craftcms/cms Security Advisories (102)
-
[HIGH] Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
PKSA-tj2m-c963-6jtt CVE-2026-44012 GHSA-33m5-hqp9-97pw
Affected version: >=5.0.0-RC1,<5.9.18
Reported by:
GitHub -
[HIGH] Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior
PKSA-7b21-z11x-97gc CVE-2026-44011 GHSA-qrgm-p9w5-rrfw
Affected version: >=5.0.0,<5.9.18|>=4.0.0,<4.17.12
Reported by:
GitHub -
[HIGH] Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
PKSA-sxz1-z4jg-2vhh CVE-2026-44010 GHSA-gj2p-p9m4-c8gw
Affected version: >=4.0.0,<4.17.12|>=5.0.0,<5.9.18
Reported by:
GitHub -
[MEDIUM] Craft CMS has a host header injection leading to SSRF via resource-js endpoint
PKSA-ntd3-69q5-4cfy CVE-2026-41130 GHSA-95wr-3f2v-v2wh
Affected version: >=4.0.0-RC1,<=4.17.8|>=5.0.0-RC1,<=5.9.14
Reported by:
GitHub -
[MEDIUM] Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations
PKSA-wb3t-ts8t-d4cj CVE-2026-41129 GHSA-3m9m-24vh-39wx
Affected version: >=4.0.0-RC1,<=4.17.8|>=5.0.0-RC1,<=5.9.14
Reported by:
GitHub -
[MEDIUM] Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action
PKSA-dmwd-n76s-m3f9 CVE-2026-41128 GHSA-jq2f-59pj-p3m3
Affected version: >=5.6.0,<5.9.15
Reported by:
GitHub -
[LOW] Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
PKSA-hq3k-cthz-b9zn GHSA-44px-qjjc-xrhq
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by:
GitHub -
[MEDIUM] Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions
PKSA-7c6f-2hwc-ptwd CVE-2026-33162 GHSA-f582-6gf6-gx4g
Affected version: >=5.3.0,<=5.9.13
Reported by:
GitHub -
[LOW] Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users
PKSA-w984-dygq-7ryn CVE-2026-33161 GHSA-vgjg-248p-rfm2
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by:
GitHub -
[LOW] Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
PKSA-swp1-ty4d-gpzy CVE-2026-33160 GHSA-5pgf-h923-m958
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by:
GitHub -
[MEDIUM] Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations
PKSA-rxrx-pcy1-2csw CVE-2026-33159 GHSA-6mrr-q3pj-h53w
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by:
GitHub -
[MEDIUM] Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
PKSA-548y-fsbg-y9t7 CVE-2026-33158 GHSA-3pvf-vxrv-hh9c
Affected version: >=5.0.0-RC1,<=5.9.13|>=4.0.0-RC1,<=4.17.7
Reported by:
GitHub -
[HIGH] Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior
PKSA-twkq-r2c1-87qq CVE-2026-33157 GHSA-2fph-6v5w-89hh
Affected version: >=5.6.0,<=5.9.12
Reported by:
GitHub -
[MEDIUM] Craft CMS Vulnerable to Stored XSS in Revision Context Menu
PKSA-1n7m-zdqf-4n15 CVE-2026-33051 GHSA-3x4w-mxpf-fhqq
Affected version: >=5.9.0-beta.1,<=5.9.10
Reported by:
GitHub -
[HIGH] Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
PKSA-s8c8-j6wr-t4ds CVE-2026-32267 GHSA-cc7p-2j3x-x7xf
Affected version: >=5.0.0-RC1,<=5.9.11|>=4.0.0-RC1,<=4.17.5
Reported by:
GitHub -
[HIGH] Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
PKSA-1qxd-z2sm-yssc CVE-2026-32264 GHSA-4484-8v2f-5748
Affected version: >=5.0.0-RC1,<=5.9.10|>=4.0.0-RC1,<=4.17.4
Reported by:
GitHub -
[HIGH] Craft CMS vulnerable to behavior injection RCE via EntryTypesController
