CVE-2026-29069 Craft has an unauthenticated activation email trigger with potential user enumeration
Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pendin...
CVE-2026-25497
CVE-2026-25497: Privilege escalation in the Craft CMS GraphQL API, affecting versions from 4.0.0-RC1 up to (but not including) 4.17.0-beta.1 and 5.9.0-beta.1. An authenticated user with write access to one asset volume can escalate privileges and modify/transfer assets across volumes, including private or restricted...
CVE-2025-68436
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets through their user profile photo using maliciously crafted requests. Users should update to the...
CVE-2025-68456
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update ...
CVE-2025-68456 Unauthenticated Craft CMS users can trigger a database backup
CVE-2025-68456
CVE-2025-68456 affects Craft CMS versions 5.0.0-RC1–5.8.20 and 3.0.0–4.16.16, where unauthenticated users can trigger database backup operations via the admin action path updater/backup. The underlying issue is exposed across all updater actions configured for anonymous access, enabling a backup ...
EUVD-2025-24040
Malicious code in bioql PyPI...
PT-2025-32419 · Craft · Craft
Name of the Vulnerable Software and Affected Versions: Craft versions 4.13.8 through 4.16.2; Craft versions 5.5.8 through 5.8.3. Description: Craft is a platform for creating digital experiences. A vulnerability exists that allows bypassing security measures, potentially leading to remote code...