36 matches found
CVE-2025-23209
Craft CMS (versions 4.x before 4.13.8 and 5.x before 5.5.8) is affected by a remote code execution vulnerability that requires a compromised security key. The issue is fixed in Craft 4.13.8 and 5.5.8; if updating is not possible, rotate the security keys and restrict exposure. Public sources also...
CVE-2026-28697
Craft CMS (CMS, versions prior to 4.17.0-beta.1 and 5.9.0-beta.1) is affected by an authenticated-admin remote code execution (RCE) via Server-Side Template Injection (SSTI) in Twig template fields (for example, Email Templates). The underlying issue is exploitability through the craft.app.fs.wri...
CVE-2025-35939
Craft CMS is affected by CVE-2025-35939 in versions prior to 5.7.5 and 4.15.3, where unauthenticated users can place arbitrary content (including PHP code) in server session files (sess_[value]) via unsanitized return URLs, potentially enabling local file manipulation or code execution. Remedies:...
CVE-2019-17496
Craft CMS prior to 3.3.8 is affected by a stored XSS in the site deletion flow where the name field is mishandled. The issue enables injection through the name field and is limited to Craft CMS versions before 3.3.8; upgrading to 3.3.8 or later is the documented remediation. The CVE description a...
CVE-2024-37843
Craft CMS
CVE-2020-9757
Craft CMS SEOmatic component before 3.3.0 is vulnerable to Server-Side Template Injection that can lead to remote code execution via malformed data submitted to the metacontainers controller. The CVE-2020-9757 entry is corroborated by multiple connected documents (Nuclei template, Red Hat advisor...
CVE-2022-28378
Craft CMS vulnerability (CVE-2022-28378) : The XSS flaw affects Craft CMS versions before 3.7.29. Public sources attribute the issue to the FeedWidget.js input handling, where unfiltered links enable script injection. Impact is cross-site scripting with user interaction sometimes required dependi...
CVE-2024-52293
Craft CMS prior to 4.12.2 and 5.4.3 is vulnerable due to missing normalizePath in FileHelper::absolutePath, enabling potential Remote Code Execution via Twig SSTI. This is a sequel to CVE-2023-40035. The issue is fixed in Craft 4.12.2 and 5.4.3. Affected versions should upgrade to the specified f...
CVE-2021-27903
CVE-2021-27903 affects Craft CMS prior to 3.6.7. In certain conditions, a remote code execution vulnerability exists when an attacker can hijack an administrator’s session and exploit insufficient restrictions on administrative changes. Several connected advisories reiterate the same description....
CVE-2023-23927
Craft CMS is vulnerable to a stored XSS in the quick post widget on the admin dashboard when a payload is inserted into a label name or an entry type instruction. The issue affects Craft CMS prior to version 4.3.7 and has been fixed in 4.3.7. The CVE entry is supported by multiple connected sourc...
CVE-2021-27902
CVE-2021-27902 affects Craft CMS prior to 3.6.0. The connected documents describe a cross-site scripting (XSS) vulnerability in a front-end form that accepts user uploads. The root cause details and exploitation specifics are not provided in the documents. Scope is limited toCraft CMS versions be...
CVE-2021-32470
Craft CMS CVE-2021-32470 is an XSS vulnerability affecting Craft CMS versions prior to 3.6.13. The issue is that input/output handling allows cross-site scripting, potentially impacting users who load crafted content. A fixed release is 3.6.13; upgrade to that version to mitigate. No exploitation...
CVE-2019-12823
Craft CMS before 3.1.31 is vulnerable to cross-site scripting due to improper filtering of XML feeds. Affects Craft CMS core XML feed handling; attacker could inject and execute client-side scripts. CVSS metrics indicate MEDIUM severity (CVSS 3.1 base 6.1) with network access, no privileges requi...
CVE-2023-33197
Craft CMS is affected by a stored XSS in indexedVolumes via the Update Asset Index utility. The issue arises from insufficient sanitization in the AssetIndexer path, allowing injection of HTML/JS payloads into asset index results. Impact is described as Cross-Site Scripting with the payload able ...
CVE-2024-52291
CraftCMS has a local file system validation bypass flaw (CVE-2024-52291) that can be triggered by a double file:// scheme to point the base filesystem at sensitive folders. The root cause stems from FileHelper::normalizePath only removing a leading file://, enabling bypass when a second file:// i...
CVE-2023-36260
CVE-2023-36260 affects the Feed Me plugin (version 4.6.1) on Craft CMS (version 4.6.1). The issue allows remote attackers to cause a Denial of Service by supplying crafted strings to the Feed-Me Name and Feed-Me URL fields when saving a feed via an Asset element with no volume selected. The root ...
CVE-2023-36259
CVE-2023-36259 affects Craft CMS Audit Plugin prior to version 3.0.2. The issue arises from improper sanitization in the plugin’s handling of titles, enabling Cross Site Scripting (XSS) that can allow an attacker to inject arbitrary JavaScript during user creation. Several sources corroborate XSS...
CVE-2026-28782
CVE-2026-28782 affects Craft CMS prior to 5.9.0-beta.1 and 4.17.0-beta.1, allowing a user with only View Entries permission to bypass UI restrictions and duplicate other users’ entries by sending direct requests. The flaw is an improper permission check in the Duplicate action, enabling IDOR via ...