PKSA-1n2n-7k4d-96rt CVE-2026-32263 GHSA-qx2q-q59v-wf3j
Affected version: >=5.6.0,<=5.9.10
Reported by:
GitHub -
[MEDIUM] Craft CMS has a Path Traversal Vulnerability in AssetsController
PKSA-y7v4-m2bd-8h2y CVE-2026-32262 GHSA-472v-j2g4-g9h2
Affected version: >=5.0.0-RC1,<=5.9.10|>=4.0.0-RC1,<=4.17.4
Reported by:
GitHub -
[LOW] Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page
PKSA-sc5m-6n1y-h7vz GHSA-g3hp-vvqf-8vw6
Affected version: >=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[HIGH] CraftCMS has an RCE vulnerability via relational conditionals in the control panel
PKSA-w79g-q9vy-mw7b CVE-2026-31857 GHSA-fp5j-j7j4-mcxc
Affected version: >=4.0.0-beta.1,<=4.17.3|>=5.0.0-RC1,<=5.9.8
Reported by:
GitHub -
[HIGH] CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
PKSA-2bdn-bpjn-j9q4 CVE-2026-31858 GHSA-g7j6-fmwx-7vp8
Affected version: >=5.0.0-RC1,<=5.9.8
Reported by:
GitHub -
[MEDIUM] CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization
PKSA-t9v1-2frg-d2wy CVE-2026-31859 GHSA-fvwq-45qv-xvhv
Affected version: >=5.7.5,<=5.9.6|>=4.15.3,<=4.17.2
Reported by:
GitHub -
[LOW] Craft CMS has a potential information disclosure vulnerability in preview tokens
PKSA-24yr-dkzm-n9v5 CVE-2026-29113 GHSA-vg3j-hpm9-8v5v
Affected version: >=5.0.0-RC1,<5.9.6|>=4.0.0-RC1,<4.17.3
Reported by:
GitHub -
[HIGH] Craft CMS has unauthenticated activation email trigger with potential user enumeration
PKSA-s2xd-twzp-9yz7 CVE-2026-29069 GHSA-234q-vvw3-mrfq
Affected version: >=4.0.0-RC1,<4.17.0-beta.2|>=5.0.0-RC1,<5.9.0-beta.2
Reported by:
GitHub -
[MEDIUM] Craft CMS has potential authenticated Remote Code Execution via Twig SSTI
PKSA-q22m-n7fg-cqgy CVE-2026-28784 GHSA-qc86-q28f-ggww
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[MEDIUM] Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action
PKSA-c1gj-84dj-vvh3 CVE-2026-28782 GHSA-jxm3-pmm2-9gf6
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[MEDIUM] Craft CMS has Twig Function Blocklist Bypass
PKSA-x1f7-3vrt-jvfj CVE-2026-28783 GHSA-5fvc-7894-ghp4
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[MEDIUM] Craft CMS: Entries Authorship Spoofing via Mass Assignment
PKSA-zp4z-c8gp-zpww CVE-2026-28781 GHSA-2xfc-g69j-x2mp
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[CRITICAL] Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates
PKSA-jqb9-4xf5-mdn1 CVE-2026-28697 GHSA-v47q-jxvr-p68x
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[LOW] Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options
PKSA-skz7-x8dk-h7t1 GHSA-4mgv-366x-qxvx
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[HIGH] Craft CMS has IDOR via GraphQL @parseRefs
PKSA-ts3n-khxn-xyvm CVE-2026-28696 GHSA-7x43-mpfg-r9wj
Affected version: >=5.0.0-RC1,<5.9.0-beta.1|>=4.0.0-RC1,<4.17.0-beta.1
Reported by:
GitHub -
[MEDIUM] Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
PKSA-n7dz-mnbq-y23y CVE-2026-28695 GHSA-94rc-cqvm-m4pw
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.8.7,<5.9.0-beta.1
Reported by:
GitHub -
[LOW] Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type
PKSA-cf9h-wtzj-5nwd GHSA-6j87-m5qx-9fqp
Affected version: >=5.0.0-RC1,<=5.8.22|>=4.5.0-beta.1,<=4.16.18
Reported by:
GitHub -
[MEDIUM] Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution
PKSA-qgft-95tr-t5vt CVE-2026-27129 GHSA-v2gc-rm6g-wrw9
Affected version: >=3.5.0,<=4.16.18|>=5.0.0-RC1,<=5.8.22
Reported by:
GitHub -
[MEDIUM] Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
PKSA-k33k-b5qw-yqgp CVE-2026-27128 GHSA-6fx5-5cw5-4897
Affected version: >=5.0.0-RC1,<=5.8.22|>=4.5.0-RC1,<=4.16.18
Reported by:
GitHub -
[HIGH] Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
PKSA-ycmx-j7s8-wyxz CVE-2026-27127 GHSA-gp2f-7wcm-5fhx
Affected version: >=3.5.0,<=4.16.18|>=5.0.0-RC1,<=5.8.22
Reported by:
GitHub -
[MEDIUM] Craft CMS has Stored XSS in Table Field via "HTML" Column Type
PKSA-knkq-h2rk-yc48 CVE-2026-27126 GHSA-3jh3-prx3-w6wc
Affected version: >=5.0.0-RC1,<=5.8.22|>=4.5.0-RC1,<=4.16.18
Reported by:
GitHub -
[HIGH] Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
PKSA-g2n6-j3mn-x8xf CVE-2026-25498 GHSA-7jx7-3846-m7w7
Affected version: >=4.0.0-RC1,<=4.16.17|>=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[HIGH] Craft CMS: GraphQL Asset Mutation Privilege Escalation
PKSA-zjy6-pdtw-mck8 CVE-2026-25497 GHSA-fxp3-g6gw-4r4v
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[MEDIUM] Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
PKSA-5pj5-nxp6-547h CVE-2026-25496 GHSA-9f5h-mmq6-2x78
Affected version: >=4.0.0-RC1,<=4.16.17|>=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[HIGH] Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`
PKSA-9dtd-sv51-7pmx CVE-2026-25495 GHSA-2453-mppf-46cj
Affected version: >=4.0.0-RC1,<=4.16.17|>=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[MEDIUM] Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation
PKSA-jsy4-k6z3-fcjb CVE-2026-25494 GHSA-m5r2-8p9x-hp5m
Affected version: >=4.0.0-RC1,<=4.16.17|>=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[MEDIUM] Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect
PKSA-1dbt-xzgs-7gw8 CVE-2026-25493 GHSA-8jr8-7hr4-vhfx
Affected version: >=4.0.0-RC1,<=4.16.17|>=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[LOW] Craft CMS Vulnerable to Stored XSS in Entry Types Name
PKSA-v2dw-c4ss-13bw CVE-2026-25491 GHSA-7pr4-wx9w-mqwr
Affected version: >=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[HIGH] Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
PKSA-hcvs-d728-5zyw CVE-2025-68455 GHSA-255j-qw47-wjh5
Affected version: >=4.0.0-RC1,<=4.16.16|>=5.0.0-RC1,<=5.8.20
Reported by:
GitHub -
[HIGH] Unauthenticated Craft CMS users can trigger a database backup
PKSA-17hr-tk5g-ht8k CVE-2025-68456 GHSA-v64r-7wg9-23pr
Affected version: >=3.0.0,<=4.16.16|>=5.0.0-RC1,<=5.8.20
Reported by:
GitHub -
[MEDIUM] Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
PKSA-9rbz-gy92-qjtd CVE-2025-68454 GHSA-742x-x762-7383
Affected version: >=4.0.0-RC1,<=4.16.16|>=5.0.0-RC1,<=5.8.20
Reported by:
GitHub -
[MEDIUM] Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
PKSA-4gr3-459g-ssmq CVE-2025-68437 GHSA-x27p-wfqw-hfcc
Affected version: >=3.5.0,<=4.16.16|>=5.0.0-RC1,<=5.8.20
Reported by:
GitHub -
[MEDIUM] Craft CMS vulnerable to potential information disclosure via unchecked asset relocation
PKSA-yj3g-znh5-93sd CVE-2025-68436 GHSA-53vf-c43h-j2x9
Affected version: >=4.0.0-RC1,<=4.16.16|>=5.0.0-RC1,<=5.8.20
Reported by:
GitHub -
[MEDIUM] Craft CMS Potential Remote Code Execution via Twig SSTI
PKSA-cbq7-fhfn-fyt5 CVE-2025-57811 GHSA-crcq-738g-pqvc
Affected version: >=5.0.0-RC1,<=5.8.6|>=4.0.0-RC1,<=4.16.5
Reported by:
GitHub -
[MEDIUM] Craft CMS has a theoretical bypass for CVE-2025-23209
PKSA-xnt5-5jkh-xr5x CVE-2025-54417 GHSA-2vcf-qxv3-2mgw
Affected version: >=5.5.8,<5.8.4|>=4.13.8,<4.16.3
Reported by:
GitHub -
[MEDIUM] Craft CMS stores arbitrary content provided by unauthenticated users in session files
PKSA-ht16-h36v-hxc7 CVE-2025-35939 GHSA-7vrx-9684-xrf2
Affected version: <4.15.3|>=5.0.0-alpha.1,<5.7.5
Reported by:
GitHub -
[HIGH] Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI
PKSA-8gxy-mg5h-z15w CVE-2025-46731 GHSA-7c58-g782-9j38
Affected version: >=5.0.0-RC1,<=5.6.14|>=4.0.0-RC1,<=4.14.12
Reported by:
GitHub -
[CRITICAL] Craft CMS Allows Remote Code Execution
PKSA-5c44-5nbz-c7cq CVE-2025-32432 GHSA-f3gw-9ww9-jmc3
Affected version: >=5.0.0-RC1,<=5.6.16|>=4.0.0-RC1,<=4.14.14|>=3.0.0-RC1,<=3.9.14
Reported by:
GitHub -
[HIGH] Craft CMS has a potential RCE with a compromised security key
PKSA-nfqr-ns8g-wkkx CVE-2025-23209 GHSA-x684-96hh-833x
Affected version: >=4.0.0-RC1,<4.13.8|>=5.0.0-RC1,<5.5.5
Reported by:
GitHub -
[CRITICAL] Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled
PKSA-xh7q-jwpn-v1cd CVE-2024-56145 GHSA-2p6p-9rc9-62j9
Affected version: >=3.0.0,<3.9.14|>=4.0.0-RC1,<4.13.2|>=5.0.0-RC1,<5.5.2
Reported by:
GitHub -
[HIGH] Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI
PKSA-4wwj-2m42-9pp5 CVE-2024-52293 GHSA-f3cw-hg6r-chfv
Affected version: >=5.0.0-RC1,<=5.4.2|>=4.0.0-RC1,<=4.12.1
Reported by:
GitHub -
[HIGH] Craft CMS Arbitrary System File Read
PKSA-jkbm-w624-yb7q CVE-2024-52292 GHSA-cw6g-qmjq-6w2w
Affected version: >=3.5.13,<=4.12.6.1|>=5.0.0-alpha.1,<=5.4.7.1
Reported by:
GitHub -
[HIGH] Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution
PKSA-mtjx-x487-29s9 CVE-2024-52291 GHSA-jrh5-vhr9-qh7q
Affected version: >=4.0.0-RC1,<=4.12.4.1|>=5.0.0-RC1,<=5.4.5.1
Reported by:
GitHub -
[MEDIUM] Craft CMS vulnerable to stored XSS in breadcrumb list and title fields
PKSA-8qn2-9hhy-cmx1 CVE-2024-45406 GHSA-28h4-788g-rh42
Affected version: >=5.0.0,<5.1.2
Reported by:
GitHub -
[MEDIUM] Craft CMS Allows TOTP Token To Stay Valid After Use
PKSA-56qm-r9zg-vprk CVE-2024-41800 GHSA-wmx7-pw49-88jx
Affected version: >=5.0.0-beta.1,<=5.2.2
Reported by:
GitHub -
[CRITICAL] Craft CMS SQL injection vulnerability via the GraphQL API endpoint
PKSA-5d9d-qr6t-qn95 CVE-2024-37843 GHSA-hq4f-mv3q-8wcv
Affected version: <=3.7.31
Reported by:
GitHub -
[HIGH] Craft CMS Feed-Me
PKSA-yq9g-7wmy-ph9w CVE-2023-36260 GHSA-6p78-f7h9-6838
Affected version: <4.6.2
Reported by:
GitHub -
[MEDIUM] Craft CMS Privilege Escalation
PKSA-gcgv-38nz-y8bs CVE-2024-21622 GHSA-j5g9-j7r4-6qvx
