97 matches found
CVE-2024-56145
Craft CMS is affected by CVE-2024-56145 due to a code execution vector triggered when php.ini register_argc_argv is enabled. Reports indicate an RCE vulnerability exists in affected versions, with remediation via upgrading to Craft CMS 3.9.14, 4.13.2, or 5.5.2. If upgrading is not possible, the r...
CVE-2025-32432
CVE-2025-32432 affects Craft CMS across 3.x (3.0.0-RC1–3.9.14), 4.x (4.0.0-RC1–4.14.14), and 5.x (5.0.0-RC1–5.6.16). The vulnerability is a remote code execution via insecure deserialization in the asset transform path (notably /actions/assets/generate-transform) that can be triggered by crafted ...
CVE-2025-23209
Craft CMS (versions 4.x before 4.13.8 and 5.x before 5.5.8) is affected by a remote code execution vulnerability that requires a compromised security key. The issue is fixed in Craft 4.13.8 and 5.5.8; if updating is not possible, rotate the security keys and restrict exposure. Public sources also...
CVE-2019-14280
CVE-2019-14280 affects Craft CMS (versions prior to 2.7.10 and 3 prior to 3.2.6). The issue is an information disclosure where EXIF data is not stripped from user-uploaded images when configured to do so, potentially exposing personal/geolocation data. Red Hat and NVD entries reiterate the vulner...
CVE-2026-28697
Craft CMS (CMS, versions prior to 4.17.0-beta.1 and 5.9.0-beta.1) is affected by an authenticated-admin remote code execution (RCE) via Server-Side Template Injection (SSTI) in Twig template fields (for example, Email Templates). The underlying issue is exploitability through the craft.app.fs.wri...
CVE-2024-21622
CVE-2024-21622 is a Privilege Escalation issue in Craft CMS. The vulnerability affects Craft 3.x (prior to 3.9.6) and Craft 4.x (prior to 4.4.16) and arises under certain user permission configurations, allowing elevated access. The condition and root cause are described as a permission-checking ...
CVE-2023-41892
CVE-2023-41892 affects Craft CMS Versions 4.0.0-RC1 through 4.4.14. The vulnerability is an unauthenticated remote code execution (RCE) caused by a PHP object creation in the craft\controllers\ConditionsController that can escalate to arbitrary PHP code execution (context involves GuzzleHttp\Psr7...
CVE-2025-35939
Craft CMS is affected by CVE-2025-35939 in versions prior to 5.7.5 and 4.15.3, where unauthenticated users can place arbitrary content (including PHP code) in server session files (sess_[value]) via unsanitized return URLs, potentially enabling local file manipulation or code execution. Remedies:...
CVE-2019-17496
Craft CMS prior to 3.3.8 is affected by a stored XSS in the site deletion flow where the name field is mishandled. The issue enables injection through the name field and is limited to Craft CMS versions before 3.3.8; upgrading to 3.3.8 or later is the documented remediation. The CVE description a...
CVE-2025-68456
CVE-2025-68456 affects Craft CMS versions 5.0.0-RC1–5.8.20 and 3.0.0–4.16.16, where unauthenticated users can trigger database backup operations via the admin action path updater/backup. The underlying issue is exposed across all updater actions configured for anonymous access, enabling a backup ...
CVE-2024-37843
Craft CMS
CVE-2023-40035
CVE-2023-40035 affects Craft CMS. The vulnerability arises from bypassing or incomplete path normalization in FileHelper/absolutePath and related system path checks, enabling Remote Code Execution via Twig SSTI when a crafted path escapes system directories. Exploitation is described as requiring...
CVE-2020-9757
Craft CMS SEOmatic component before 3.3.0 is vulnerable to Server-Side Template Injection that can lead to remote code execution via malformed data submitted to the metacontainers controller. The CVE-2020-9757 entry is corroborated by multiple connected documents (Nuclei template, Red Hat advisor...
CVE-2019-15929
Craft CMS up to version 3.1.7 is affected by an authentication issue where the elevated session password prompt was not rate-limited, enabling brute-force attempts as described across multiple sources. The vulnerability affects the login flow for elevated sessions and is documented in CVE-2019-15...
CVE-2022-28378
Craft CMS vulnerability (CVE-2022-28378) : The XSS flaw affects Craft CMS versions before 3.7.29. Public sources attribute the issue to the FeedWidget.js input handling, where unfiltered links enable script injection. Impact is cross-site scripting with user interaction sometimes required dependi...
CVE-2022-29933
Craft CMS up to version 3.7.36 is affected by a password-reset poisoning vulnerability. An unauthenticated attacker who knows a valid username can reset the target account by supplying a crafted HTTP header (X-Forwarded-Host) to the password-reset URL at /index.php?p=admin/actions/users/send-pass...
CVE-2022-37783
Craft CMS versions 3.0.0–3.7.32 disclose user password hashes via the CRAFT_CSRF_TOKEN cookie and corresponding HTML field; the hash can be decoded using Yii public functions. Impact is password hash disclosure (confidentiality). No explicit exploit details or fixed versions are provided in the c...
