craftcms/cms Security Advisories for 5.9.23 (3)
-
[HIGH] Craft CMS: Potential authenticated Remote Code Execution via referrer redirect
PKSA-hvdm-8k9p-kcdw CVE-2026-55794 GHSA-f74w-488g-8x5r
Affected version: >=5.9.0,<5.10.0
Reported by:
GitHub -
[MEDIUM] Craft CMS: Sensitive File Disclosure / Server-Side File Read
PKSA-rvh7-y4k6-cn59 CVE-2026-55792 GHSA-287w-mxq6-x2cp
Affected version: >=5.0.0-RC1,<5.10.0|>=4.0.0-RC1,<4.18.0
Reported by:
GitHub -
[CRITICAL] Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs
PKSA-5xds-5mf3-ckxn CVE-2026-55791 GHSA-c55v-343g-5xff
Affected version: >=4.0.0-RC1,<4.18|>=5.0.0-RC1,<5.10
Reported by:
GitHub