Lucene search
+L

36 matches found

CVE
CVE
added 2025/01/18 12:32 a.m.403 views

CVE-2025-23209

Craft CMS (versions 4.x before 4.13.8 and 5.x before 5.5.8) is affected by a remote code execution vulnerability that requires a compromised security key. The issue is fixed in Craft 4.13.8 and 5.5.8; if updating is not possible, rotate the security keys and restrict exposure. Public sources also...

8.1CVSS7.8AI score0.04714EPSS
In wild
CVE
CVE
added 2026/03/04 4:26 p.m.302 views

CVE-2026-28697

Craft CMS (CMS, versions prior to 4.17.0-beta.1 and 5.9.0-beta.1) is affected by an authenticated-admin remote code execution (RCE) via Server-Side Template Injection (SSTI) in Twig template fields (for example, Email Templates). The underlying issue is exploitability through the craft.app.fs.wri...

9.4CVSS6.3AI score0.01067EPSS
CVE
CVE
added 2025/05/07 10:41 p.m.232 views

CVE-2025-35939

Craft CMS is affected by CVE-2025-35939 in versions prior to 5.7.5 and 4.15.3, where unauthenticated users can place arbitrary content (including PHP code) in server session files (sess_[value]) via unsanitized return URLs, potentially enabling local file manipulation or code execution. Remedies:...

6.9CVSS5.6AI score0.01174EPSS
In wild
CVE
CVE
added 2019/10/10 11:32 p.m.149 views

CVE-2019-17496

Craft CMS prior to 3.3.8 is affected by a stored XSS in the site deletion flow where the name field is mishandled. The issue enables injection through the name field and is limited to Craft CMS versions before 3.3.8; upgrading to 3.3.8 or later is the documented remediation. The CVE description a...

6.1CVSS5.8AI score0.00838EPSS
CVE
CVE
added 2024/06/25 12:0 a.m.119 views

CVE-2024-37843

Craft CMS

9.8CVSS7.9AI score0.51282EPSS
Web
CVE
CVE
added 2020/03/04 4:3 p.m.106 views

CVE-2020-9757

Craft CMS SEOmatic component before 3.3.0 is vulnerable to Server-Side Template Injection that can lead to remote code execution via malformed data submitted to the metacontainers controller. The CVE-2020-9757 entry is corroborated by multiple connected documents (Nuclei template, Red Hat advisor...

9.8CVSS8.6AI score0.73434EPSS
In wild
CVE
CVE
added 2022/04/03 5:28 p.m.100 views

CVE-2022-28378

Craft CMS vulnerability (CVE-2022-28378) : The XSS flaw affects Craft CMS versions before 3.7.29. Public sources attribute the issue to the FeedWidget.js input handling, where unfiltered links enable script injection. Impact is cross-site scripting with user interaction sometimes required dependi...

6.1CVSS6.2AI score0.00604EPSS
CVE
CVE
added 2024/11/13 4:4 p.m.83 views

CVE-2024-52293

Craft CMS prior to 4.12.2 and 5.4.3 is vulnerable due to missing normalizePath in FileHelper::absolutePath, enabling potential Remote Code Execution via Twig SSTI. This is a sequel to CVE-2023-40035. The issue is fixed in Craft 4.12.2 and 5.4.3. Affected versions should upgrade to the specified f...

7.2CVSS6.9AI score0.01308EPSS
CVE
CVE
added 2021/06/30 11:56 a.m.82 views

CVE-2021-27903

CVE-2021-27903 affects Craft CMS prior to 3.6.7. In certain conditions, a remote code execution vulnerability exists when an attacker can hijack an administrator’s session and exploit insufficient restrictions on administrative changes. Several connected advisories reiterate the same description....

