Lucene search

K

16 matches found

CVE
CVE
added 2025/01/18 1:15 a.m.340 views

CVE-2025-23209

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a co...

8.1CVSS7.8AI score0.03622EPSS
In wild
CVE
CVE
added 2025/05/07 11:15 p.m.181 views

CVE-2025-35939

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '...

6.9CVSS5.6AI score0.40503EPSS
In wild
CVE
CVE
added 2019/10/11 12:15 a.m.138 views

CVE-2019-17496

Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion.

6.1CVSS5.8AI score0.00328EPSS
CVE
CVE
added 2024/06/25 9:15 p.m.94 views

CVE-2024-37843

Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.

9.8CVSS7.9AI score0.87249EPSS
Web
CVE
CVE
added 2020/03/04 5:15 p.m.85 views

CVE-2020-9757

The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.

9.8CVSS8.6AI score0.93272EPSS
In wild
CVE
CVE
added 2022/04/03 6:15 p.m.82 views

CVE-2022-28378

Craft CMS before 3.7.29 allows XSS.

6.1CVSS6.2AI score0.00311EPSS
CVE
CVE
added 2023/03/03 10:15 p.m.64 views

CVE-2023-23927

Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7.

6.1CVSS5.5AI score0.13016EPSS
CVE
CVE
added 2021/06/30 12:15 p.m.59 views

CVE-2021-27903

An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session).

9.8CVSS9.6AI score0.03824EPSS
CVE
CVE
added 2024/11/13 4:15 p.m.58 views

CVE-2024-52293

Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.

7.2CVSS6.9AI score0.04524EPSS
CVE
CVE
added 2021/06/30 12:15 p.m.56 views

CVE-2021-27902

An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads.

6.1CVSS5.9AI score0.00419EPSS
CVE
CVE
added 2021/05/07 7:31 p.m.53 views

CVE-2021-32470

Craft CMS before 3.6.13 has an XSS vulnerability.

6.1CVSS5.9AI score0.00328EPSS
CVE
CVE
added 2019/06/18 1:15 p.m.52 views

CVE-2019-12823

Craft CMS before 3.1.31 does not properly filter XML feeds and thus allowing XSS.

6.1CVSS6.3AI score0.00212EPSS
CVE
CVE
added 2023/05/26 8:15 p.m.49 views

CVE-2023-33197

Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.

5.5CVSS5.4AI score0.00298EPSS
CVE
CVE
added 2024/01/30 9:15 a.m.46 views

CVE-2023-36260

An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings to Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not a report about cod...

7.5CVSS7.5AI score0.00365EPSS
CVE
CVE
added 2024/01/30 9:15 a.m.45 views

CVE-2023-36259

Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation.

5.4CVSS5.4AI score0.00087EPSS
CVE
CVE
added 2024/11/13 5:15 p.m.41 views

CVE-2024-52291

Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme (e.g., file://file:////). This enables the attacker to specify sensitive folders as the file system, leading to potential file overw...

8.4CVSS7.8AI score0.00224EPSS