{"package":"modx/revolution","ecosystem":"composer","latest_version":"v3.2.0-pl","description":"MODX Revolution is a Content Management System","license":"GPL-2.0+","license_risk":"unknown","commercial_use_notes":"verify manually — license not parseable / not declared.","homepage":"https://modx.com/","repository":"https://github.com/modxcms/revolution","downloads_weekly":0,"health":{"score":36,"risk":"critical","breakdown":{"maintenance":20,"popularity":0,"security":0,"maturity":12,"community":4},"deprecated":false,"max_score":100},"vulnerabilities":{"count":14,"critical":1,"high":5,"medium":7,"low":1,"details":[{"vuln_id":"CVE-2017-9069","severity":"high","summary":"MODX Revolution allows overwriting .htaccess","affected_versions":"<2.5.7","fixed_version":"2.5.7","source":"osv","published_at":"2022-05-17T02:43:14Z","in_kev":false,"epss_prob":0.0096,"epss_percentile":0.7656,"threat_tier":"theoretical"},{"vuln_id":"CVE-2017-9070","severity":"medium","summary":"MODX Revolution cross-site scripting vulnerability","affected_versions":"<2.5.7","fixed_version":"2.5.7","source":"osv","published_at":"2022-05-17T02:43:14Z","in_kev":false,"epss_prob":0.00217,"epss_percentile":0.44124,"threat_tier":"theoretical"},{"vuln_id":"CVE-2017-9067","severity":"high","summary":"MODX Revolution Directory Traversal Vulnerability","affected_versions":"<2.5.7","fixed_version":"2.5.7","source":"osv","published_at":"2022-05-17T02:43:12Z","in_kev":false,"epss_prob":0.00238,"epss_percentile":0.46797,"threat_tier":"theoretical"},{"vuln_id":"CVE-2018-20756","severity":"medium","summary":"MODX Revolution allows XSS via document resources","affected_versions":"<2.7.1-pl|=v2.7.0-pl","fixed_version":"2.7.1-pl","source":"osv","published_at":"2022-05-14T01:36:14Z","in_kev":false,"epss_prob":0.0024,"epss_percentile":0.47225,"threat_tier":"theoretical"},{"vuln_id":"CVE-2018-20757","severity":"medium","summary":"MODX Revolution allows XSS through extended user 
fields","affected_versions":"<2.7.1-pl|=v2.7.0-pl","fixed_version":"2.7.1-pl","source":"osv","published_at":"2022-05-14T01:36:14Z","in_kev":false,"epss_prob":0.0024,"epss_percentile":0.47225,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-28010","severity":"low","summary":"MODX allows cross-site scripting (XSS) via an SVG file","affected_versions":"<=3.1.0|=v2.7.0-pl|=v2.7.1-pl|=v2.7.2-pl|=v2.7.3-pl|=v2.8.0-pl|=v2.8.1-pl|=v2.8.2-pl|=v2.8.3-pl|=v2.8.4-pl|=v2.8.5-pl|=v2.8.6-pl|=v2.8.7-pl|=v2.8.8-pl|=v3.0.0-alpha1|=v3.0.0-alpha2|=v3.0.0-alpha3|=v3.0.0-beta1|=v3.0.0-beta2|=v3.0.0-pl|=v3.0.0-rc1|=v3.0.0-rc2|=v3.0.1-pl|=v3.0.2-pl|=v3.0.3-pl|=v3.0.4-pl|=v3.0.5-pl|=v3.0.6-pl","fixed_version":null,"source":"osv","published_at":"2025-03-13T18:32:21Z","in_kev":false,"epss_prob":0.00189,"epss_percentile":0.4048,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-26149","severity":"high","summary":"Unrestricted Upload of File with Dangerous Type in MODX Revolution","affected_versions":"<=2.8.3-pl|=v2.7.0-pl|=v2.7.1-pl|=v2.7.2-pl|=v2.7.3-pl|=v2.8.0-pl|=v2.8.1-pl|=v2.8.2-pl|=v2.8.3-pl","fixed_version":null,"source":"osv","published_at":"2022-02-27T00:00:14Z","in_kev":false,"epss_prob":0.10493,"epss_percentile":0.93277,"threat_tier":"theoretical"},{"vuln_id":"CVE-2018-1000207","severity":"high","summary":"MODX Revolution Incorrect Access Control vulnerability","affected_versions":"<2.7.0","fixed_version":"2.7.0","source":"osv","published_at":"2022-05-13T01:48:35Z","in_kev":false,"epss_prob":0.03821,"epss_percentile":0.88165,"threat_tier":"theoretical"},{"vuln_id":"CVE-2017-9071","severity":"medium","summary":"MODX Revolution XSS via HTTP Host header","affected_versions":"<2.5.7","fixed_version":"2.5.7","source":"osv","published_at":"2022-05-17T02:43:14Z","in_kev":false,"epss_prob":0.00301,"epss_percentile":0.53406,"threat_tier":"theoretical"},{"vuln_id":"CVE-2017-1000067","severity":"high","summary":"MODX Revolution blind SQL 
