threat_tier":"theoretical"},{"vuln_id":"CVE-2021-41948","severity":"medium","summary":"Subrion CMS Cross-site Scripting (XSS) vulnerability in the `contact us` plugin","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2022-04-30T00:00:36Z","in_kev":false,"epss_prob":0.00191,"epss_percentile":0.40796,"threat_tier":"theoretical"},{"vuln_id":"CVE-2021-41502","severity":"medium","summary":"Cross site scripting in intelliants/subrion","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2022-06-12T00:00:44Z","in_kev":false,"epss_prob":0.00206,"epss_percentile":0.42651,"threat_tier":"theoretical"},{"vuln_id":"CVE-2020-18325","severity":"medium","summary":"Cross-site Scripting in intelliants/subrion","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2022-03-05T00:00:45Z","in_kev":false,"epss_prob":0.01709,"epss_percentile":0.82411,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-25399","severity":"medium","summary":"Subrion CMS vulnerable to Cross Site Scripting ","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2024-02-27T18:31:01Z","in_kev":false,"epss_prob":0.00245,"epss_percentile":0.47713,"threat_tier":"theoretical"},{"vuln_id":"CVE-2023-43830","severity":"medium","summary":"Subrion CMS XSS in /panel/configuration/financial/","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2023-09-27T15:30:38Z","in_kev":false,"epss_prob":0.0027,"epss_percentile":0.50427,"threat_tier":"theoretical"},{"vuln_id":"CVE-2020-12467","severity":"medium","summary":"Session Fixation in Subrion CMS","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2021-06-22T15:23:04Z","in_kev":false,"epss_prob":0.00285,"epss_percentile":0.51912,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-37059","severity":"medium","summary":"Subrion CMS 4.2.1 vulnerable to cross-site scripting in admin panel","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2022-08-29T20:06:52Z","in_kev":false,"epss_prob":0.00257,"epss_percentile":0.48985,"threat_tier":"theoretical"},{"vuln_id":"CVE-2018-14840","severity":"medium","summary":"Subrion CMS Cross-site Scripting","affected_versions":"<4.2.2|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":"4.2.2","source":"osv","published_at":"2022-05-14T02:00:54Z","in_kev":false,"epss_prob":0.03066,"epss_percentile":0.86788,"threat_tier":"theoretical"},{"vuln_id":"CVE-2020-23761","severity":"medium","summary":"subrion CMS Cross Site Scripting (XSS) vulnerability","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2022-05-24T17:46:56Z","in_kev":false,"epss_prob":0.00402,"epss_percentile":0.60821,"threat_tier":"theoretical"},{"vuln_id":"CVE-2020-18324","severity":"medium","summary":"Cross-site Scripting in Subrion CMS","affected_versions":"<=4.2.1|=v4.0.0|=v4.0.1|=v4.0.2|=v4.0.3|=v4.0.4|=v4.0.5|=v4.1.0|=v4.1.1|=v4.1.2|=v4.1.3|=v4.1.4|=v4.1.5|=v4.2.0|=v4.2.1","fixed_version":null,"source":"osv","published_at":"2022-03-05T00:00:45Z","in_kev":false,"epss_prob":0.06672,"epss_percentile":0.91263,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":1},"versions":{"latest":"v4.2.1","total_count":14,"recent":["v4.2.1","v4.2.0","v4.1.5","v4.1.4","v4.1.3","v4.1.2","v4.1.1","v4.1.0","v4.0.5","v4.0.4","v4.0.3","v4.0.2","v4.0.1","v4.0.0"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":2,"first_published":null,"last_published":"2018-06-14T12:04:55+00:00","dependencies_count":2,"dependencies":["php","composer/installers"]},"github_stats":{"stars":286,"forks":117,"open_issues":180,"is_archived":false,"pushed_at":"2023-08-24T14:49:52Z","subscribers_count":44},"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"do_not_use","issues":["Moderate health score (15/100) — verify manually","5 high severity vulnerabilities","1 critical vulnerabilities"],"use_version":"v4.2.1","version_hint":"Update to >= 4.2.2 to fix known vulnerabilities","summary":"intelliants/subrion has critical vulnerabilities — do not use"},"version_scoped":null,"_meta":{"endpoint":"check","tier":"full","philosophy":"DepScope is free. Use the cheapest endpoint that answers your real question.","cheaper_alternatives":[{"endpoint":"/api/exists/composer/intelliants%2Fsubrion","tokens_estimated":12,"use_when":"you only need to know if the package exists (hallucination guard)"},{"endpoint":"/api/health/composer/intelliants%2Fsubrion","tokens_estimated":80,"use_when":"you only need a 0-100 score for go/no-go (>=70 = safe)"},{"endpoint":"/api/prompt/composer/intelliants%2Fsubrion","tokens_estimated":280,"use_when":"you want a plain-text LLM-friendly brief instead of JSON"},{"endpoint":"POST /api/check_bulk","tokens_estimated":60,"use_when":"you have 5+ packages to check; sends one round-trip instead of N"}],"docs":"https://depscope.dev/integrate","hint_bulk":"You've called /api/check 30 times in 60s. Save bandwidth + tokens with POST /api/check_bulk (1 round-trip for N pkgs)."},"requested_version":null,"_cache":"miss","_response_ms":1833,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":14,"first_release_age_days":null,"last_release_days_ago":2880,"avg_days_between_releases":null,"release_velocity":"stale"}}