9 matches found
Missing Authorization
craftcms/cms is vulnerable to Missing Authorization. The vulnerability is due to missing authorization checks in the GraphQL @parseRefs directive, which allows an attacker to access sensitive attributes of CMS elements without proper permissions...
CVE-2026-28696
Craft is a content management system CMS. Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags e.g., user:1:email, can be abused by both authenticated users and unauthenticated guests if a Public Schema is enabled to access sensitive...
CVE-2026-28696
Craft is a content management system CMS. Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags e.g., user:1:email, can be abused by both authenticated users and unauthenticated guests if a Public Schema is enabled to access sensitive...
CVE-2026-28696
Craft is a content management system CMS. Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags e.g., user:1:email, can be abused by both authenticated users and unauthenticated guests if a Public Schema is enabled to access sensitive...
CVE-2026-28696
Craft CMS is affected by CVE-2026-28696 due to missing authorization in the GraphQL directive @parseRefs. Prior to 4.17.0-beta.1 and 5.9.0-beta.1, authenticated users and unauthenticated guests (when Public Schema is enabled) could read sensitive attributes of CMS elements by abusing {type:ID:fie...
GHSA-7X43-MPFG-R9WJ Craft CMS has IDOR via GraphQL @parseRefs
The GraphQL directive @parseRefs, intended to parse internal reference tags e.g., user:1:email, can be abused by both authenticated users and unauthenticated guests if a Public Schema is enabled to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs...
Missing Authorization
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization via the parseRefs directive. An attacker can access sensitive attributes of any element, including user emails, usernames, custom fields, and internal server paths, by...
Craft CMS has IDOR via GraphQL @parseRefs
The GraphQL directive @parseRefs, intended to parse internal reference tags e.g., user:1:email, can be abused by both authenticated users and unauthenticated guests if a Public Schema is enabled to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs...
PT-2026-22948
Name of the Vulnerable Software and Affected Versions Craft versions prior to 4.17.0-beta.1 and versions prior to 5.9.0-beta.1 Description Craft is a content management system CMS that contains a flaw in the GraphQL directive @parseRefs. This directive, designed to parse internal reference tags,...