craftcms/cms Security Advisories for 4.17.13.1 (6)
-
[MEDIUM] Craft CMS: Sensitive File Disclosure / Server-Side File Read
PKSA-rvh7-y4k6-cn59 CVE-2026-55792 GHSA-287w-mxq6-x2cp
Affected version: >=5.0.0-RC1,<5.10.0|>=4.0.0-RC1,<4.18.0
Reported by:
GitHub -
[HIGH] Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget
PKSA-hm4p-n9yk-nz2c CVE-2026-55790 GHSA-24x4-j6x9-rfw5
Affected version: >=4.0.0-RC1,<4.17.15|>=5.0.0-RC1,<5.9.22
Reported by:
GitHub -
[HIGH] Craft CMS Vulnerable to Unauthorized Deletion of Destination Folders During Forced Moves
PKSA-9z7r-2kcf-76cf CVE-2026-50282 GHSA-3w32-23wj-rxg3
Affected version: >=4.0.0-RC1,<4.17.14|>=5.0.0-RC1,<5.9.21
Reported by:
GitHub -
[HIGH] Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users' assets
PKSA-fd42-dyd4-g3dq CVE-2026-50284 GHSA-7h62-6v23-v8fm
Affected version: >=4.0.0-RC1,<4.17.15|>=5.0.0-RC1,<5.9.22
Reported by:
GitHub -
[MEDIUM] Craft CMS: Unauthorized Deletion of Source Assets During File Replacement
PKSA-68rr-18x7-w4gg CVE-2026-50283 GHSA-qh45-9g5p-m2v4
Affected version: >=4.0.0-RC1,<4.17.14|>=5.0.0-RC1,<5.9.21
Reported by:
GitHub -
[CRITICAL] Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs
PKSA-5xds-5mf3-ckxn CVE-2026-55791 GHSA-c55v-343g-5xff
Affected version: >=4.0.0-RC1,<4.18|>=5.0.0-RC1,<5.10
Reported by:
GitHub