Lucene search
K

7 matches found

CVE
CVE
added 2026/07/01 10:20 p.m.11 views

CVE-2026-50283

Craft CMS versions 5.0.0-RC1–5.9.20 and 4.0.0-RC1–4.17.13 contain an authorization issue in AssetsController::actionReplaceFile that can delete a source asset without source delete permission when both assetId and sourceAssetId are supplied. The runtime loads assetId ($assetToReplace) and sourceA...

5.3CVSS5.8AI score0.00265EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:36 p.m.13 views

CVE-2026-41129

Craft CMS is a content management system CMS. Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume" and "Create...

7CVSS5.4AI score0.00275EPSS
Exploits0References1
OSV
OSV
added 2026/05/06 5:54 p.m.6 views

GHSA-33M5-HQP9-97PW Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure

Summary AssetsController::actionShowInFolder fetches an asset by ID and returns its filename and complete folder hierarchy including volume handle, volume UID, folder names, folder UIDs, and folder URI paths without checking whether the requesting user has viewAssets or viewPeerAssets permission ...

7.1CVSS6AI score0.00324EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/06 12:0 a.m.15 views

PT-2026-38287

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.0.0-RC1 through 5.9.17 Description The actionShowInFolder function within the AssetsController fetches an asset by ID and returns its filename and complete folder hierarchy, including volume handle, volume UID, folder name...

7.1CVSS6AI score0.00324EPSS
Exploits0References5
NVD
NVD
added 2026/04/22 12:16 a.m.9 views

CVE-2026-41129

Craft CMS is a content management system CMS. Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume" and "Create...

7CVSS0.00275EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/21 11:34 p.m.14 views

CVE-2026-41129

Craft CMS is a content management system CMS. Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume" and "Create...

7CVSS5.7AI score0.00275EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/02/11 9:16 p.m.12 views

CVE-2026-25633

Statamic is a, Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take...

4.3CVSS0.00285EPSS
Exploits0References4
Rows per page
Query Builder