Security Advisories - craftcms/cms - Packagist.org

craftcms/cms Security Advisories for 3.9.10 (8)

[HIGH] Unauthenticated Craft CMS users can trigger a database backup

PKSA-17hr-tk5g-ht8k CVE-2025-68456 GHSA-v64r-7wg9-23pr

Affected version: >=3.0.0,<=4.16.16|>=5.0.0-RC1,<=5.8.20

Reported by:
GitHub
[MEDIUM] Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation

PKSA-4gr3-459g-ssmq CVE-2025-68437 GHSA-x27p-wfqw-hfcc

Affected version: >=3.5.0,<=4.16.16|>=5.0.0-RC1,<=5.8.20

Reported by:
GitHub
[MEDIUM] Craft CMS stores arbitrary content provided by unauthenticated users in session files

PKSA-ht16-h36v-hxc7 CVE-2025-35939 GHSA-7vrx-9684-xrf2

Affected version: <4.15.3|>=5.0.0-alpha.1,<5.7.5

Reported by:
GitHub
[CRITICAL] Craft CMS Allows Remote Code Execution

PKSA-5c44-5nbz-c7cq CVE-2025-32432 GHSA-f3gw-9ww9-jmc3

Affected version: >=5.0.0-RC1,<=5.6.16|>=4.0.0-RC1,<=4.14.14|>=3.0.0-RC1,<=3.9.14

Reported by:
GitHub
[CRITICAL] Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled

PKSA-xh7q-jwpn-v1cd CVE-2024-56145 GHSA-2p6p-9rc9-62j9

Affected version: >=3.0.0,<3.9.14|>=4.0.0-RC1,<4.13.2|>=5.0.0-RC1,<5.5.2

Reported by:
GitHub
[HIGH] Craft CMS Arbitrary System File Read

PKSA-jkbm-w624-yb7q CVE-2024-52292 GHSA-cw6g-qmjq-6w2w

Affected version: >=3.5.13,<=4.12.6.1|>=5.0.0-alpha.1,<=5.4.7.1

Reported by:
GitHub
[HIGH] Craft CMS Feed-Me

PKSA-yq9g-7wmy-ph9w CVE-2023-36260 GHSA-6p78-f7h9-6838

Affected version: <4.6.2

Reported by:
GitHub
[MEDIUM] Craft CMS vulnerable to HTML injection

PKSA-htxf-m811-km69 CVE-2023-33495 GHSA-m3v5-gjj9-rg24

Affected version: <=4.4.9

Reported by:
GitHub