craftcms/cms Security Advisories for 5.9.21 (6)
-
[HIGH] Craft CMS: Potential authenticated Remote Code Execution via referrer redirect
PKSA-hvdm-8k9p-kcdw CVE-2026-55794 GHSA-f74w-488g-8x5r
Affected version: >=5.9.0,<5.10.0
Reported by:
GitHub -
[MEDIUM] Craft CMS: Stored XSS via Structure entry title in table view
PKSA-z4vj-1h29-pkrc CVE-2026-55793 GHSA-xrqc-p465-2xvg
Affected version: >=5.0.0-RC1,<5.9.22
Reported by:
GitHub -
[MEDIUM] Craft CMS: Sensitive File Disclosure / Server-Side File Read
PKSA-rvh7-y4k6-cn59 CVE-2026-55792 GHSA-287w-mxq6-x2cp
Affected version: >=5.0.0-RC1,<5.10.0|>=4.0.0-RC1,<4.18.0
Reported by:
GitHub -
[HIGH] Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget
PKSA-hm4p-n9yk-nz2c CVE-2026-55790 GHSA-24x4-j6x9-rfw5
Affected version: >=4.0.0-RC1,<4.17.15|>=5.0.0-RC1,<5.9.22
Reported by:
GitHub -
[HIGH] Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users' assets
PKSA-fd42-dyd4-g3dq CVE-2026-50284 GHSA-7h62-6v23-v8fm
Affected version: >=4.0.0-RC1,<4.17.15|>=5.0.0-RC1,<5.9.22
Reported by:
GitHub -
[CRITICAL] Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs
PKSA-5xds-5mf3-ckxn CVE-2026-55791 GHSA-c55v-343g-5xff
Affected version: >=4.0.0-RC1,<4.18|>=5.0.0-RC1,<5.10
Reported by:
GitHub