CVE-2026-25493
Craft CMS versions 4.0.0-RC1–4.16.17 and 5.0.0-RC1–5.8.21 contain an SSRF bypass in the saveAsset GraphQL mutation: the hostname/IP blocklist check is bypassed because Guzzle follows redirects by default, allowing an attacker to point redirects to cloud metadata endpoints or internal addresses. A...
CVE-2026-28695
Summary of CVE-2026-28695 : Craft CMS 5.8.21 is vulnerable to an authenticated RCE via Server-Side Template Injection using the Twig create() function to trigger a Symfony Process gadget chain. The create() function exposes Craft::createObject(), enabling instantiation of arbitrary PHP classes wi...
CVE-2026-25495
Craft CMS vulnerable to SQL injection in the element-indexes/get-elements endpoint via criteria[orderBy] in JSON body (versions 4.0.0-RC1–4.16.17 and 5.0.0-RC1–5.8.21). An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting...
CVE-2026-25497
CVE-2026-25497 : Privilege escalation in Craft CMS GraphQL API affecting versions 4.0.0-RC1 through before 4.17.0-beta.1 and 5.9.0-beta.1. An authenticated user with write access to one asset volume can escalate privileges and modify/transfer assets across volumes, including private or restricted...
CVE-2026-28783
CVE-2026-28783 affects Craft CMS (Craft CMS core) where a blocklist of potentially dangerous PHP functions is bypassable via Twig non-Closure arrow functions. Affected versions are prior to 5.9.0-beta.1 and 4.17.0-beta.1. Successful exploitation requires attacker permissions (production allowAdmi...
CVE-2026-25496
CVE-2026-25496 concerns Craft CMS where stored XSS exists in the Number field type settings across versions 4.0.0-RC1–4.16.17 and 5.0.0-RC1–5.8.21. The vulnerability stems from the Prefix and Suffix fields being rendered with the |md|raw Twig filter without sufficient escaping, enabling script ex...
CVE-2026-25498
Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 contain a Remote Code Execution (RCE) flaw in assembleLayoutFromPost() where user-supplied configuration data is not sanitized before passing to Craft::createObject(). This allows authenticated administrators to inject mali...
CVE-2026-27126
Craft CMS has a stored XSS vulnerability in the editableTable.twig component when using the html column type. Affects versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22. The issue is due to inadequate sanitization of the html column input, enabling arbitrary JavaScript execution when...
CVE-2026-29069
Craft CMS prior to versions 5.9.0-beta.2 and 4.17.0-beta.2 exposed a unauthenticated activation flow: the actionSendActivationEmail() endpoint did not require a permission check for pending users, allowing an attacker to trigger activation emails for any pending account by guessing a user ID. If ...
CVE-2026-28696
Craft CMS is affected by CVE-2026-28696 due to missing authorization in the GraphQL directive @parseRefs. Prior to 4.17.0-beta.1 and 5.9.0-beta.1, authenticated users and unauthenticated guests (when Public Schema is enabled) could read sensitive attributes of CMS elements by abusing {type:ID:fie...
CVE-2026-33158
Craft CMS - CVE-2026-33158: A low-privileged authenticated user could read private asset content by calling assets/edit-image with an arbitrary assetId, bypassing per-asset view authorization. The endpoint returns image bytes or a preview redirect without enforcing access checks, enabling unautho...
CVE-2026-33159
CVE-2026-33159 affects Craft CMS. Guest users could access the Config Sync updater index and execute state-changing actions (regenerate-yaml, apply-yaml-changes) without authentication in: Craft CMS 4.0.0-RC1 up to before 4.17.8 and 5.0.0-RC1 up to before 5.9.14. The root cause is unauthenticated...
CVE-2026-25494
Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 are affected by a vulnerability in the saveAsset GraphQL mutation, where filter_var(..., FILTER_VALIDATE_IP) blocks a defined IP list but fails to recognize hexadecimal or mixed notations, allowing bypass of the blocklist t...
CVE-2026-27128
CVE-2026-27128 — Craft CMS TOCTOU token race : A TOCTOU race condition exists in Craft CMS’s token validation service for limited-use tokens. In affected versions (4.5.0-RC1–4.16.18 and 5.0.0-RC1–5.8.22), getTokenRoute() reads a token’s usage count, checks limits, then updates the database in non...
CVE-2026-28784
Craft CMS is affected by a Server-Side Template Injection (Twig map filter) vulnerability prior to versions 5.8.22 and 4.16.18. The issue arises in text fields that accept Twig input (Settings in the Craft Control Panel or via the System Messages utility), allowing an attacker with administrator ...
CVE-2026-33160
Summary: CVE-2026-33160 affects Craft CMS versions 4.0.0-RC1 through 4.17.7 and 5.0.0-RC1 through 5.9.13, where an unauthenticated user can call assets/generate-transform with a private assetId, obtain a valid transform URL, and fetch the transformed image bytes. The endpoint does not enforce per...
CVE-2026-33161
CVE-2026-33161 — Craft CMS : A low-privileged authenticated user could call the assets/image-editor endpoint with the ID of a private asset they cannot view and still receive editor response data, including focalPoint, due to missing per-asset authorization validation. Affected versions: 4.0.0-RC...
CVE-2026-28781
CVE-2026-28781 affects Craft CMS. Before versions 4.17.0-beta.1 and 5.9.0-beta.1, an entry creation flow permits Mass Assignment of the authorId attribute. A user with Create Entries permission can inject the parameters authorIds[] or authorId into a POST request, which the backend may process wi...