Lucene search
+L
CraftcmsCraft Cms

97 matches found

CVE
CVE
added 2024/12/18 8:37 p.m.3643 views

CVE-2024-56145

Craft CMS is affected by CVE-2024-56145 due to a code execution vector triggered when php.ini register_argc_argv is enabled. Reports indicate an RCE vulnerability exists in affected versions, with remediation via upgrading to Craft CMS 3.9.14, 4.13.2, or 5.5.2. If upgrading is not possible, the r...

9.8CVSS7.4AI score0.97446EPSS
In wild
CVE
CVE
added 2025/04/25 3:4 p.m.540 views

CVE-2025-32432

CVE-2025-32432 affects Craft CMS across 3.x (3.0.0-RC1–3.9.14), 4.x (4.0.0-RC1–4.14.14), and 5.x (5.0.0-RC1–5.6.16). The vulnerability is a remote code execution via insecure deserialization in the asset transform path (notably /actions/assets/generate-transform) that can be triggered by crafted ...

10CVSS9.7AI score0.99829EPSS
In wildWeb
CVE
CVE
added 2025/01/18 12:32 a.m.403 views

CVE-2025-23209

Craft CMS (versions 4.x before 4.13.8 and 5.x before 5.5.8) is affected by a remote code execution vulnerability that requires a compromised security key. The issue is fixed in Craft 4.13.8 and 5.5.8; if updating is not possible, rotate the security keys and restrict exposure. Public sources also...

8.1CVSS7.8AI score0.04714EPSS
In wild
CVE
CVE
added 2019/07/26 3:52 a.m.313 views

CVE-2019-14280

CVE-2019-14280 affects Craft CMS (versions prior to 2.7.10 and 3 prior to 3.2.6). The issue is an information disclosure where EXIF data is not stripped from user-uploaded images when configured to do so, potentially exposing personal/geolocation data. Red Hat and NVD entries reiterate the vulner...

5.3CVSS5.1AI score0.07968EPSS
CVE
CVE
added 2026/03/04 4:26 p.m.302 views

CVE-2026-28697

Craft CMS (CMS, versions prior to 4.17.0-beta.1 and 5.9.0-beta.1) is affected by an authenticated-admin remote code execution (RCE) via Server-Side Template Injection (SSTI) in Twig template fields (for example, Email Templates). The underlying issue is exploitability through the craft.app.fs.wri...

9.4CVSS6.3AI score0.01067EPSS
CVE
CVE
added 2024/01/03 4:51 p.m.232 views

CVE-2024-21622

CVE-2024-21622 is a Privilege Escalation issue in Craft CMS. The vulnerability affects Craft 3.x (prior to 3.9.6) and Craft 4.x (prior to 4.4.16) and arises under certain user permission configurations, allowing elevated access. The condition and root cause are described as a permission-checking ...

8.8CVSS8.7AI score0.00588EPSS
CVE
CVE
added 2023/09/13 7:45 p.m.231 views

CVE-2023-41892

CVE-2023-41892 affects Craft CMS Versions 4.0.0-RC1 through 4.4.14. The vulnerability is an unauthenticated remote code execution (RCE) caused by a PHP object creation in the craft\controllers\ConditionsController that can escalate to arbitrary PHP code execution (context involves GuzzleHttp\Psr7...

10CVSS9.3AI score0.92918EPSS
In wild
CVE
CVE
added 2025/05/07 10:41 p.m.231 views

CVE-2025-35939

Craft CMS is affected by CVE-2025-35939 in versions prior to 5.7.5 and 4.15.3, where unauthenticated users can place arbitrary content (including PHP code) in server session files (sess_[value]) via unsanitized return URLs, potentially enabling local file manipulation or code execution. Remedies:...

6.9CVSS5.6AI score0.01174EPSS
In wild
CVE
CVE
added 2019/10/10 11:32 p.m.149 views

CVE-2019-17496

Craft CMS prior to 3.3.8 is affected by a stored XSS in the site deletion flow where the name field is mishandled. The issue enables injection through the name field and is limited to Craft CMS versions before 3.3.8; upgrading to 3.3.8 or later is the documented remediation. The CVE description a...

6.1CVSS5.8AI score0.00831EPSS
CVE
CVE
added 2026/01/05 10:3 p.m.141 views

CVE-2025-68456

CVE-2025-68456 affects Craft CMS versions 5.0.0-RC1–5.8.20 and 3.0.0–4.16.16, where unauthenticated users can trigger database backup operations via the admin action path updater/backup. The underlying issue is exposed across all updater actions configured for anonymous access, enabling a backup ...