CVE-2023-32679
Craft CMS is vulnerable to Remote Code Execution due to lack of file extension validation in template resolution (name parameter handling in View.php). Exploitation requires admin privileges on an environment configured for development/staging/production (e.g., ALLOW_ADMIN_CHANGES=true). The issu...
CVE-2022-37251
Craft CMS 4.2.0.1 is affected by a Cross Site Scripting (XSS) vulnerability via Drafts/entry drafts. Multiple sources (NVD/NVD-derived CVE, GitHub GHSA advisory, Veracode entry, OSV entries, CVE lists, and related national vulnerabilities) corroborate that Craft CMS versions up to 4.2.0.1 (and ea...
CVE-2021-27903
CVE-2021-27903 affects Craft CMS prior to 3.6.7. In certain conditions, a remote code execution vulnerability exists when an attacker can hijack an administrator’s session and exploit insufficient restrictions on administrative changes. Several connected advisories reiterate the same description....
CVE-2022-37246
CVE-2022-37246 affects Craft CMS 4.2.0.1. The Cross-Site Scripting vulnerability exists in BaseElementSelectInput.js (src/web/assets/cp/src/js/BaseElementSelectInput.js), specifically on the line constructing elementInfo.label, due to insufficient sanitization. This can allow injected JavaScript ...
CVE-2024-52293
Craft CMS prior to 4.12.2 and 5.4.3 is vulnerable due to missing normalizePath in FileHelper::absolutePath, enabling potential Remote Code Execution via Twig SSTI. This is a sequel to CVE-2023-40035. The issue is fixed in Craft 4.12.2 and 5.4.3. Affected versions should upgrade to the specified f...
CVE-2023-30177
CraftCMS 3.7.59 is vulnerable to Cross-Site Scripting (XSS) via the Volume Name. The root cause is an XSS flaw in CraftCMS that allows injected JavaScript. Affected version according to sources: 3.7.59; remediation is to upgrade to 3.7.68 or later (CraftCMS patch) to mitigate. If upgrading is not...
CVE-2023-31144
CVE-2023-31144 affects Craft CMS RSS/feed widget title handling. A malformed title can deliver a cross-site scripting payload. Affected versions are 3.0.0–3.8.3 and 4.0.0–4.4.3; the issue is fixed in 3.8.4 and 4.4.4. Public references from Craft CMS advisories and GitHub GHSA confirm the XSS, wit...
CVE-2022-37247
CVE-2022-37247 concerns Craft CMS 4.2.0.1 with a stored XSS on the /admin/settings/fields page. Multiple connected sources corroborate the issue, including Red Hat and Veracode entries. The Veracode description attributes the vulnerability to improper encoding in Cp.php affecting the _fldTabHtml ...
CVE-2023-2817
The CVE-2023-2817 issue is a post-authentication stored cross-site scripting vulnerability in Craft CMS versions up to 4.4.11. It allows HTML/script injection in field names, which triggers when those fields are added to a category or section and visited on Categories/Entries pages. Several conne...
CVE-2019-9554
Craft CMS 3.1.12 Pro contains a Cross-site Scripting (XSS) vulnerability in the header insertion field used when adding source code at the s/admin/entries/news/new URI. The issue is triggered by input in the header insertion field and is described as a stored XSS, potentially allowing an attacker...
CVE-2021-41824
Craft CMS before version 3.7.14 is vulnerable to CSV injection via export functionality. The root cause is lack of input sanitization/escaping when exporting data to CSV, allowing crafted input to trigger payloads in CSV readers (e.g., Excel). Affected software is Craft CMS (core) with CSV export...
CVE-2022-37250
CVE-2022-37250 affects Craft CMS 4.2.0.1 with a Stored Cross-Site Scripting (XSS) in the admin path /admin/myaccount. The connected sources consistently describe a stored XSS condition but do not provide concrete technical details beyond the vulnerable location and vulnerability type, nor do they...
CVE-2023-23927
Craft CMS is vulnerable to a stored XSS in the quick post widget on the admin dashboard when a payload is inserted into a label name or an entry type instruction. The issue affects Craft CMS prior to version 4.3.7 and has been fixed in 4.3.7. The CVE entry is supported by multiple connected sourc...
CVE-2018-20418
CVE-2018-20418 affects Craft CMS, version 3.0.25. The vulnerability is a cross-site scripting (XSS) flaw in the handling of the title during saving through the admin action endpoint: http://…/admin/actions/entries/save-entry. Saving a new title from the console tab is reported to enable XSS. The ...
CVE-2021-32470
Craft CMS CVE-2021-32470 is an XSS vulnerability affecting Craft CMS versions prior to 3.6.13. The issue is that input/output handling allows cross-site scripting, potentially impacting users who load crafted content. A fixed release is 3.6.13; upgrade to that version to mitigate. No exploitation...
CVE-2021-27902
CVE-2021-27902 affects Craft CMS prior to 3.6.0. The connected documents describe a cross-site scripting (XSS) vulnerability in a front-end form that accepts user uploads. The root cause details and exploitation specifics are not provided in the documents. Scope is limited toCraft CMS versions be...
