16 matches found
EUVD-2024-3276
Malicious code in bioql PyPI...
EUVD-2023-1531
Malicious code in bioql PyPI...
GHSA-9HP3-F5G8-RCCG The Freeform CraftCMS plugin contains a Server-side template injection (SSTI) vulnerability
Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains a Server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that have access to editing a form submission title...
CVE-2024-52291
Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme, e.g., file://file:////. This enables the attacker to specify sensitive folders as the file system, leading to potential file...
CVE-2023-30177
CraftCMS 3.7.59 is vulnerable to Cross Site Scripting (XSS). An attacker can inject JavaScript code into the Volume Name...
CVE-2023-30130
An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script passed to the Section parameter...
Remote Code Execution (RCE)
craftcms/cms is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper sanitization of user input, allowing attackers to inject malicious code if they have administrator access and the ALLOWADMINCHANGES setting is enabled...
CraftCMS 3.x < 3.9.15 / 4.x < 4.14.15 / 5.x < 5.6.17 Remote Code Execution
CraftCMS version 3.x prior to 3.9.15, 4.x prior to 4.14.15, or 5.x prior to 5.6.16 is vulnerable to Remote Code Execution (RCE) in the action endpoint. No source data...
Exploit for Code Injection in Craftcms Craft_Cms
CraftCMS CVE-2025-32432 Exploit By Chirag Artani Overview...
Arbitrary File Read
craftcms/cms is vulnerable to arbitrary file read. The vulnerability is due to the exploitation of the dataUrl function, which allows attackers with write permissions on system notification templates to embed and exfiltrate Base64-encoded file content via triggered email notifications...
Local File System Validation Bypass
craftcms/cms is vulnerable to local file system validation bypass. The vulnerability is due to improper validation of file paths, allowing attackers to exploit a double file:// scheme to bypass restrictions and access or overwrite sensitive files...
Cross Site Scripting(XSS)
craftcms/cms is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to insufficient input sanitization in the breadcrumb list and title fields, allowing user-provided input to be stored without proper validation or encoding, which then executes malicious scripts when displayed...
CraftCMS Security Vulnerability
CraftCMS is a content management system from CraftCMS, Inc. A security vulnerability exists in CraftCMS version v3.7.31 and earlier versions. An attacker can exploit the vulnerability to perform a SQL injection attack via a GraphQL API endpoint...
CVE-2023-30179
CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting the User Photo Location in User Settings, leading to Remote Code Execution. NOTE: the vendor disputes this because only Administrator...
CVE-2023-30130
An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script passed to the Section parameter...
CVE-2023-30177
CraftCMS 3.7.59 is vulnerable to Cross Site Scripting (XSS). An attacker can inject JavaScript code into the Volume Name...