Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

43581 matches found

NVD
NVDadded 2026/04/22 12:16 a.m.1 views

CVE-2026-41128

Craft CMS is a content management system CMS. In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...

5.3CVSS0.00248EPSS
Exploits0References2
CNNVD
CNNVDadded 2026/04/22 12:0 a.m.8 views

Craft CMS 安全漏洞

Craft CMS is an open-source content management system developed by Craft CMS. Versions 5.6.0 to 5.9.14 of Craft CMS have security vulnerabilities. These vulnerabilities stem from the actionSavePermissions endpoint, which allows users with only the “viewUsers” permission to remove any user from al...

5.3CVSS5.8AI score0.00248EPSS
Exploits0References1
CNNVD
CNNVDadded 2026/04/22 12:0 a.m.7 views

Craft CMS 代码问题漏洞

Craft CMS is an open-source content management system developed by Craft CMS. There are code vulnerabilities in Craft CMS. These vulnerabilities stem from the resource-js endpoint, which allows unauthenticated requests to proxy remote JavaScript resources. When trustedHosts is not explicitly...

7CVSS5.9AI score0.0026EPSS
Exploits0References1
GithubExploit
GithubExploitadded 2026/04/21 11:50 p.m.121 views

Exploit for Injection in Ghost

This is a rework of the Repo by rootxran for this same CVE - htt...

9.8CVSS5.8AI score0.00372EPSS
Exploits3
ATTACKERKB
ATTACKERKBadded 2026/04/21 11:36 p.m.2 views

CVE-2026-41130

Craft CMS is a content management system CMS. In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the resource-js endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When trustedHosts is not explicitly restricted default...

7CVSS5.9AI score0.0026EPSS
Exploits0References3Affected Software1
EUVD
EUVDadded 2026/04/21 11:36 p.m.2 views

EUVD-2026-24571

Craft CMS is a content management system CMS. In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the resource-js endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When trustedHosts is not explicitly restricted default...

7CVSS5.9AI score0.0026EPSS
Exploits0References2
Vulnrichment
Vulnrichmentadded 2026/04/21 11:36 p.m.0 views

CVE-2026-41130 Craft CMS has a host header injection leading to SSRF via resource-js endpoint

Craft CMS is a content management system CMS. In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the resource-js endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When trustedHosts is not explicitly restricted default...

7CVSS5.9AI score0.0026EPSS
Exploits0References2
Cvelist
Cvelistadded 2026/04/21 11:36 p.m.31 views

CVE-2026-41130 Craft CMS has a host header injection leading to SSRF via resource-js endpoint

Craft CMS is a content management system CMS. In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the resource-js endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When trustedHosts is not explicitly restricted default...

7CVSS0.0026EPSS
Exploits0References2
CVE
CVEadded 2026/04/21 11:34 p.m.11 views

CVE-2026-41129

Craft CMS versions in the 4.x line up to 4.17.8 and the 5.x line up to 5.9.14 are vulnerable to a Server-Side Request Forgery when specific GraphQL permissions are enabled: “Edit assets in the volume” and “Create assets in the volume.” The issue is fixed in 4.17.9 and 5.9.15. Affected users sho...

7CVSS5.7AI score0.00275EPSS
Exploits0References2
ATTACKERKB
ATTACKERKBadded 2026/04/21 11:34 p.m.10 views

CVE-2026-41129

Craft CMS is a content management system CMS. Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume" and "Create...

7CVSS5.7AI score0.00275EPSS
Exploits0References3Affected Software1
Cvelist
Cvelistadded 2026/04/21 11:34 p.m.33 views

CVE-2026-41129 Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations

Craft CMS is a content management system CMS. Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume" and "Create...

7CVSS0.00275EPSS
Exploits0References2
Vulnrichment
Vulnrichmentadded 2026/04/21 11:34 p.m.4 views

CVE-2026-41129 Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations

Craft CMS is a content management system CMS. Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume" and "Create...

7CVSS5.7AI score0.00275EPSS
Exploits0References2
ATTACKERKB
ATTACKERKBadded 2026/04/21 11:32 p.m.0 views

CVE-2026-41128

Craft CMS is a content management system CMS. In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...

5.3CVSS5.9AI score0.00248EPSS
Exploits0References3Affected Software1
Cvelist
Cvelistadded 2026/04/21 11:32 p.m.26 views

CVE-2026-41128 Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action

Craft CMS is a content management system CMS. In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...

5.3CVSS0.00248EPSS
Exploits0References2
CVE
CVEadded 2026/04/21 11:32 p.m.11 views

CVE-2026-41128

Craft CMS (versions 5.6.0–5.9.14) contains an authorization flaw in the actionSavePermissions() endpoint. A user with only viewUsers permission can remove arbitrary users from all groups because _saveUserGroups() lacks a corresponding removal authorization check for an empty groups payload. This ...

5.3CVSS5.9AI score0.00248EPSS
Exploits0References2
Vulnrichment
Vulnrichmentadded 2026/04/21 11:32 p.m.4 views

CVE-2026-41128 Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action

Craft CMS is a content management system CMS. In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...

5.3CVSS5.9AI score0.00248EPSS
Exploits0References2
NVD
NVDadded 2026/04/21 7:16 p.m.5 views

CVE-2026-41456

Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit...

5.1CVSS0.00379EPSS
Exploits0References4
Cvelist
Cvelistadded 2026/04/21 6:3 p.m.27 views

CVE-2026-41456 Bludit CMS Reflected XSS via Search Plugin

Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit...

5.1CVSS0.00379EPSS
Exploits0References4
ATTACKERKB
ATTACKERKBadded 2026/04/21 6:3 p.m.3 views

CVE-2026-41456

Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit...

5.1CVSS5.8AI score0.00379EPSS
Exploits0References5
Vulnrichment
Vulnrichmentadded 2026/04/21 6:3 p.m.1 views

CVE-2026-41456 Bludit CMS Reflected XSS via Search Plugin

Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit...

5.1CVSS5.8AI score0.00379EPSS
Exploits0References4
Rows per page
Query Builder