2166 matches found
Missing Authorization
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization via the migrate endpoint /actions/app/migrate. An attacker can perform unauthorized migration operations by sending crafted requests to this endpoint. Remediation There ...
CVE-2026-31266
Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint /actions/app/migrate...
CVE-2026-31266
Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint /actions/app/migrate...
CVE-2026-31266
Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint /actions/app/migrate...
CVE-2026-31266
Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint /actions/app/migrate...
PT-2026-43997
Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint /actions/app/migrate...
Craft CMS 安全漏洞
Craft CMS is an open-source content management system CMS developed by Craft CMS. Versions of Craft CMS 5.9.5 and earlier contained security vulnerabilities, which were caused by a lack of authorization verification at the migrate endpoint...
CVE-2026-31266
CVE-2026-31266 affects Craft CMS 5.9.5 and earlier. Affected component: migrate endpoint at /actions/app/migrate. Root cause: missing authorization check in migrate action leading to Missing Authorization vulnerability. Impact (per sources): unauthorized actions on migrate could lead to changes w...
K000161415: Craft CMS vulnerability CVE-2025-32432
Security Advisory Description Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is ...
Exploit for Code Injection in Craftcms Craft_Cms
CVE-2025-32432 - Craft CMS Unauthenticated RCE PoC Working...
CVE-2025-69443
Remote Code Execution in coleam00 Archon 0.1.0. A crafted HTML page, when accessed by a victim, can execute commands, run prompts on behalf of the user, control the Archon UI features, and steal all Archon information available on the UI including API keys...
CVE-2026-44012
Craft CMS is a content management system CMS. From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder fetches an asset by ID and returns its filename and complete folder hierarchy including volume handle, volume UID, folder names, folder UIDs, and folder URI paths without checking...
CVE-2026-44010
Craft CMS is a content management system CMS. From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver src/gql/resolvers/elements/Address.php performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read ever...
CVE-2026-44290 protobufjs: Process-wide denial of service through unsafe option paths
protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write...
CVE-2026-44012
Craft CMS is a content management system CMS. From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder fetches an asset by ID and returns its filename and complete folder hierarchy including volume handle, volume UID, folder names, folder UIDs, and folder URI paths without checking...
CVE-2026-44011
Craft CMS is a content management system CMS. From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled...
CVE-2026-44010
Craft CMS is a content management system CMS. From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver src/gql/resolvers/elements/Address.php performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read ever...
CVE-2026-44011 Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior
Craft CMS is a content management system CMS. From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled...
CVE-2026-44011
Craft CMS is a content management system CMS. From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled...
CVE-2026-44011 Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior
Craft CMS is a content management system CMS. From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled...