Lucene search

Craftcms / Craft Cms

8 matches found

CVE | added 2025/01/18 1:15 a.m. | 308 views

CVE-2025-23209

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a co...

CVSS 8.1 | AI score 7.8 | EPSS 0.05173

CVE | added 2024/01/03 5:15 p.m. | 218 views

CVE-2024-21622

Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure...

CVSS 8.8 | AI score 8.7 | EPSS 0.00103

CVE | added 2022/05/09 6:15 p.m. | 82 views

CVE-2022-29933

Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must sen...

CVSS 8.8 | AI score 8.6 | EPSS 0.02008

CVE | added 2021/09/30 12:15 a.m. | 59 views

CVE-2021-41824

Craft CMS before 3.7.14 allows CSV injection.

CVSS 8.8 | AI score 8.8 | EPSS 0.0051

CVE | added 2023/05/12 11:15 a.m. | 49 views

CVE-2023-30130

An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter.

CVSS 8.8 | AI score 8.8 | EPSS 0.05521

CVE | added 2025/05/05 8:15 p.m. | 45 views

CVE-2025-46731

Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contain a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and ALLOW_ADMIN_CHANGES must be enabled for this to work. U...

CVSS 8.6 | AI score 7.5 | EPSS 0.00148

CVE | added 2018/01/01 8:29 p.m. | 40 views

CVE-2018-3814

Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension.

CVSS 8.8 | AI score 9 | EPSS 0.00698

CVE | added 2024/11/13 5:15 p.m. | 40 views

CVE-2024-52291

Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme (e.g., file://file:////). This enables the attacker to specify sensitive folders as the file system, leading to potential file overw...

CVSS 8.4 | AI score 7.8 | EPSS 0.00202