9.8CVSS9.6AI score0.02819EPSS
CVE
CVE
added 2023/03/03 9:58 p.m.75 views

CVE-2023-23927

Craft CMS is vulnerable to a stored XSS in the quick post widget on the admin dashboard when a payload is inserted into a label name or an entry type instruction. The issue affects Craft CMS prior to version 4.3.7 and has been fixed in 4.3.7. The CVE entry is supported by multiple connected sourc...

6.1CVSS5.5AI score0.00801EPSS
CVE
CVE
added 2021/06/30 11:56 a.m.71 views

CVE-2021-27902

CVE-2021-27902 affects Craft CMS prior to 3.6.0. The connected documents describe a cross-site scripting (XSS) vulnerability in a front-end form that accepts user uploads. The root cause details and exploitation specifics are not provided in the documents. Scope is limited toCraft CMS versions be...

6.1CVSS5.9AI score0.00987EPSS
CVE
CVE
added 2021/05/07 5:2 p.m.71 views

CVE-2021-32470

Craft CMS CVE-2021-32470 is an XSS vulnerability affecting Craft CMS versions prior to 3.6.13. The issue is that input/output handling allows cross-site scripting, potentially impacting users who load crafted content. A fixed release is 3.6.13; upgrade to that version to mitigate. No exploitation...

6.1CVSS5.9AI score0.00733EPSS
CVE
CVE
added 2019/06/18 12:6 p.m.67 views

CVE-2019-12823

Craft CMS before 3.1.31 is vulnerable to cross-site scripting due to improper filtering of XML feeds. Affects Craft CMS core XML feed handling; attacker could inject and execute client-side scripts. CVSS metrics indicate MEDIUM severity (CVSS 3.1 base 6.1) with network access, no privileges requi...

6.1CVSS6.3AI score0.00943EPSS
CVE
CVE
added 2023/05/26 7:17 p.m.67 views

CVE-2023-33197

Craft CMS is affected by a stored XSS in indexedVolumes via the Update Asset Index utility. The issue arises from insufficient sanitization in the AssetIndexer path, allowing injection of HTML/JS payloads into asset index results. Impact is described as Cross-Site Scripting with the payload able ...

5.5CVSS5.4AI score0.00681EPSS
CVE
CVE
added 2024/11/13 4:12 p.m.66 views

CVE-2024-52291

CraftCMS has a local file system validation bypass flaw (CVE-2024-52291) that can be triggered by a double file:// scheme to point the base filesystem at sensitive folders. The root cause stems from FileHelper::normalizePath only removing a leading file://, enabling bypass when a second file:// i...

8.4CVSS7.8AI score0.01138EPSS
CVE
CVE
added 2024/01/30 12:0 a.m.64 views

CVE-2023-36260

CVE-2023-36260 affects the Feed Me plugin (version 4.6.1) on Craft CMS (version 4.6.1). The issue allows remote attackers to cause a Denial of Service by supplying crafted strings to the Feed-Me Name and Feed-Me URL fields when saving a feed via an Asset element with no volume selected. The root ...

7.5CVSS7.5AI score0.01073EPSS
CVE
CVE
added 2024/01/30 12:0 a.m.58 views

CVE-2023-36259

CVE-2023-36259 affects Craft CMS Audit Plugin prior to version 3.0.2. The issue arises from improper sanitization in the plugin’s handling of titles, enabling Cross Site Scripting (XSS) that can allow an attacker to inject arbitrary JavaScript during user creation. Several sources corroborate XSS...

5.4CVSS5.4AI score0.0038EPSS
CVE
CVE
added 2026/03/04 4:36 p.m.32 views

CVE-2026-28782

CVE-2026-28782 affects Craft CMS prior to 5.9.0-beta.1 and 4.17.0-beta.1, allowing a user with only View Entries permission to bypass UI restrictions and duplicate other users’ entries by sending direct requests. The flaw is an improper permission check in the Duplicate action, enabling IDOR via ...

5.3CVSS6AI score0.00234EPSS
CVE
CVE
added 2026/02/09 7:36 p.m.28 views

CVE-2026-25493

Craft CMS versions 4.0.0-RC1–4.16.17 and 5.0.0-RC1–5.8.21 contain an SSRF bypass in the saveAsset GraphQL mutation: the hostname/IP blocklist check is bypassed because Guzzle follows redirects by default, allowing an attacker to point redirects to cloud metadata endpoints or internal addresses. A...

6.9CVSS5.6AI score0.00359EPSS
CVE
CVE
added 2026/03/04 4:15 p.m.28 views

CVE-2026-28695

Summary of CVE-2026-28695 : Craft CMS 5.8.21 is vulnerable to an authenticated RCE via Server-Side Template Injection using the Twig create() function to trigger a Symfony Process gadget chain. The create() function exposes Craft::createObject(), enabling instantiation of arbitrary PHP classes wi...

7.5CVSS6AI score0.00556EPSS
CVE
CVE
added 2026/02/09 7:42 p.m.27 views

CVE-2026-25495

Craft CMS vulnerable to SQL injection in the element-indexes/get-elements endpoint via criteria[orderBy] in JSON body (versions 4.0.0-RC1–4.16.17 and 5.0.0-RC1–5.8.21). An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting...

8.8CVSS6.2AI score0.00502EPSS
Web
CVE
CVE
added 2026/02/09 7:50 p.m.26 views

CVE-2026-25497

CVE-2026-25497 : Privilege escalation in Craft CMS GraphQL API affecting versions 4.0.0-RC1 through before 4.17.0-beta.1 and 5.9.0-beta.1. An authenticated user with write access to one asset volume can escalate privileges and modify/transfer assets across volumes, including private or restricted...

8.8CVSS5.6AI score0.00426EPSS
CVE
CVE
added 2026/03/04 4:50 p.m.26 views

CVE-2026-28783

CVE-2026-28783 affects Craft CMS (Craft CMS core) where a blocklist of potentially dangerous PHP functions is bypassable via Twig non-Closure arrow functions. Affected versions are prior to 5.9.0-beta.1 and 4.17.0-beta.1. Successful exploitation requires attacker permissions (production allowAdmi...

9.4CVSS6.1AI score0.00464EPSS
CVE
CVE
added 2026/02/09 7:45 p.m.22 views

CVE-2026-25496

CVE-2026-25496 concerns Craft CMS where stored XSS exists in the Number field type settings across versions 4.0.0-RC1–4.16.17 and 5.0.0-RC1–5.8.21. The vulnerability stems from the Prefix and Suffix fields being rendered with the |md|raw Twig filter without sufficient escaping, enabling script ex...

4.8CVSS5.7AI score0.0036EPSS
CVE
CVE
added 2026/02/09 7:55 p.m.21 views

CVE-2026-25498

Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 contain a Remote Code Execution (RCE) flaw in assembleLayoutFromPost() where user-supplied configuration data is not sanitized before passing to Craft::createObject(). This allows authenticated administrators to inject mali...

8.6CVSS6.2AI score0.0097EPSS
CVE
CVE
added 2026/02/24 2:30 a.m.21 views

CVE-2026-27126

Craft CMS has a stored XSS vulnerability in the editableTable.twig component when using the html column type. Affects versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22. The issue is due to inadequate sanitization of the html column input, enabling arbitrary JavaScript execution when...

5.9CVSS5.9AI score0.00217EPSS
CVE
CVE
added 2026/03/04 4:57 p.m.21 views

CVE-2026-29069

Craft CMS prior to versions 5.9.0-beta.2 and 4.17.0-beta.2 exposed a unauthenticated activation flow: the actionSendActivationEmail() endpoint did not require a permission check for pending users, allowing an attacker to trigger activation emails for any pending account by guessing a user ID. If ...