9.1CVSS6.4AI score0.00471EPSS
CVE
CVE
added 2024/06/25 12:0 a.m.119 views

CVE-2024-37843

Craft CMS

9.8CVSS7.9AI score0.51282EPSS
Web
CVE
CVE
added 2023/08/23 8:5 p.m.110 views

CVE-2023-40035

CVE-2023-40035 affects Craft CMS. The vulnerability arises from bypassing or incomplete path normalization in FileHelper/absolutePath and related system path checks, enabling Remote Code Execution via Twig SSTI when a crafted path escapes system directories. Exploitation is described as requiring...

7.2CVSS7.3AI score0.01909EPSS
CVE
CVE
added 2020/03/04 4:3 p.m.106 views

CVE-2020-9757

Craft CMS SEOmatic component before 3.3.0 is vulnerable to Server-Side Template Injection that can lead to remote code execution via malformed data submitted to the metacontainers controller. The CVE-2020-9757 entry is corroborated by multiple connected documents (Nuclei template, Red Hat advisor...

9.8CVSS8.6AI score0.73434EPSS
In wild
CVE
CVE
added 2019/10/24 3:53 p.m.103 views

CVE-2019-15929

Craft CMS up to version 3.1.7 is affected by an authentication issue where the elevated session password prompt was not rate-limited, enabling brute-force attempts as described across multiple sources. The vulnerability affects the login flow for elevated sessions and is documented in CVE-2019-15...

9.8CVSS9.4AI score0.0161EPSS
Web
CVE
CVE
added 2022/04/03 5:28 p.m.100 views

CVE-2022-28378

Craft CMS vulnerability (CVE-2022-28378) : The XSS flaw affects Craft CMS versions before 3.7.29. Public sources attribute the issue to the FeedWidget.js input handling, where unfiltered links enable script injection. Impact is cross-site scripting with user interaction sometimes required dependi...

6.1CVSS6.2AI score0.00604EPSS
CVE
CVE
added 2022/05/09 5:48 p.m.100 views

CVE-2022-29933

Craft CMS up to version 3.7.36 is affected by a password-reset poisoning vulnerability. An unauthenticated attacker who knows a valid username can reset the target account by supplying a crafted HTTP header (X-Forwarded-Host) to the password-reset URL at /index.php?p=admin/actions/users/send-pass...

8.8CVSS8.6AI score0.04585EPSS
Web
CVE
CVE
added 2022/12/05 12:0 a.m.91 views

CVE-2022-37783

Craft CMS versions 3.0.0–3.7.32 disclose user password hashes via the CRAFT_CSRF_TOKEN cookie and corresponding HTML field; the hash can be decoded using Yii public functions. Impact is password hash disclosure (confidentiality). No explicit exploit details or fixed versions are provided in the c...

7.5CVSS7.5AI score0.01035EPSS
CVE
CVE
added 2023/05/19 7:40 p.m.85 views

CVE-2023-32679

Craft CMS is vulnerable to Remote Code Execution due to lack of file extension validation in template resolution (name parameter handling in View.php). Exploitation requires admin privileges on an environment configured for development/staging/production (e.g., ALLOW_ADMIN_CHANGES=true). The issu...

7.2CVSS7.5AI score0.01845EPSS
CVE
CVE
added 2022/09/16 8:54 p.m.84 views

CVE-2022-37251

Craft CMS 4.2.0.1 is affected by a Cross Site Scripting (XSS) vulnerability via Drafts/entry drafts. Multiple sources (NVD/NVD-derived CVE, GitHub GHSA advisory, Veracode entry, OSV entries, CVE lists, and related national vulnerabilities) corroborate that Craft CMS versions up to 4.2.0.1 (and ea...

5.4CVSS5.2AI score0.00422EPSS
CVE
CVE
added 2021/06/30 11:56 a.m.81 views

CVE-2021-27903

CVE-2021-27903 affects Craft CMS prior to 3.6.7. In certain conditions, a remote code execution vulnerability exists when an attacker can hijack an administrator’s session and exploit insufficient restrictions on administrative changes. Several connected advisories reiterate the same description....

