Lucene search
K

99 matches found

NVD
NVD
added 5 days ago7 views

CVE-2026-14794

A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument userGroupId causes improper authorization. The attack is...

5.3CVSS0.00222EPSS
Exploits0References6
EUVD
EUVD
added 5 days ago7 views

EUVD-2026-41805

A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument userGroupId causes improper authorization. The attack is...

5.3CVSS5.5AI score0.00222EPSS
Exploits0References6
Cvelist
Cvelist
added 5 days ago35 views

CVE-2026-14794 Craft CMS Charts Endpoint ChartsController.php actionGetNewUsersData improper authorization

A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument userGroupId causes improper authorization. The attack is...

5.3CVSS0.00222EPSS
Exploits0References6
EUVD
EUVD
added 5 days ago5 views

EUVD-2026-41804

A vulnerability was detected in Craft CMS up to 4.18.0.1. Affected is the function actionReorderSets of the file src/controllers/GlobalsController.php of the component reorder-sets Endpoint. The manipulation results in authorization bypass. The attack can be executed remotely. Upgrading to versio...

5.3CVSS5.7AI score0.00224EPSS
Exploits0References6
CVE
CVE
added 2026/07/02 4:15 p.m.27 views

CVE-2026-50282

Craft CMS contains an authorization issue in AssetsController::actionMoveFolder where calling with force=true to move a folder into a destination with a conflicting name can overwrite and delete the destination folder without destination delete permission. Affected versions are 5.0.0-RC1 and abov...

7.1CVSS5.7AI score0.00207EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/02 4:2 p.m.7 views

EUVD-2026-41409

Craft CMS is a content management system CMS. Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The...

7.1CVSS5.9AI score0.00253EPSS
Exploits0References2
NVD
NVD
added 2026/07/01 11:16 p.m.9 views

CVE-2026-55790

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types...

7.4CVSS0.00311EPSS
Exploits0References2
NVD
NVD
added 2026/07/01 10:16 p.m.5 views

CVE-2026-55793

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.22, an author-level control panel user can store a malicious JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under th...

5.9CVSS0.00412EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.11 views

PT-2026-54859

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.0.0-RC1 through 5.9.22 Craft CMS versions 4.0.0-RC1 through 4.17.15 Description An attacker with a GitHub account can inject a JavaScript payload into a craftcms/cms issue title. The payload executes within the control pan...

7.4CVSS5.8AI score0.00311EPSS
Exploits0References10
EUVD
EUVD
added 2026/06/21 1:27 p.m.9 views

EUVD-2026-38179

Craft CMS versions = 5.0.0-RC1, = 4.0.0-RC1, = 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an...

5.3CVSS5.9AI score0.00221EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/21 1:27 p.m.6 views

EUVD-2026-38178

Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview...

5.3CVSS5.9AI score0.00193EPSS
Exploits0References3
CVE
CVE
added 2026/06/21 1:26 p.m.17 views

CVE-2026-56383

CVE-2026-56383 : Craft CMS contains a stored XSS in the editableTable.twig component via the Row Heading column type. The vulnerability arises from unsanitized input in row heading default values, enabling an attacker with an administrator account (when allowAdminChanges is enabled) to inject arb...

4.8CVSS5.8AI score0.00177EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/21 1:26 p.m.7 views

EUVD-2026-38177

Craft CMS contains a stored cross-site scripting XSS vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account with allowAdminChanges...

4.8CVSS5.8AI score0.00177EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/21 1:26 p.m.7 views

EUVD-2026-38175

Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other...

4.8CVSS5.8AI score0.00148EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/21 12:0 a.m.19 views

PT-2026-51230

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.5.0 through 5.9.13 Description An issue exists in the FieldsController::actionRenderCardPreview method where the fieldLayoutConfig POST parameter is passed directly to Fields::createLayout without being processed by...

8.6CVSS6.2AI score0.00493EPSS
Exploits0References11
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.7 views

Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs

Overview Craft CMS is vulnerable to Server-Side Request Forgery SSRF and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the...

6.9CVSS6.1AI score0.0033EPSS
Exploits0References3Affected Software1
Packet Storm News
Packet Storm News
added 2026/06/11 12:0 a.m.14 views

Craft CMS Authorization and Migration Endpoint Exposure Tool

This is an assessment utility designed to evaluate potential exposure related to authorization handling and migration endpoint accessibility in Craft CMS deployments...

5.3AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/06/05 7:36 p.m.11 views

CVE-2026-41128

Craft CMS is a content management system CMS. In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...

5.3CVSS5.5AI score0.00248EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/01 10:3 p.m.12 views

CVE-2026-45697

Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields with Default value → Custom that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site depending ...

9.8CVSS5.8AI score0.00475EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/29 7:1 p.m.11 views

EUVD-2026-33421

Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields with Default value → Custom that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site depending ...

9.8CVSS5.8AI score0.00475EPSS
Exploits0References4
Rows per page
Query Builder