15 matches found

EUVD · added 2026/06/21 1:27 p.m. · 8 views

EUVD-2026-38179

Craft CMS versions = 5.0.0-RC1, = 4.0.0-RC1, = 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an...

CVSS 5.3 · AI score 5.9 · EPSS 0.00221 · Exploits 0 · References 3
Vulnrichment · added 2026/05/12 8:19 p.m. · 8 views

CVE-2026-44012 Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure

Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder fetches an asset by ID and returns its filename and complete folder hierarchy, including volume handle, volume UID, folder names, folder UIDs, and folder URI paths, without checking...

CVSS 7.1 · AI score 6 · EPSS 0.00324 · Exploits 0 · References 2
ATTACKERKB · added 2026/03/24 5:26 p.m. · 2 views

CVE-2026-33158

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized...

CVSS 7.1 · AI score 5.8 · EPSS 0.00353 · Exploits 0 · References 5 · Affected Software 1
Snyk · added 2026/03/24 4:53 p.m. · 3 views

Authorization Bypass Through User-Controlled Key

Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the assets/edit-image endpoint when processing the assetId parameter. An attacker can access unauthorized private asset contents by supplyi...

CVSS 7.1 · AI score 5.9 · EPSS 0.00353 · Exploits 0 · References 2
NVD · added 2026/02/25 5:25 p.m. · 7 views

CVE-2026-27705

Plane is an open-source project management tool. Prior to version 1.2.2, the ProjectAssetEndpoint.patch method in apps/api/plane/app/views/asset/v2.py (lines 579–593) performs a global asset lookup using only the asset ID (pk) via FileAsset.objects.get(id=pk), without verifying that the asset belong...

CVSS 7.1 · EPSS 0.00213 · Exploits 0 · References 3
GithubExploit · added 2025/09/23 6:23 a.m. · 283 views

Exploit for Code Injection in Craftcms Craft_Cms

CraftCMS CVE-2025-32432 Vulnerability Exploitation Tool Set A...

CVSS 10 · AI score 7.7 · EPSS 0.99803 · Exploits 14
The Hacker News · added 2025/04/28 7:13 a.m. · 35 views

Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised

Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access. The attacks, first observed by Orange Cyberdefense SensePost on February 14, 2025, involve chaining the below vulnerabilities -...

CVSS 10 · AI score 9.1 · EPSS 0.99803 · Exploits 16
OSV · added 2021/06/03 10:15 p.m. · 2 views

CVE-2021-32666

wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the " character, it will cause the iO...

CVSS 6.5 · AI score 5.8 · EPSS 0.00921 · Exploits 0 · References 2
OSV · added 2017/10/11 7:29 p.m. · 2 views

CVE-2017-14370

RSA Archer GRC Platform prior to 6.2.0.5 is affected by stored cross-site scripting via the Source Asset ID field. An authenticated attacker may potentially exploit this to execute arbitrary HTML in the user's browser session in the context of the affected RSA Archer application...

CVSS 5.4 · AI score 5.9 · EPSS 0.0057 · Exploits 1 · References 2
NVD · added 2017/10/11 7:29 p.m. · 17 views

CVE-2017-14370

RSA Archer GRC Platform prior to 6.2.0.5 is affected by stored cross-site scripting via the Source Asset ID field. An authenticated attacker may potentially exploit this to execute arbitrary HTML in the user's browser session in the context of the affected RSA Archer application...

CVSS 5.4 · AI score 5.4 · EPSS 0.0057 · Exploits 1 · References 2
Prion · added 2017/10/11 7:29 p.m. · 16 views

Cross site scripting

RSA Archer GRC Platform prior to 6.2.0.5 is affected by stored cross-site scripting via the Source Asset ID field. An authenticated attacker may potentially exploit this to execute arbitrary HTML in the user's browser session in the context of the affected RSA Archer application...

CVSS 3.5 · AI score 5.4 · EPSS 0.0057 · Exploits 1 · References 2 · Affected Software 1
Cvelist · added 2017/10/11 7:00 p.m. · 24 views

CVE-2017-14370

RSA Archer GRC Platform prior to 6.2.0.5 is affected by stored cross-site scripting via the Source Asset ID field. An authenticated attacker may potentially exploit this to execute arbitrary HTML in the user's browser session in the context of the affected RSA Archer application...

AI score 6 · EPSS 0.0057 · Exploits 1 · References 2
CNVD · added 2017/10/09 12:00 a.m. · 3 views

EMC RSA Archer GRC Platform Cross-Site Scripting Vulnerability (CNVD-2017-32996)

EMC RSA Archer GRC Platform is an enterprise IT governance, risk and compliance product from EMC Corporation (USA). The product enables the development of eGRC programs for managing enterprise risk, automating business processes, and more. A cross-site scripting vulnerability exists in EMC RSA...

CVSS 5.4 · AI score 5.7 · EPSS 0.0057 · Exploits 1 · References 1
Microsoft Security Update · added 1976/01/01 12:00 a.m. · 2 views

MS:9191FEAE-C6DE-480C-8EC8-8779EE08FBC1

...

AI score 7 · Exploits 0
Microsoft Security Update · added 1976/01/01 12:00 a.m. · 3 views

MS:0A80AF25-3289-4238-B183-C42B7B865438

...

AI score 7 · Exploits 0