9.8CVSS9.6AI score0.02819EPSS
CVE
CVE
added 2022/09/21 2:14 p.m.81 views

CVE-2022-37246

CVE-2022-37246 affects Craft CMS 4.2.0.1. The Cross-Site Scripting vulnerability exists in BaseElementSelectInput.js (src/web/assets/cp/src/js/BaseElementSelectInput.js), specifically on the line constructing elementInfo.label, due to insufficient sanitization. This can allow injected JavaScript ...

5.4CVSS5.2AI score0.0041EPSS
CVE
CVE
added 2024/11/13 4:4 p.m.81 views

CVE-2024-52293

Craft CMS prior to 4.12.2 and 5.4.3 is vulnerable due to missing normalizePath in FileHelper::absolutePath, enabling potential Remote Code Execution via Twig SSTI. This is a sequel to CVE-2023-40035. The issue is fixed in Craft 4.12.2 and 5.4.3. Affected versions should upgrade to the specified f...

7.2CVSS6.9AI score0.01308EPSS
CVE
CVE
added 2023/04/25 12:0 a.m.80 views

CVE-2023-30177

CraftCMS 3.7.59 is vulnerable to Cross-Site Scripting (XSS) via the Volume Name. The root cause is an XSS flaw in CraftCMS that allows injected JavaScript. Affected version according to sources: 3.7.59; remediation is to upgrade to 3.7.68 or later (CraftCMS patch) to mitigate. If upgrading is not...

6.1CVSS6.1AI score0.00395EPSS
CVE
CVE
added 2023/05/09 3:22 p.m.80 views

CVE-2023-31144

CVE-2023-31144 affects Craft CMS RSS/feed widget title handling. A malformed title can deliver a cross-site scripting payload. Affected versions are 3.0.0–3.8.3 and 4.0.0–4.4.3; the issue is fixed in 3.8.4 and 4.4.4. Public references from Craft CMS advisories and GitHub GHSA confirm the XSS, wit...

6.1CVSS5.8AI score0.00406EPSS
CVE
CVE
added 2022/09/16 8:27 p.m.79 views

CVE-2022-37247

CVE-2022-37247 concerns Craft CMS 4.2.0.1 with a stored XSS on the /admin/settings/fields page. Multiple connected sources corroborate the issue, including Red Hat and Veracode entries. The Veracode description attributes the vulnerability to improper encoding in Cp.php affecting the _fldTabHtml ...

5.4CVSS5.1AI score0.00463EPSS
Web
CVE
CVE
added 2023/05/26 12:0 a.m.76 views

CVE-2023-2817

The CVE-2023-2817 issue is a post-authentication stored cross-site scripting vulnerability in Craft CMS versions up to 4.4.11. It allows HTML/script injection in field names, which triggers when those fields are added to a category or section and visited on Categories/Entries pages. Several conne...

5.4CVSS5AI score0.00444EPSS
CVE
CVE
added 2019/12/31 4:15 p.m.75 views

CVE-2019-9554

Craft CMS 3.1.12 Pro contains a Cross-site Scripting (XSS) vulnerability in the header insertion field used when adding source code at the s/admin/entries/news/new URI. The issue is triggered by input in the header insertion field and is described as a stored XSS, potentially allowing an attacker...

6.1CVSS6AI score0.02591EPSS
Web
CVE
CVE
added 2021/09/29 11:19 p.m.75 views

CVE-2021-41824

Craft CMS before version 3.7.14 is vulnerable to CSV injection via export functionality. The root cause is lack of input sanitization/escaping when exporting data to CSV, allowing crafted input to trigger payloads in CSV readers (e.g., Excel). Affected software is Craft CMS (core) with CSV export...

8.8CVSS8.8AI score0.01329EPSS
CVE
CVE
added 2022/09/16 2:57 p.m.75 views

CVE-2022-37250

CVE-2022-37250 affects Craft CMS 4.2.0.1 with a Stored Cross-Site Scripting (XSS) in the admin path /admin/myaccount. The connected sources consistently describe a stored XSS condition but do not provide concrete technical details beyond the vulnerable location and vulnerability type, nor do they...

5.4CVSS5.2AI score0.0055EPSS
CVE
CVE
added 2023/03/03 9:58 p.m.75 views

CVE-2023-23927

Craft CMS is vulnerable to a stored XSS in the quick post widget on the admin dashboard when a payload is inserted into a label name or an entry type instruction. The issue affects Craft CMS prior to version 4.3.7 and has been fixed in 4.3.7. The CVE entry is supported by multiple connected sourc...

