2 matches found
EUVD-2026-38159
Craft CMS 4.x = 4.0.0-RC1, = 5.0.0-RC1, 5.9.0-beta.1 contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization e.g., via the checkbox.twig template, which used label|raw . An authenticated administrator with...
Craft CMS vulnerable to Remote Code Execution via unrestricted file extension
Summary Unrestricted file extension lead to a potential Remote Code Execution Authenticated, ALLOWADMINCHANGES=true Details Vulnerability Cause : If the name parameter value is not empty string'' in the View.php's doesTemplateExist - resolveTemplate - resolveTemplateInternal - resolveTemplate...