Lucene search
K

135 matches found

EUVD
EUVD
added 2026/07/06 9:29 p.m.8 views

EUVD-2026-41212

Craft CMS: Sensitive File Disclosure / Server-Side File Read...

6CVSS5.9AI score0.00268EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/01 11:20 p.m.34 views

CVE-2026-55792 Craft CMS: Sensitive File Disclosure / Server-Side File Read

Craft CMS is a content management system CMS. In versions starting from 4.0.0-RC1 and prior to 4.18.0, and 5.0.0-RC1 and above, prior to 5.10.0, the dataUrl Twig function is included in Craft’s Twig sandbox allowlist, allowing any control panel user granted the utility:system-messages permission ...

6CVSS0.00268EPSS
Exploits0References2
CVE
CVE
added 2026/07/01 11:20 p.m.22 views

CVE-2026-55792

Craft CMS is vulnerable in versions 4.0.0-RC1 through 4.17.x and 5.0.0-RC1 through 5.9.x due to dataUrl() being in the Twig sandbox allowlist. A control panel user with the utility:system-messages permission can embed a file-reading payload in system emails, causing the server to read targeted fi...

6CVSS5.8AI score0.00268EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.7 views

PT-2026-54860

Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 through 4.17.9 Craft CMS versions 5.0.0-RC1 through 5.9.9 Description Control panel users with the utility:system-messages permission can embed a file-reading payload into system email templates because the dataUrl...

6CVSS5.8AI score0.00268EPSS
Exploits0References10
Tenable Nessus
Tenable Nessus
added 2026/06/05 12:0 a.m.10 views

AlmaLinux 8 : bind9.16 (ALSA-2026:23360)

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:23360 advisory. bind: BIND 9 server memory exhaustion during GSS-API TKEY negotiation CVE-2026-3039 bind: BIND: Denial of Service via specially crafted DNS messages...

7.5CVSS5.6AI score0.0181EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2026/05/29 1:23 a.m.22 views

SUSE CVE-2026-5946

Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Internet IN - for example, CHAOS or HESIOD, or DNS messages that specify meta-classes ANY or NONE in the question section. Specially crafted requests reaching the affected code paths - recursio...

7.5CVSS5.9AI score0.0181EPSS
Exploits0References14
CNNVD
CNNVD
added 2026/05/15 12:0 a.m.12 views

Open WebUI 信息泄露漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.9.5 had a vulnerability related to information leakage. This vulnerability occurred when group members were granted read access to model settings, allowing them to...

4.3CVSS5.8AI score0.0022EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/07 6:39 p.m.23 views

CVE-2026-22711 Stored XSS through system messages in WikiLove

Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting XSS.The issue has been remediated on the master branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45...

6.9CVSS0.00293EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/05 7:30 p.m.8 views

CVE-2026-28784

Craft is a content management system CMS. Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to...

8.6CVSS6AI score0.00514EPSS
Exploits0References1
NVD
NVD
added 2026/03/04 5:16 p.m.8 views

CVE-2026-28784

Craft is a content management system CMS. Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to...

8.6CVSS0.00514EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/04 4:53 p.m.6 views

CVE-2026-28784

Craft is a content management system CMS. Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to...

8.6CVSS6AI score0.00514EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/03/04 4:53 p.m.30 views

CVE-2026-28784 Craft is affected by potential authenticated Remote Code Execution via Twig SSTI

Craft is a content management system CMS. Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to...

8.6CVSS0.00514EPSS
Exploits0References3
OSV
OSV
added 2026/03/04 4:53 p.m.6 views

CVE-2026-28784 Craft is affected by potential authenticated Remote Code Execution via Twig SSTI

Craft is a content management system CMS. Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to...

8.6CVSS5.9AI score0.00514EPSS
Exploits0References5
CVE
CVE
added 2026/03/04 4:53 p.m.15 views

CVE-2026-28784

Craft CMS is affected by a Server-Side Template Injection (Twig map filter) vulnerability prior to versions 5.8.22 and 4.16.18. The issue arises in text fields that accept Twig input (Settings in the Craft Control Panel or via the System Messages utility), allowing an attacker with administrator ...

8.6CVSS6AI score0.00514EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/04 4:50 p.m.6 views

CVE-2026-28783 Craft has a Twig Function Blocklist Bypass

Craft is a content management system CMS. Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either ha...

9.4CVSS6.1AI score0.00464EPSS
Exploits0References2
CVE
CVE
added 2026/03/04 4:50 p.m.25 views

CVE-2026-28783

CVE-2026-28783 affects Craft CMS (Craft CMS core) where a blocklist of potentially dangerous PHP functions is bypassable via Twig non-Closure arrow functions. Affected versions are prior to 5.9.0-beta.1 and 4.17.0-beta.1. Successful exploitation requires attacker permissions (production allowAdmi...

9.4CVSS6.1AI score0.00464EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/03/03 9:6 p.m.10 views

Template Injection

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Template Injection via the map filter in Twig templates when processing text fields that accept Twig input in the control panel settings or through the System Messages utility. An attacker ca...

8.6CVSS6.1AI score0.00514EPSS
Exploits0References2
OSV
OSV
added 2026/03/03 9:6 p.m.7 views

GHSA-QC86-Q28F-GGWW Craft CMS has potential authenticated Remote Code Execution via Twig SSTI

For this to work, the attacker must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. https://craftcms.com/knowledge-base/securing-craftset-allowAdminChanges-to-false-in-production...

8.6CVSS6AI score0.00514EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/03 9:6 p.m.10 views

Craft CMS has potential authenticated Remote Code Execution via Twig SSTI

For this to work, the attacker must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. https://craftcms.com/knowledge-base/securing-craftset-allowAdminChanges-to-false-in-production...

8.6CVSS6AI score0.00514EPSS
Exploits0References5Affected Software1
Snyk
Snyk
added 2026/03/03 9:0 p.m.9 views

Template Injection

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Template Injection via the craft.app.fs.write function in Twig templates. An attacker can execute arbitrary system commands and disclose sensitive information by injecting malicious payloads...

9.4CVSS5.9AI score0.01067EPSS
Exploits1References2
Rows per page
Query Builder