6.1CVSS5.5AI score0.00801EPSS
CVE
CVE
added 2018/12/24 4:0 a.m.73 views

CVE-2018-20418

CVE-2018-20418 affects Craft CMS, version 3.0.25. The vulnerability is a cross-site scripting (XSS) flaw in the handling of the title during saving through the admin action endpoint: http://…/admin/actions/entries/save-entry. Saving a new title from the console tab is reported to enable XSS. The ...

4.8CVSS4.7AI score0.03702EPSS
Web
CVE
CVE
added 2021/05/07 5:2 p.m.71 views

CVE-2021-32470

Craft CMS CVE-2021-32470 is an XSS vulnerability affecting Craft CMS versions prior to 3.6.13. The issue is that input/output handling allows cross-site scripting, potentially impacting users who load crafted content. A fixed release is 3.6.13; upgrade to that version to mitigate. No exploitation...

6.1CVSS5.9AI score0.00733EPSS
CVE
CVE
added 2021/06/30 11:56 a.m.69 views

CVE-2021-27902

CVE-2021-27902 affects Craft CMS prior to 3.6.0. The connected documents describe a cross-site scripting (XSS) vulnerability in a front-end form that accepts user uploads. The root cause details and exploitation specifics are not provided in the documents. Scope is limited toCraft CMS versions be...

6.1CVSS5.9AI score0.00987EPSS
CVE
CVE
added 2023/05/12 12:0 a.m.69 views

CVE-2023-30130

Summary (CVE-2023-30130) CraftCMS v3.8.1 contains a code-injection vulnerability exploited by a crafted Script in the Section parameter. The issue arises from inadequate filtering/escaping of user-supplied data, enabling a remote attacker to execute arbitrary code. The CVSS 3.1 baseline indicates...

8.8CVSS8.8AI score0.01416EPSS
CVE
CVE
added 2022/09/16 3:9 p.m.68 views

CVE-2022-37248

Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) through src/helpers/Cp.php. The issue involves improper encoding in functions related to tab/groupName handling (as cited by GHSA and Veracode reports), enabling injection/execution of malicious JavaScript. CVE-2022-37248 has a NVD CVS...

5.4CVSS5.2AI score0.00536EPSS
CVE
CVE
added 2018/01/01 8:0 p.m.67 views

CVE-2018-3814

Craft CMS 2.6.3000 is affected by a remote code execution vulnerability that occurs when using the Assets→Upload files screen followed by Replace it, allowing a .jpg file to carry embedded PHP code and be renamed to a .php extension. This is the official CVE description and is echoed across multi...

8.8CVSS9AI score0.01353EPSS
CVE
CVE
added 2019/06/18 12:6 p.m.67 views

CVE-2019-12823

Craft CMS before 3.1.31 is vulnerable to cross-site scripting due to improper filtering of XML feeds. Affects Craft CMS core XML feed handling; attacker could inject and execute client-side scripts. CVSS metrics indicate MEDIUM severity (CVSS 3.1 base 6.1) with network access, no privileges requi...

6.1CVSS6.3AI score0.00943EPSS
CVE
CVE
added 2023/05/27 3:51 a.m.67 views

CVE-2023-33195

CVE-2023-33195 affects Craft CMS prior to 4.4.6, where a malformed RSS feed in the RSS widget could deliver a Cross‑Site Scripting (XSS) payload via the feed, enabling script execution. The issue is addressed by upgrading to Craft CMS 4.4.6 or later (patch referenced in the project release notes ...

6.1CVSS5.4AI score0.00651EPSS
CVE
CVE
added 2023/05/26 7:17 p.m.67 views

CVE-2023-33197

Craft CMS is affected by a stored XSS in indexedVolumes via the Update Asset Index utility. The issue arises from insufficient sanitization in the AssetIndexer path, allowing injection of HTML/JS payloads into asset index results. Impact is described as Cross-Site Scripting with the payload able ...

5.5CVSS5.4AI score0.00681EPSS
CVE
CVE
added 2024/11/13 4:12 p.m.66 views

CVE-2024-52291

CraftCMS has a local file system validation bypass flaw (CVE-2024-52291) that can be triggered by a double file:// scheme to point the base filesystem at sensitive folders. The root cause stems from FileHelper::normalizePath only removing a leading file://, enabling bypass when a second file:// i...