Affected version: >=3.0.0,<=3.9.5|>=4.0.0-RC1,<=4.5.10
Reported by:
GitHub -
[CRITICAL] Craft CMS Remote Code Execution vulnerability
PKSA-zdwv-2yjx-tdbf CVE-2023-41892 GHSA-4w8r-3xrw-v25g
Affected version: >=4.0.0-RC1,<=4.4.14
Reported by:
GitHub -
[HIGH] Craft CMS vulnerable to Remote Code Execution via validatePath bypass
PKSA-cdfq-1syy-3hcn CVE-2023-40035 GHSA-44wr-rmwq-3phw
Affected version: >=3.0.0,<=3.8.14|>=4.0.0-RC1,<=4.4.14
Reported by:
GitHub -
[MEDIUM] Craft CMS vulnerable to HTML injection
PKSA-htxf-m811-km69 CVE-2023-33495 GHSA-m3v5-gjj9-rg24
Affected version: <=4.4.9
Reported by:
GitHub -
[MEDIUM] Stored cross site scripting in Craft CMS
PKSA-j8mx-rm6f-69pz CVE-2023-2817 GHSA-7x94-jx75-3gh6
Affected version: >=4.0.0-RC1,<4.4.12
Reported by:
GitHub -
[MEDIUM] Craft CMS stored XSS in indexedVolumes
PKSA-xrqk-w2n4-gbx4 CVE-2023-33197 GHSA-6qjx-787v-6pxr
Affected version: >=4.0.0-RC1,<=4.4.5
Reported by:
GitHub -
[MEDIUM] Craft CMS stored XSS in review volume
PKSA-d3nn-kdfd-kcm5 CVE-2023-33196 GHSA-cjmm-x9x9-m2w5
Affected version: >=4.0.0-RC1,<=4.4.6
Reported by:
GitHub -
[MEDIUM] Craft CMS XSS in RSS widget feed
PKSA-nyt9-b7wg-tdq3 CVE-2023-33195 GHSA-qpgm-gjgf-8c2x
Affected version: >=4.3.0,<=4.4.5
Reported by:
GitHub -
[LOW] CraftCMS stored XSS in Quick Post widget error message
PKSA-yhf6-73qh-nrcp CVE-2023-33194 GHSA-3wxg-w96j-8hq9
Affected version: >=3.0.0,<=3.8.5|>=4.0.0-RC1,<4.4.6
Reported by:
GitHub -
[HIGH] Craft CMS vulnerable to Remote Code Execution via unrestricted file extension
PKSA-trjg-y1pb-yh98 CVE-2023-32679 GHSA-vqxf-r9ph-cc9c
Affected version: >=4.0.0,<4.4.6
Reported by:
GitHub -
[HIGH] CraftCMS allows remote attacker to execute arbitrary code via crafted script to Section parameter
PKSA-2kbt-tv7g-v7px CVE-2023-30130 GHSA-fjx5-xm7q-whvj
Affected version: <=3.8.1
Reported by:
GitHub -
[MEDIUM] craftcms/cms vulnerable to cross site scripting in RSS feed widget
PKSA-wgr5-shk8-4nmh CVE-2023-31144 GHSA-j4mx-98hw-6rv6
Affected version: >=4.0.0,<=4.4.3|>=3.0.0,<=3.8.3
Reported by:
GitHub -
[MEDIUM] Cross Site Scripting in CraftCMS
PKSA-t4fh-cwff-qj8q CVE-2023-30177 GHSA-wv7j-rc2q-9j67
Affected version: <3.7.68
Reported by:
GitHub -
[MEDIUM] Craft CMS Stored Cross-site Scripting Injection Vulnerability
PKSA-y2n7-ny47-ym4h CVE-2023-23927 GHSA-qcrj-6ffc-v7hq
Affected version: >=3.7.24,<3.7.64|>=4.0.0-RC1,<4.3.7
Reported by:
GitHub -
[HIGH] Craft CMS discloses password hashes
PKSA-rgy6-34nm-mk1h CVE-2022-37783 GHSA-h972-v458-m892
Affected version: >=3.0.0,<=3.7.32
Reported by:
GitHub -
[MEDIUM] Craft CMS Cross-site Scripting vulnerability
PKSA-nm2h-kht2-h3cj CVE-2022-37246 GHSA-f546-v666-559x
Affected version: >=3.7.39,<3.7.51|>=4.0.0-RC1,<4.2.1
Reported by:
GitHub -
[MEDIUM] Craft CMS Cross site Scripting vulnerability
PKSA-1cn6-mp7y-tdn1 CVE-2022-37248 GHSA-wxvf-839f-jqmh
Affected version: >=4.0.0-RC1,<4.2.1
Reported by:
GitHub -
[MEDIUM] Craft CMS Stored Cross-site Scripting in User Addresses Title
PKSA-fjpm-r2z5-3msf CVE-2022-37250 GHSA-8r89-x93x-mjq2
Affected version: >=4.0.0-RC1,<4.2.1
Reported by:
GitHub -
