GHSA-7PR4-WX9W-MQWR Craft CMS Vulnerable to Stored XSS in Entry Types Name
Summary: Stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. --- Proof of Concept. Required Permissions (Attacker): Admin access (only admins have access to the settings page); allowAdminChanges is enabled in production, which is against our security...
cms-security-poc
CVE-2026-31266 - Craft CMS Missing Authorization CVE Infor...
CVE-2023-40035
Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the vulnerability is exploitable...
GHSA-742X-X762-7383 Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment...
Arbitrary Code Injection
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Arbitrary Code Injection via the checkArrowFunction function in src/web/twig/Extension.php. An attacker can execute arbitrary code by injecting malicious payloads into templates. Note: This i...
Craft CMS Potential Remote Code Execution via Twig SSTI
Note that users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment. https://craftcms.com/knowledge-base/securing-craftset-allowAdminChanges-to-false-in-productio...
CVE-2025-46731 Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI
Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contain a potential remote code execution vulnerability via Twig SSTI. One must have administrator access, and allowAdminChanges must be enabled, for this to work...
PT-2024-35159 · Craft · Craft
Name of the Vulnerable Software and Affected Versions: Craft versions prior to 4.12.2 and 5.4.3. Description: The issue is related to a missing normalizePath call in the FileHelper::absolutePath function, which could lead to Remote Code Execution on the server via Twig Server Side Template Injection...
PT-2023-27228 · Craft · Craft
Name of the Vulnerable Software and Affected Versions: Craft versions prior to 3.8.15; Craft versions prior to 4.4.15. Description: The issue is related to bypassing the validatePath function, which can lead to potential remote code execution. This can result in malicious control of vulnerable...