CVE-2026-32262 Craft CMS has a Path Traversal Vulnerability in AssetsController
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController-replaceFile method has a targetFilename body parameter that is used unsanitized in a deleteFile call before...
CVE-2026-32261
The CVE concerns the Craft CMS Webhooks plugin. Versions 3.0.0–3.1.x render user-supplied Twig template content with Twig renderString() without sandbox protection, allowing an authenticated user with access to the Craft control panel and plugin permissions to inject Twig code that can call arbit...
CVE-2026-32261 RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin
Webhooks for Craft CMS plugin adds the ability to manage “webhooks” in Craft CMS, which will send GET or POST requests when certain events occur. From version 3.0.0 to before version 3.2.0, the Webhooks plugin renders user-supplied template content through Twig’s renderString function without...
GHSA-Q6FM-P73F-X862 Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability
Unauthenticated users can view a list of buckets the plugin has access to. The DefaultController-actionLoadContainerData endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Because Azure can return sensitive data in error...
GHSA-CC7P-2J3X-X7XF Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
Summary A low-privilege user or an unauthenticated user who has been sent a shared URL can escalate their privileges to admin by abusing UsersController-actionImpersonateWithToken. Affected users should update to Craft 4.17.6 and 5.9.12 to mitigate the issue. Details This vulnerability allows any...
Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability
Unauthenticated users can view a list of buckets the plugin has access to. The DefaultController-actionLoadBucketData endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.1 of the plugin to...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the actionLoadBucketData endpoint in DefaultController. An attacker can access sensitive information by sending unauthenticated requests with a valid CSRF token. Remediation Upgrade...
GHSA-HWJ7-4VGC-J3V9 Amazon S3 for Craft CMS has an Information Disclosure vulnerability
Unauthenticated users can view a list of buckets the plugin has access to. The BucketsController-actionLoadBucketData endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to...
GHSA-4484-8V2F-5748 Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
The fix for https://github.com/advisories/GHSA-7jx7-3846-m7w7 commit https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748 only patched src/services/Fields.php, but the same vulnerable pattern exists in ElementIndexesController and FieldsController. You need Craft contro...
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the ElementIndexesController and FieldsController components. An attacker can execute arbitrary code by...
Craft CMS vulnerable to behavior injection RCE via EntryTypesController
The fix for GHSA-7jx7-3846-m7w7 commit 395c64f0b80b507be1c862a2ec942eaacb353748 only patched src/services/Fields.php, but the same vulnerable pattern exists in EntryTypesController::actionApplyOverrideSettings. In src/controllers/EntryTypesController.php lines 381-387: php $settingsStr =...
EUVD-2026-12503
Craft CMS has a Path Traversal Vulnerability in AssetsController...
GHSA-472V-J2G4-G9H2 Craft CMS has a Path Traversal Vulnerability in AssetsController
The AssetsController-replaceFile method has a targetFilename body parameter that is used unsanitized in a deleteFile call before Assets::prepareAssetName is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by...
GHSA-8WG7-WM29-2RVG RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin
The Webhooks plugin renders user-supplied template content through Twig’s renderString function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP...