Security Advisories - craftcms/cms

craftcms/cms Security Advisories for 3.6.0 (24)

[MEDIUM] Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution

PKSA-qgft-95tr-t5vt CVE-2026-27129 GHSA-v2gc-rm6g-wrw9

Affected version: >=3.5.0,<=4.16.18|>=5.0.0-RC1,<=5.8.22

Reported by:
GitHub
[HIGH] Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding

PKSA-ycmx-j7s8-wyxz CVE-2026-27127 GHSA-gp2f-7wcm-5fhx

Affected version: >=3.5.0,<=4.16.18|>=5.0.0-RC1,<=5.8.22

Reported by:
GitHub
[HIGH] Unauthenticated Craft CMS users can trigger a database backup

PKSA-17hr-tk5g-ht8k CVE-2025-68456 GHSA-v64r-7wg9-23pr

Affected version: >=3.0.0,<=4.16.16|>=5.0.0-RC1,<=5.8.20

Reported by:
GitHub
[MEDIUM] Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation

PKSA-4gr3-459g-ssmq CVE-2025-68437 GHSA-x27p-wfqw-hfcc

Affected version: >=3.5.0,<=4.16.16|>=5.0.0-RC1,<=5.8.20

Reported by:
GitHub
[MEDIUM] Craft CMS stores arbitrary content provided by unauthenticated users in session files

PKSA-ht16-h36v-hxc7 CVE-2025-35939 GHSA-7vrx-9684-xrf2

Affected version: <4.15.3|>=5.0.0-alpha.1,<5.7.5

Reported by:
GitHub
[CRITICAL] Craft CMS Allows Remote Code Execution

PKSA-5c44-5nbz-c7cq CVE-2025-32432 GHSA-f3gw-9ww9-jmc3

Affected version: >=5.0.0-RC1,<=5.6.16|>=4.0.0-RC1,<=4.14.14|>=3.0.0-RC1,<=3.9.14

Reported by:
GitHub
[CRITICAL] Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled

PKSA-xh7q-jwpn-v1cd CVE-2024-56145 GHSA-2p6p-9rc9-62j9

Affected version: >=3.0.0,<3.9.14|>=4.0.0-RC1,<4.13.2|>=5.0.0-RC1,<5.5.2

Reported by:
GitHub
[HIGH] Craft CMS Arbitrary System File Read

PKSA-jkbm-w624-yb7q CVE-2024-52292 GHSA-cw6g-qmjq-6w2w

Affected version: >=3.5.13,<=4.12.6.1|>=5.0.0-alpha.1,<=5.4.7.1

Reported by:
GitHub
[CRITICAL] Craft CMS SQL injection vulnerability via the GraphQL API endpoint

PKSA-5d9d-qr6t-qn95 CVE-2024-37843 GHSA-hq4f-mv3q-8wcv

Affected version: <=3.7.31

Reported by:
GitHub
[HIGH] Craft CMS Feed-Me

PKSA-yq9g-7wmy-ph9w CVE-2023-36260 GHSA-6p78-f7h9-6838

Affected version: <4.6.2

Reported by:
GitHub
[MEDIUM] Craft CMS Privilege Escalation

PKSA-gcgv-38nz-y8bs CVE-2024-21622 GHSA-j5g9-j7r4-6qvx

Affected version: >=3.0.0,<=3.9.5|>=4.0.0-RC1,<=4.5.10

Reported by:
GitHub
[HIGH] Craft CMS vulnerable to Remote Code Execution via validatePath bypass

PKSA-cdfq-1syy-3hcn CVE-2023-40035 GHSA-44wr-rmwq-3phw

Affected version: >=3.0.0,<=3.8.14|>=4.0.0-RC1,<=4.4.14

Reported by:
GitHub
[MEDIUM] Craft CMS vulnerable to HTML injection

PKSA-htxf-m811-km69 CVE-2023-33495 GHSA-m3v5-gjj9-rg24

Affected version: <=4.4.9

Reported by:
GitHub
[LOW] CraftCMS stored XSS in Quick Post widget error message

PKSA-yhf6-73qh-nrcp CVE-2023-33194 GHSA-3wxg-w96j-8hq9

Affected version: >=3.0.0,<=3.8.5|>=4.0.0-RC1,<4.4.6

Reported by:
GitHub
[HIGH] CraftCMS allows remote attacker to execute arbitrary code via crafted script to Section parameter

PKSA-2kbt-tv7g-v7px CVE-2023-30130 GHSA-fjx5-xm7q-whvj

Affected version: <=3.8.1

Reported by:
GitHub
[MEDIUM] craftcms/cms vulnerable to cross site scripting in RSS feed widget

PKSA-wgr5-shk8-4nmh CVE-2023-31144 GHSA-j4mx-98hw-6rv6

Affected version: >=4.0.0,<=4.4.3|>=3.0.0,<=3.8.3

Reported by:
GitHub
[MEDIUM] Cross Site Scripting in CraftCMS

PKSA-t4fh-cwff-qj8q CVE-2023-30177 GHSA-wv7j-rc2q-9j67

Affected version: <3.7.68

Reported by:
GitHub
[HIGH] Craft CMS discloses password hashes

PKSA-rgy6-34nm-mk1h CVE-2022-37783 GHSA-h972-v458-m892

Affected version: >=3.0.0,<=3.7.32

Reported by:
GitHub
[HIGH] Improper account password reset in Craft CMS

PKSA-61st-bdmf-2n6s CVE-2022-29933 GHSA-5cjr-78cq-3wrg

Affected version: <3.7.36

Reported by:
GitHub
[LOW] XSS Injection Vulnerability

PKSA-6kk8-kc6h-1vr1 GHSA-wf98-vxv9-jqfv

Affected version: <3.7.29

Reported by:
GitHub
[MEDIUM] Cross-site Scripting in craftcms/cms

PKSA-1ktx-1md2-qf47 CVE-2022-28378 GHSA-7xj5-fwqr-5378

Affected version: <3.7.29

Reported by:
GitHub
[MEDIUM] Craft CMS Cross-site Scripting Vulnerability

PKSA-n1f2-zc53-b6z3 CVE-2021-32470 GHSA-h2rj-8wgg-mm43

Affected version: <3.6.13

Reported by:
GitHub
[HIGH] CSV Injection Vulnerability

PKSA-6q3k-247g-652k CVE-2021-41824 GHSA-h7vq-5qgw-jwwq

Affected version: >=3.4.0,<3.7.14

Reported by:
GitHub
[CRITICAL] Craft CMS Remote Code Injection

PKSA-fqry-snd1-rj28 CVE-2021-27903 GHSA-x2j7-6hxm-87p3

Affected version: <3.6.7

Reported by:
GitHub

craftcms/cms Security Advisories for 3.6.0 (24)

[MEDIUM] Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution

[HIGH] Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding

[HIGH] Unauthenticated Craft CMS users can trigger a database backup

[MEDIUM] Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation

[MEDIUM] Craft CMS stores arbitrary content provided by unauthenticated users in session files

[CRITICAL] Craft CMS Allows Remote Code Execution

[CRITICAL] Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled

[HIGH] Craft CMS Arbitrary System File Read

[CRITICAL] Craft CMS SQL injection vulnerability via the GraphQL API endpoint

[HIGH] Craft CMS Feed-Me

[MEDIUM] Craft CMS Privilege Escalation

[HIGH] Craft CMS vulnerable to Remote Code Execution via validatePath bypass

[MEDIUM] Craft CMS vulnerable to HTML injection

[LOW] CraftCMS stored XSS in Quick Post widget error message

[HIGH] CraftCMS allows remote attacker to execute arbitrary code via crafted script to Section parameter

[MEDIUM] craftcms/cms vulnerable to cross site scripting in RSS feed widget

[MEDIUM] Cross Site Scripting in CraftCMS

[HIGH] Craft CMS discloses password hashes

[HIGH] Improper account password reset in Craft CMS

[LOW] XSS Injection Vulnerability

[MEDIUM] Cross-site Scripting in craftcms/cms

[MEDIUM] Craft CMS Cross-site Scripting Vulnerability

[HIGH] CSV Injection Vulnerability

[CRITICAL] Craft CMS Remote Code Injection