Subrion CMS before 4.1.4 has XSS.

Subrion CMS 4.2.1 allows _core/en/contacts/ XSS via the name, email, or phone parameter.

Subrion CMS 4.1.5 has CSRF in blog/delete/.

Subrion CMS v4.2.1 allows XSS via the panel/configuration/general/ SITE TITLE parameter.

panel/uploads/#elf_l1_XA in Subrion CMS v4.2.1 allows XSS via an SVG file with JavaScript in a SCRIPT element.

/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.

_core/admin/pages/add/ in Subrion CMS 4.2.1 has XSS via the titles[en] parameter.

There is Stored XSS in Subrion 4.2.1 via the admin panel URL configuration.

uploads/.htaccess in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for example, .htm file uploads).

There are CSRF vulnerabilities in Subrion CMS 4.1.x through 4.1.5, and before 4.2.0, because of a logic error. Although there is functionality to detect CSRF, it is called too late in the ia.core.php code, allowing (for example) an attack against the query parameter to panel/database.