[MEDIUM] Craft CMS vulnerable to stored Cross-site Scripting via /admin/settings/fields page
PKSA-qn7t-x4ck-qyd5 CVE-2022-37247 GHSA-3cvm-7wrh-qrf9
Affected version: >=4.0.0-RC1,<4.2.1
Reported by:
GitHub -
[MEDIUM] Craft CMS vulnerable to Cross-site Scripting via entry revisions and drafts
PKSA-hq26-n3zb-ct5n CVE-2022-37251 GHSA-mw37-wx8p-gp45
Affected version: >=4.0.0-RC1,<4.2.1|>=3.7.0-beta.1,<3.7.55.2
Reported by:
GitHub -
[MEDIUM] Craft CMS Cross-site Scripting Vulnerability
PKSA-ngqg-qdtb-rm3d CVE-2020-19626 GHSA-33jj-92px-m4g7
Affected version: <3.1.33
Reported by:
GitHub -
[CRITICAL] Craft CMS possibility of brute force attempts
PKSA-1y5n-q5z7-8cgs CVE-2019-15929 GHSA-wvr4-w6cw-4px8
Affected version: <3.1.7
Reported by:
GitHub -
[MEDIUM] Craft CMS XSS Vulnerability
PKSA-5swg-jxtx-ftv4 CVE-2019-17496 GHSA-f3xr-q258-h7m9
Affected version: <3.3.8
Reported by:
GitHub -
[MEDIUM] Craft CMS XSS Vulnerability
PKSA-fv5t-gxkj-6y82 CVE-2019-12823 GHSA-w5q4-q7wp-qww6
Affected version: <3.1.31
Reported by:
GitHub -
[MEDIUM] Craft CMS XSS Vulnerability
PKSA-kq4p-4cmz-my81 CVE-2017-8052 GHSA-xv5f-2997-qhrq
Affected version: <2.6.2974
Reported by:
GitHub -
[MEDIUM] Craft CMS XSS Vulnerability
PKSA-ghfb-4pk5-qhrj CVE-2017-8384 GHSA-9mcw-mwxv-grwj
Affected version: <2.6.2976
Reported by:
GitHub -
[MEDIUM] Craft CMS subject to URL forgery
PKSA-2z2h-k3wy-w25s CVE-2017-8385 GHSA-j27g-r58q-624w
Affected version: <2.6.2976
Reported by:
GitHub -
[MEDIUM] Craft CMS XSS Vulnerability
PKSA-gpt3-vsnf-hfrt CVE-2017-9516 GHSA-6pvw-hh48-jx7p
Affected version: <2.6.2982
Reported by:
GitHub -
[MEDIUM] Craft CMS Cross-site Scripting (XSS) Vulnerability
PKSA-4gm9-3p9z-44t6 CVE-2018-20418 GHSA-72pf-cvwq-vgqg
Affected version: <=3.0.25
Reported by:
GitHub -
[HIGH] Craft CMS Vulnerable to Server-Side Template Injection
PKSA-9b83-4qd6-4szn CVE-2018-20465 GHSA-j7fx-v37j-v3w7
Affected version: <=3.0.34
Reported by:
GitHub -
[MEDIUM] Craft CMS Unauthorized View
PKSA-3cvb-x36b-p3nr CVE-2017-8383 GHSA-7qq6-fgpw-xw45
Affected version: <2.6.2976
Reported by:
GitHub -
[HIGH] Craft CMS PHP Code Injection Vulnerability
PKSA-f9g7-q3qs-w8nw CVE-2018-3814 GHSA-r342-vjc4-wrmj
Affected version: <=2.6.3000
Reported by:
GitHub -
[HIGH] Improper account password reset in Craft CMS
PKSA-61st-bdmf-2n6s CVE-2022-29933 GHSA-5cjr-78cq-3wrg
Affected version: <3.7.36
Reported by:
GitHub -
Reported by:
GitHub -
[MEDIUM] Cross-site Scripting in craftcms/cms
PKSA-1ktx-1md2-qf47 CVE-2022-28378 GHSA-7xj5-fwqr-5378
Affected version: <3.7.29
Reported by:
GitHub -
[MEDIUM] Craft CMS Cross-site Scripting Vulnerability
PKSA-n1f2-zc53-b6z3 CVE-2021-32470 GHSA-h2rj-8wgg-mm43
Affected version: <3.6.13
Reported by:
GitHub -
[HIGH] CSV Injection Vulnerability
PKSA-6q3k-247g-652k CVE-2021-41824 GHSA-h7vq-5qgw-jwwq
Affected version: >=3.4.0,<3.7.14
Reported by:
GitHub -
[CRITICAL] Craft CMS Remote Code Injection
PKSA-fqry-snd1-rj28 CVE-2021-27903 GHSA-x2j7-6hxm-87p3
Affected version: <3.6.7
Reported by:
GitHub -
[MEDIUM] Craft CMS Cross-site Scripting Vulnerability
PKSA-p8kz-63g9-6c6r CVE-2021-27902 GHSA-3jxh-789f-p7m6
Affected version: <3.6.0
Reported by:
GitHub