Lucene search
K

54 matches found

Vulnrichment
Vulnrichment
added 2026/02/09 7:25 p.m.1 views

CVE-2026-25491 Craft has a Stored XSS in Entry Types Name

Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22...

4.8CVSS5.4AI score0.0031EPSS
Exploits1References3
OSV
OSV
added 2026/02/09 7:25 p.m.4 views

CVE-2026-25491 Craft has a Stored XSS in Entry Types Name

Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22...

4.8CVSS5.5AI score0.0031EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/02/09 7:25 p.m.23 views

CVE-2026-25491 Craft has a Stored XSS in Entry Types Name

Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22...

4.8CVSS0.0031EPSS
Exploits1References3
CVE
CVE
added 2026/02/09 7:25 p.m.20 views

CVE-2026-25491

Craft CMS has a stored XSS in Entry Type names for versions 5.0.0-RC1 to 5.8.21, caused by names not being sanitized when displayed in the Entry Types list. The issue is fixed in version 5.8.22. Exploitation details are not provided in the available documents.

4.8CVSS5.4AI score0.0031EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/09 12:0 a.m.12 views

PT-2026-7143

Name of the Vulnerable Software and Affected Versions Craft versions 4.0.0-RC1 through 4.16.17 Craft versions 5.0.0-RC1 through 5.8.21 Description The saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default...

6.9CVSS5.4AI score0.00359EPSS
Exploits1References13
Positive Technologies
Positive Technologies
added 2026/02/09 12:0 a.m.9 views

PT-2026-7146

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping,...

4.8CVSS5.7AI score0.0036EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/02/09 12:0 a.m.23 views

PT-2026-7138

Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22...

4.8CVSS5.4AI score0.0031EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/01/07 9:11 a.m.3 views

CVE-2025-68455

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for...

8.6CVSS8AI score0.00812EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/01/07 9:11 a.m.4 views

CVE-2025-68456

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update ...

8.3CVSS6.6AI score0.00471EPSS
Exploits1References1
NVD
NVD
added 2026/01/05 10:15 p.m.10 views

CVE-2025-68437

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL saveAsset mutation is vulnerable to Server-Side Request Forgery SSRF. This vulnerability arises because the file input, specifically its url parameter,...

6.8CVSS0.00427EPSS
Exploits1References3
NVD
NVD
added 2026/01/05 10:15 p.m.21 views

CVE-2025-68454

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and...

8.8CVSS0.00787EPSS
Exploits1References3
NVD
NVD
added 2026/01/05 10:15 p.m.6 views

CVE-2025-68456

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update ...

9.1CVSS0.00471EPSS
Exploits1References3
NVD
NVD
added 2026/01/05 10:15 p.m.20 views

CVE-2025-68436

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the...

7.1CVSS0.00232EPSS
Exploits0References2
NVD
NVD
added 2026/01/05 10:15 p.m.6 views

CVE-2025-68455

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for...

8.6CVSS0.00812EPSS
Exploits1References5
EUVD
EUVD
added 2026/01/05 9:59 p.m.6 views

EUVD-2026-0824

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for...

8.6CVSS8.1AI score0.00812EPSS
Exploits1References6
EUVD
EUVD
added 2026/01/05 9:56 p.m.6 views

EUVD-2026-0844

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and...

7.7CVSS6.7AI score0.00787EPSS
Exploits1References4
EUVD
EUVD
added 2026/01/05 9:52 p.m.8 views

EUVD-2026-0845

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL saveAsset mutation is vulnerable to Server-Side Request Forgery SSRF. This vulnerability arises because the file input, specifically its url parameter,...

5.9CVSS6.7AI score0.00427EPSS
Exploits1References4
EUVD
EUVD
added 2026/01/05 9:46 p.m.6 views

EUVD-2026-0846

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the...

7.1CVSS6.1AI score0.00232EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/01/05 12:0 a.m.5 views

PT-2026-1346

Name of the Vulnerable Software and Affected Versions Craft versions 5.0.0-RC1 through 5.8.20 Craft versions 4.0.0-RC1 through 4.16.16 Description Craft is a platform for creating digital experiences. The software is susceptible to potential authenticated Remote Code Execution through malicious...

8.6CVSS7AI score0.00812EPSS
Exploits1References9
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2025-24040

Malicious code in bioql PyPI...

8.8CVSS8.7AI score0.04714EPSS
Exploits1References4
Rows per page
Query Builder