Lucene search

Craftcms / Craft Cms

14 matches found

CVE
added 2025/05/07 11:15 p.m. | 154 views

CVE-2025-35939

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '...

6.9 CVSS | 5.6 AI score | 0.44911 EPSS

CVE
added 2019/10/11 12:15 a.m. | 136 views

CVE-2019-17496

Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion.

6.1 CVSS | 5.8 AI score | 0.00328 EPSS

CVE
added 2022/04/03 6:15 p.m. | 81 views

CVE-2022-28378

Craft CMS before 3.7.29 allows XSS.

6.1 CVSS | 6.2 AI score | 0.00311 EPSS

CVE
added 2023/05/09 4:15 p.m. | 66 views

CVE-2023-31144

Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in versions 3.8.4 and 4.4.4.

6.1 CVSS | 5.8 AI score | 0.00455 EPSS

CVE
added 2023/03/03 10:15 p.m. | 63 views

CVE-2023-23927

Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, a cross-site scripting (XSS) issue occurs in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7.

6.1 CVSS | 5.5 AI score | 0.10791 EPSS

CVE
added 2019/12/31 5:15 p.m. | 57 views

CVE-2019-9554

In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI.

6.1 CVSS | 6 AI score | 0.01546 EPSS

CVE
added 2023/04/25 6:15 p.m. | 57 views

CVE-2023-30177

CraftCMS 3.7.59 is vulnerable to Cross Site Scripting (XSS). An attacker can inject JavaScript code into Volume Name.

6.1 CVSS | 6.1 AI score | 0.00098 EPSS

CVE
added 2021/06/30 12:15 p.m. | 53 views

CVE-2021-27902

An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads.

6.1 CVSS | 5.9 AI score | 0.00419 EPSS

CVE
added 2021/05/07 7:31 p.m. | 52 views

CVE-2021-32470

Craft CMS before 3.6.13 has an XSS vulnerability.

6.1 CVSS | 5.9 AI score | 0.00328 EPSS

CVE
added 2019/06/18 1:15 p.m. | 50 views

CVE-2019-12823

Craft CMS before 3.1.31 does not properly filter XML feeds, thus allowing XSS.

6.1 CVSS | 6.3 AI score | 0.00212 EPSS

CVE
added 2023/05/27 4:15 a.m. | 44 views

CVE-2023-33195

Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.

6.1 CVSS | 5.4 AI score | 0.0055 EPSS

CVE
added 2023/06/20 1:15 p.m. | 38 views

CVE-2023-33495

Craft CMS through 4.4.9 is vulnerable to HTML Injection.

6.1 CVSS | 6.1 AI score | 0.00181 EPSS

CVE
added 2017/04/22 1:59 a.m. | 35 views

CVE-2017-8052

Craft CMS before 2.6.2974 allows XSS attacks.

6.1 CVSS | 5.8 AI score | 0.00353 EPSS

CVE
added 2017/05/01 6:59 a.m. | 34 views

CVE-2017-8384

Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052.

6.1 CVSS | 6 AI score | 0.00353 EPSS