6.9CVSS6AI score0.00273EPSS
CVE
CVE
added 2026/03/04 4:21 p.m.20 views

CVE-2026-28696

Craft CMS is affected by CVE-2026-28696 due to missing authorization in the GraphQL directive @parseRefs. Prior to 4.17.0-beta.1 and 5.9.0-beta.1, authenticated users and unauthenticated guests (when Public Schema is enabled) could read sensitive attributes of CMS elements by abusing {type:ID:fie...

8.7CVSS5.9AI score0.00447EPSS
CVE
CVE
added 2026/03/24 5:26 p.m.19 views

CVE-2026-33158

Craft CMS - CVE-2026-33158: A low-privileged authenticated user could read private asset content by calling assets/edit-image with an arbitrary assetId, bypassing per-asset view authorization. The endpoint returns image bytes or a preview redirect without enforcing access checks, enabling unautho...

7.1CVSS5.8AI score0.00353EPSS
Web
CVE
CVE
added 2026/03/24 5:28 p.m.19 views

CVE-2026-33159

CVE-2026-33159 affects Craft CMS. Guest users could access the Config Sync updater index and execute state-changing actions (regenerate-yaml, apply-yaml-changes) without authentication in: Craft CMS 4.0.0-RC1 up to before 4.17.8 and 5.0.0-RC1 up to before 5.9.14. The root cause is unauthenticated...

6.9CVSS5.8AI score0.00308EPSS
CVE
CVE
added 2026/02/09 7:41 p.m.18 views

CVE-2026-25494

Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 are affected by a vulnerability in the saveAsset GraphQL mutation, where filter_var(..., FILTER_VALIDATE_IP) blocks a defined IP list but fails to recognize hexadecimal or mixed notations, allowing bypass of the blocklist t...

6.9CVSS5.5AI score0.00359EPSS
CVE
CVE
added 2026/02/24 2:42 a.m.16 views

CVE-2026-27128

CVE-2026-27128 — Craft CMS TOCTOU token race : A TOCTOU race condition exists in Craft CMS’s token validation service for limited-use tokens. In affected versions (4.5.0-RC1–4.16.18 and 5.0.0-RC1–5.8.22), getTokenRoute() reads a token’s usage count, checks limits, then updates the database in non...

6.9CVSS5.5AI score0.00176EPSS
CVE
CVE
added 2026/03/04 4:53 p.m.16 views

CVE-2026-28784

Craft CMS is affected by a Server-Side Template Injection (Twig map filter) vulnerability prior to versions 5.8.22 and 4.16.18. The issue arises in text fields that accept Twig input (Settings in the Craft Control Panel or via the System Messages utility), allowing an attacker with administrator ...

8.6CVSS6AI score0.00514EPSS
CVE
CVE
added 2026/03/24 5:30 p.m.13 views

CVE-2026-33160

Summary: CVE-2026-33160 affects Craft CMS versions 4.0.0-RC1 through 4.17.7 and 5.0.0-RC1 through 5.9.13, where an unauthenticated user can call assets/generate-transform with a private assetId, obtain a valid transform URL, and fetch the transformed image bytes. The endpoint does not enforce per...

6.9CVSS5.7AI score0.00355EPSS
Web
CVE
CVE
added 2026/03/24 5:31 p.m.13 views

CVE-2026-33161

CVE-2026-33161 — Craft CMS : A low-privileged authenticated user could call the assets/image-editor endpoint with the ID of a private asset they cannot view and still receive editor response data, including focalPoint, due to missing per-asset authorization validation. Affected versions: 4.0.0-RC...

5.3CVSS5.7AI score0.00215EPSS
Web
CVE
CVE
added 2026/03/04 4:31 p.m.12 views

CVE-2026-28781

CVE-2026-28781 affects Craft CMS. Before versions 4.17.0-beta.1 and 5.9.0-beta.1, an entry creation flow permits Mass Assignment of the authorId attribute. A user with Create Entries permission can inject the parameters authorIds[] or authorId into a POST request, which the backend may process wi...

7.1CVSS6AI score0.00326EPSS