CVE-2023-30130
Summary (CVE-2023-30130) CraftCMS v3.8.1 contains a code-injection vulnerability exploited by a crafted Script in the Section parameter. The issue arises from inadequate filtering/escaping of user-supplied data, enabling a remote attacker to execute arbitrary code. The CVSS 3.1 baseline indicates...
CVE-2022-37248
Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) through src/helpers/Cp.php. The issue involves improper encoding in functions related to tab/groupName handling (as cited by GHSA and Veracode reports), enabling injection/execution of malicious JavaScript. CVE-2022-37248 has a NVD CVS...
CVE-2018-3814
Craft CMS 2.6.3000 is affected by a remote code execution vulnerability that occurs when using the Assets→Upload files screen followed by Replace it, allowing a .jpg file to carry embedded PHP code and be renamed to a .php extension. This is the official CVE description and is echoed across multi...
CVE-2019-12823
Craft CMS before 3.1.31 is vulnerable to cross-site scripting due to improper filtering of XML feeds. Affects Craft CMS core XML feed handling; attacker could inject and execute client-side scripts. CVSS metrics indicate MEDIUM severity (CVSS 3.1 base 6.1) with network access, no privileges requi...
CVE-2023-33195
CVE-2023-33195 affects Craft CMS prior to 4.4.6, where a malformed RSS feed in the RSS widget could deliver a Cross‑Site Scripting (XSS) payload via the feed, enabling script execution. The issue is addressed by upgrading to Craft CMS 4.4.6 or later (patch referenced in the project release notes ...
CVE-2023-33197
Craft CMS is affected by a stored XSS in indexedVolumes via the Update Asset Index utility. The issue arises from insufficient sanitization in the AssetIndexer path, allowing injection of HTML/JS payloads into asset index results. Impact is described as Cross-Site Scripting with the payload able ...
CVE-2024-52291
CraftCMS has a local file system validation bypass flaw (CVE-2024-52291) that can be triggered by a double file:// scheme to point the base filesystem at sensitive folders. The root cause stems from FileHelper::normalizePath only removing a leading file://, enabling bypass when a second file:// i...
CVE-2025-46731
CVE-2025-46731 affects Craft CMS on the 4.x line prior to 4.14.13 and the 5.x line prior to 5.6.16, with a remote code execution vulnerability exploitable via Twig SSTI. An attacker must have administrator access and ALLOW_ADMIN_CHANGES enabled for exploitation. Remediation is to upgrade to patch...
CVE-2024-52292
CVE-2024-52292 affects Craft CMS. The dataUrl function can exfiltrate the contents of arbitrary server files when an attacker has write permissions on system notification templates and can trigger a system email. By embedding a path to a sensitive file, the Base64-encoded content is sent via an e...
CVE-2023-36260
CVE-2023-36260 affects the Feed Me plugin (version 4.6.1) on Craft CMS (version 4.6.1). The issue allows remote attackers to cause a Denial of Service by supplying crafted strings to the Feed-Me Name and Feed-Me URL fields when saving a feed via an Asset element with no volume selected. The root ...
CVE-2023-33495
CVE-2023-33495 affects Craft CMS up to version 4.4.9, where an HTML Injection vulnerability exists in the CMS (the exact root cause is described only as HTML Injection in the sources). Impact is described as enabling injection of HTML content, with a CVSS v3.1 base score of 6.1 (Medium). The avai...
CVE-2023-30179
CraftCMS is affected by a Server-Side Template Injection (SSTI) in version 3.7.59, where an authenticated user can inject Twig templates into the User Photo Location in User Settings, potentially enabling Remote Code Execution. The root cause cited is lack of input validation for the Twig code in...
CVE-2024-45406
Summary: CVE-2024-45406 affects Craft CMS (5.x). The vulnerability is a stored XSS in breadcrumb list and title fields that can be triggered by user input. This is documented across multiple sources (CVE entries, GHSA advisory, and OSV/NVD mirrors) and is described as a stored XSS impacting Craft...
CVE-2023-33194
CVE-2023-33194 affects CraftCMS, where the Quick Post validation error message did not filter input or encode output, enabling a stored XSS payload via the label/Quick Post components. The issue was reported across multiple sources and is explicitly patched in CraftCMS 4.4.6. Some connected recor...
CVE-2023-33196
CVE-2023-33196 corresponds to a stored XSS vulnerability in Craft CMS triggered via review volumes during asset indexing. Public descriptions consistently state that the issue was fixed in version 4.4.7. The root cause revolves around insufficient sanitization of data in the review/asset-indexing...
CVE-2023-36259
CVE-2023-36259 affects Craft CMS Audit Plugin prior to version 3.0.2. The issue arises from improper sanitization in the plugin’s handling of titles, enabling Cross Site Scripting (XSS) that can allow an attacker to inject arbitrary JavaScript during user creation. Several sources corroborate XSS...
CVE-2017-9516
CVE-2017-9516 describes a cross-site scripting (XSS) vulnerability in Craft CMS prior to version 2.6.2982. The issue arises when a malicious SVG file is uploaded, enabling an attacker to inject or execute arbitrary scripts in the context of the affected site. The available connected documents cor...