CraftCMS generate-transform command injection
Added: 03/25/2026 Background CraftCMS is a content management system written in PHP. Problem A vulnerability in CraftCMS allows remote attackers to inject arbitrary PHP code into the session file and then execute it using a specially crafted request to generate-transform. Resolution Upgrade to...
CVE-2026-33160
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. T...
Craft CMS Security Vulnerability
Craft CMS is an open-source content management system developed by Craft CMS. Versions prior to 4.17.8 and 5.9.14 of Craft CMS had security vulnerabilities. These vulnerabilities stemmed from the lack of enforceable resource authorization checks, which could allow unauthorized access to transform...
Craft CMS Security Vulnerability
Craft CMS is an open-source content management system developed by Craft CMS. Versions prior to Craft CMS 4.17.0-beta.1 and 5.9.0-beta.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of validation during the creation of entries, allowing large amounts of values t...
Craft CMS Cross-Site Scripting Vulnerability
Craft CMS is an open-source content management system developed by Craft. Versions of Craft CMS from 4.0.0-RC1 to 4.16.17, as well as from 5.0.0-RC1 to 5.8.21, have a cross-site scripting vulnerability. This vulnerability stems from improper escaping of prefix and suffix fields during rendering,...
CVE-2021-27903
An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes if an attacker were somehow able to hijack an administrator's session...
EUVD-2021-1499
Malware in sbrugna...
EUVD-2021-2209
Malware in sbrugna...
EUVD-2022-3413
Malicious code in bioql PyPI...
EUVD-2025-0208
Malicious code in bioql PyPI...
A vulnerability in the Response Header Handler component of Craft CMS allows an attacker to execute arbitrary code.
The vulnerability in the Response Header Handler component of the Craft CMS content management system stems from errors in HTTP request processing. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability
Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 ...
Arbitrary Command Injection
Craft CMS is vulnerable to Arbitrary Command Injection. The vulnerability is due to unauthenticated user-supplied data being stored in session files without validation, potentially allowing PHP code injection into a predictable server file path...
CVE-2025-35939
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at...
Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI
Craft CMS contains a potential remote code execution vulnerability via Twig SSTI. You must have administrator access and `allowAdminChanges` must be enabled for this to work. https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production Note: This is a follow-up to...
CVE-2025-32432
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity...
CVE-2025-32432 Craft CMS Allows Remote Code Execution
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity...
Ethercreative Logs 3.0.3 - Path Traversal
Exploit Title: Ethercreative Logs 3.0.3 - Path Traversal Date: 2022.01.26 Exploit Author: Steffen Rogge, SC Vendor Homepage: https://github.com/ethercreative/logs Software Link: https://plugins.craftcms.com/logs Version: =3.0.4 impact: Medium found: 2021-07-06 SEC Consult Vulnerability Lab An...
Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled
Impact: You are affected if your php.ini configuration has `register_argc_argv` enabled. Patches: Update to 3.9.14, 4.13.2, or 5.5.2. Workarounds: If you can't upgrade yet, and `register_argc_argv` is enabled, you can disable it to mitigate the issue...
Craft CMS Access Control Error Vulnerability
Craft CMS is an open-source content management system (CMS) developed by Craft CMS. An access control error vulnerability exists in Craft CMS versions 5.0.0-beta.1 through 5.2.2, which stems from allowing multiple reuses of a TOTP token during its validity period. An attacker can exploit the vulnerability by...