CVE-2021-27902

An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads...

CVE-2026-29905

Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service DoS via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize function. When the system attempts to process this file for...

Bludit 跨站脚本漏洞

Bludit is an open-source, lightweight blog content management system developed by Bludit. Versions of Bludit 3.18.2 and earlier had a cross-site scripting vulnerability. This vulnerability stemmed from a storage-based cross-site scripting flaw in the image upload function, which could allow...

CVE-2026-33686 Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil

Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In...

CVE-2026-33687

Sharp (code16/sharp) is a Laravel package where versions before 9.20.0 have an Arbitrary File Upload vulnerability in ApiFormUploadController. A client-controlled validation_rule is passed directly to Laravel’s validator, allowing an attacker to bypass all MIME type and file extension checks (e.g...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the Antlers-enabled fields. An attacker can obtain sensitive application configuration values by inserting configuration variables into content fields accessible to content editors. Remediation Upgrade...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the live preview. An attacker can gain unauthorized access to restricted content by using a valid live preview token intended for a different entry. Remediation Upgrade statamic/cms to version 5.73.16, 6.7.2 ...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the markdown preview endpoint. An attacker can access sensitive user data, including email addresses and encrypted authentication information, by manipulating the endpoint to return augmented data from...

CVE-2026-29905

Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service DoS via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize function. When the system attempts to process this file for...

Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata

Summary An authenticated low-privileged user can call assets/preview-file for an asset they are not authorized to view and still receive preview response data previewHtml for that private asset. The returned preview HTML included a private preview image route containing the target private assetId...

Missing Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization in the assets/preview-file. An attacker can access unauthorized preview metadata by sending crafted requests with a controlled assetId parameter, allowing retrieval of...

GHSA-44PX-QJJC-XRHQ Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata

Summary An authenticated low-privileged user can call assets/preview-file for an asset they are not authorized to view and still receive preview response data previewHtml for that private asset. The returned preview HTML included a private preview image route containing the target private assetId...

CVE-2025-55040

The import form CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to upload and install malicious form definitions through a CSRF attack. The vulnerable cForm.importform function lacks CSRF token validation, enabling malicious websites to forge file upload requests that install...

CVE-2025-55045

The update address CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to manipulate user address information through CSRF. The vulnerable cUsers.updateAddress function lacks CSRF token validation, enabling malicious websites to forge requests that add, modify, or delete user addresses...

CVE-2025-55044

The Trash Restore CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to restore deleted content from the trash to unauthorized locations through CSRF. The vulnerable cTrash.restore function lacks CSRF token validation, enabling malicious websites to forge requests that restore content...

CVE-2026-29840

JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting XSS vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filtering...

CVE-2026-29173

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This...

CVE-2026-32266

The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the DefaultController-actionLoadBucketData endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin...

CVE-2026-33161

Craft CMS is a content management system CMS. From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response dat...

CVE-2026-4225

A security flaw has been discovered in CMS Made Simple up to 2.2.21. Impacted is an unknown function of the file admin/listusers.php of the component User Management Module. Performing a manipulation of the argument Message results in cross site scripting. The attack is possible to be carried out...