Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields

Summary A stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. Proof of Concept Required Permissions -...

Cross-site Scripting (XSS)

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rendering of the prefix and suffix fields in the Number field type settings without proper escaping. An attacker can execute arbitrary scripts in the context ...

GHSA-9F5H-MMQ6-2X78 Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields

Summary A stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. Proof of Concept Required Permissions -...

GHSA-2453-MPPF-46CJ Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`

Summary The element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteriaorderBy parameter JSON body. The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause...

Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`

Summary The element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteriaorderBy parameter JSON body. The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause...

Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation

I observed a recent commit intended to mitigate Server-Side Request Forgery SSRF vulnerabilities. While the implemented defense mechanisms are an improvement, I have identified two methods to bypass these protections. This report details the first bypass method involving alternative IP notation,...

Server-side Request Forgery (SSRF)

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the saveAsset mutation in GraphQL when alternative IP notations are used in the URL parameter. An attacker can access internal cloud metadata services by...

GHSA-M5R2-8P9X-HP5M Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation

I observed a recent commit intended to mitigate Server-Side Request Forgery SSRF vulnerabilities. While the implemented defense mechanisms are an improvement, I have identified two methods to bypass these protections. This report details the first bypass method involving alternative IP notation,...

Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect

Summary The saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. ---...

Server-side Request Forgery (SSRF)

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklis. An attacker can access internal resources or sensiti...

Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host

Summary - The saveimagesAsset graphql mutation allows a user to give a url of an image to download. Url must use a domain, not a raw IP. - Attacker sets up domain attacker.domain with an A record of something like 169.254.169.254 special AWS metadata IP - Attacker invokes saveimagesAsset with url...

Server-side Request Forgery (SSRF)

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in handleUpload, which is exploitable via the saveimagesAsset mutation in the GraphQL API. An attacker can retrieve sensitive internal resources, such as AWS...

GHSA-96PQ-HXPW-RGH8 Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host

Summary - The saveimagesAsset graphql mutation allows a user to give a url of an image to download. Url must use a domain, not a raw IP. - Attacker sets up domain attacker.domain with an A record of something like 169.254.169.254 special AWS metadata IP - Attacker invokes saveimagesAsset with url...

GHSA-7PR4-WX9W-MQWR Craft CMS Vulnerable to Stored XSS in Entry Types Name

Summary Stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. --- Proof of Concept Required Permissions Attacker - Admin access only admins have access to the settings page - allowAdminChanges is enabled in production, which is against our security...

CVE-2026-25496

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping,...

CVE-2026-25497

Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their...

CVE-2026-25492

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveimagesAsset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a...

Cross-site Scripting (XSS)

craftcms/commerce is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization of the “Address Line 1” field in Inventory Locations, which allows an attacker to store and execute malicious JavaScript in an administrator’s browser via the admin panel...

CVE-2026-25498

Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 contain a Remote Code Execution (RCE) flaw in assembleLayoutFromPost() where user-supplied configuration data is not sanitized before passing to Craft::createObject(). This allows authenticated administrators to inject mali...

CVE-2026-25498 Craft has a potential authenticated Remote Code Execution via malicious attached Behavior

Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution RCE vulnerability exists in Craft CMS where the assembleLayoutFromPost function in src/services/Fields.php fails to sanitize user-supplied configuratio...