injection","affected_versions":">=2.0.0,<2.6.0","fixed_version":"2.6.0","source":"osv","published_at":"2022-05-17T02:27:14Z","in_kev":false,"epss_prob":0.00546,"epss_percentile":0.67905,"threat_tier":"theoretical"},{"vuln_id":"CVE-2018-20755","severity":"medium","summary":"MODX Revolution vulnerable to XSS attack through its User Photo field","affected_versions":"<2.7.1-pl|=v2.7.0-pl","fixed_version":"2.7.1-pl","source":"osv","published_at":"2022-05-14T01:36:14Z","in_kev":false,"epss_prob":0.0024,"epss_percentile":0.47225,"threat_tier":"theoretical"},{"vuln_id":"BIT-modx-2020-25911","severity":"critical","summary":"XML External Entity vulnerability in MODX CMS","affected_versions":"<2.8.0|=v2.7.0-pl|=v2.7.1-pl|=v2.7.2-pl|=v2.7.3-pl","fixed_version":"2.8.0","source":"osv","published_at":"2021-11-01T19:19:43Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2017-9068","severity":"medium","summary":"MODX Revolution Reflected XSS","affected_versions":"<2.5.7","fixed_version":"2.5.7","source":"osv","published_at":"2022-05-17T02:43:14Z","in_kev":false,"epss_prob":0.0024,"epss_percentile":0.47225,"threat_tier":"theoretical"},{"vuln_id":"CVE-2018-20758","severity":"medium","summary":"MODX vulnerability allows for XSS via user settings 
parameters","affected_versions":"<2.7.1-pl|=v2.7.0-pl","fixed_version":"2.7.1-pl","source":"osv","published_at":"2022-05-13T01:31:02Z","in_kev":false,"epss_prob":0.00206,"epss_percentile":0.42669,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"v3.2.0-pl","total_count":31,"recent":["v3.2.0-pl","v3.1.2-pl","v3.1.1-pl","v3.1.0-pl","v3.0.6-pl","v3.0.5-pl","v3.0.4-pl","v3.0.3-pl","v3.0.2-pl","v3.0.1-pl","v3.0.0-pl","v3.0.0-rc2","v3.0.0-rc1","v3.0.0-beta2","v3.0.0-beta1","v3.0.0-alpha3","v3.0.0-alpha2","v3.0.0-alpha1","v2.8.8-pl","v2.8.7-pl"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":3,"first_published":null,"last_published":"2026-02-17T16:26:46+00:00","dependencies_count":29,"dependencies":["php","xpdo/xpdo","league/flysystem","league/flysystem-aws-s3-v3","league/flysystem-ftp","phpmailer/phpmailer","smarty/smarty","james-heinrich/phpthumb","erusev/parsedown","inlinestyle/inlinestyle","simplepie/simplepie","pimple/pimple","psr/http-client","psr/http-message","psr/http-factory","guzzlehttp/guzzle","guzzlehttp/psr7","ext-curl","ext-dom","ext-gd","ext-zlib","ext-json","ext-simplexml","ext-pdo","ext-xml","ext-zip","ext-xmlwriter","ext-fileinfo","symfony/polyfill-php82"]},"github_stats":null,"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"do_not_use","issues":["Low health score (36/100)","5 high severity vulnerabilities","1 critical vulnerability"],"use_version":"v3.2.0-pl","version_hint":"Update to >= 2.7.1-pl to fix known vulnerabilities; this floor does not cover BIT-modx-2020-25911 (fixed in 2.8.0), CVE-2022-26149 (affects <=2.8.3-pl, no fixed version listed) or CVE-2025-28010 (affects <=3.1.0, no fixed version listed) — prefer use_version","summary":"modx/revolution has critical vulnerabilities — do not use"},"version_scoped":null,"requested_version":null,"_cache":"miss","_response_ms":2087,"_powered_by":"depscope.dev — free package intelligence for AI 
agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":20,"first_release_age_days":null,"last_release_days_ago":71,"avg_days_between_releases":null,"release_velocity":"active"}}