8.4CVSS7.8AI score0.01138EPSS
CVE
CVE
added 2025/05/05 7:35 p.m.66 views

CVE-2025-46731

CVE-2025-46731 affects Craft CMS on the 4.x line prior to 4.14.13 and the 5.x line prior to 5.6.16, with a remote code execution vulnerability exploitable via Twig SSTI. An attacker must have administrator access and ALLOW_ADMIN_CHANGES enabled for exploitation. Remediation is to upgrade to patch...

8.6CVSS7.5AI score0.01221EPSS
CVE
CVE
added 2024/01/30 12:0 a.m.64 views

CVE-2023-36260

CVE-2023-36260 affects the Feed Me plugin (version 4.6.1) on Craft CMS (version 4.6.1). The issue allows remote attackers to cause a Denial of Service by supplying crafted strings to the Feed-Me Name and Feed-Me URL fields when saving a feed via an Asset element with no volume selected. The root ...

7.5CVSS7.5AI score0.01073EPSS
CVE
CVE
added 2024/11/13 4:8 p.m.64 views

CVE-2024-52292

CVE-2024-52292 affects Craft CMS. The dataUrl function can exfiltrate the contents of arbitrary server files when an attacker has write permissions on system notification templates and can trigger a system email. By embedding a path to a sensitive file, the Base64-encoded content is sent via an e...

7.7CVSS6.7AI score0.00657EPSS
CVE
CVE
added 2023/06/13 12:0 a.m.62 views

CVE-2023-30179

CraftCMS is affected by a Server-Side Template Injection (SSTI) in version 3.7.59, where an authenticated user can inject Twig templates into the User Photo Location in User Settings, potentially enabling Remote Code Execution. The root cause cited is lack of input validation for the Twig code in...

7.2CVSS7.2AI score0.02203EPSS
CVE
CVE
added 2023/06/20 12:0 a.m.62 views

CVE-2023-33495

CVE-2023-33495 affects Craft CMS up to version 4.4.9, where an HTML Injection vulnerability exists in the CMS (the exact root cause is described only as HTML Injection in the sources). Impact is described as enabling injection of HTML content, with a CVSS v3.1 base score of 6.1 (Medium). The avai...

6.1CVSS6.1AI score0.00497EPSS
CVE
CVE
added 2024/09/09 4:46 p.m.61 views

CVE-2024-45406

Summary: CVE-2024-45406 affects Craft CMS (5.x). The vulnerability is a stored XSS in breadcrumb list and title fields that can be triggered by user input. This is documented across multiple sources (CVE entries, GHSA advisory, and OSV/NVD mirrors) and is described as a stored XSS impacting Craft...

5.5CVSS5AI score0.00334EPSS
CVE
CVE
added 2023/05/26 8:30 p.m.59 views

CVE-2023-33194

CVE-2023-33194 affects CraftCMS, where the Quick Post validation error message did not filter input or encode output, enabling a stored XSS payload via the label/Quick Post components. The issue was reported across multiple sources and is explicitly patched in CraftCMS 4.4.6. Some connected recor...

4.8CVSS4.4AI score0.00617EPSS
CVE
CVE
added 2023/05/26 8:22 p.m.59 views

CVE-2023-33196

CVE-2023-33196 corresponds to a stored XSS vulnerability in Craft CMS triggered via review volumes during asset indexing. Public descriptions consistently state that the issue was fixed in version 4.4.7. The root cause revolves around insufficient sanitization of data in the review/asset-indexing...

5.5CVSS5.3AI score0.00653EPSS
CVE
CVE
added 2024/01/30 12:0 a.m.58 views

CVE-2023-36259

CVE-2023-36259 affects Craft CMS Audit Plugin prior to version 3.0.2. The issue arises from improper sanitization in the plugin’s handling of titles, enabling Cross Site Scripting (XSS) that can allow an attacker to inject arbitrary JavaScript during user creation. Several sources corroborate XSS...

5.4CVSS5.4AI score0.0038EPSS
CVE
CVE
added 2017/06/08 1:0 p.m.56 views

CVE-2017-9516

CVE-2017-9516 describes a cross-site scripting (XSS) vulnerability in Craft CMS prior to version 2.6.2982. The issue arises when a malicious SVG file is uploaded, enabling an attacker to inject or execute arbitrary scripts in the context of the affected site. The available connected documents cor...

5.4CVSS5.2AI score0.02314EPSS
Total number of security vulnerabilities97