craftcms/cms Security Advisories for 5.0.4 (36)
-
[HIGH] Craft CMS has unauthenticated activation email trigger with potential user enumeration
PKSA-s2xd-twzp-9yz7 CVE-2026-29069 GHSA-234q-vvw3-mrfq
Affected version: >=4.0.0-RC1,<4.17.0-beta.2|>=5.0.0-RC1,<5.9.0-beta.2
Reported by:
GitHub -
[MEDIUM] Craft CMS has potential authenticated Remote Code Execution via Twig SSTI
PKSA-q22m-n7fg-cqgy CVE-2026-28784 GHSA-qc86-q28f-ggww
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[MEDIUM] Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action
PKSA-c1gj-84dj-vvh3 CVE-2026-28782 GHSA-jxm3-pmm2-9gf6
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[MEDIUM] Craft CMS has Twig Function Blocklist Bypass
PKSA-x1f7-3vrt-jvfj CVE-2026-28783 GHSA-5fvc-7894-ghp4
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[MEDIUM] Craft CMS: Entries Authorship Spoofing via Mass Assignment
PKSA-zp4z-c8gp-zpww CVE-2026-28781 GHSA-2xfc-g69j-x2mp
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[CRITICAL] Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates
PKSA-jqb9-4xf5-mdn1 CVE-2026-28697 GHSA-v47q-jxvr-p68x
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[LOW] Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options
PKSA-skz7-x8dk-h7t1 GHSA-4mgv-366x-qxvx
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[HIGH] Craft CMS has IDOR via GraphQL @parseRefs
PKSA-ts3n-khxn-xyvm CVE-2026-28696 GHSA-7x43-mpfg-r9wj
Affected version: >=5.0.0-RC1,<5.9.0-beta.1|>=4.0.0-RC1,<4.17.0-beta.1
Reported by:
GitHub -
[LOW] Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type
PKSA-cf9h-wtzj-5nwd GHSA-6j87-m5qx-9fqp
Affected version: >=5.0.0-RC1,<=5.8.22|>=4.5.0-beta.1,<=4.16.18
Reported by:
GitHub -
[MEDIUM] Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution
PKSA-qgft-95tr-t5vt CVE-2026-27129 GHSA-v2gc-rm6g-wrw9
Affected version: >=3.5.0,<=4.16.18|>=5.0.0-RC1,<=5.8.22
Reported by:
GitHub -
[MEDIUM] Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
PKSA-k33k-b5qw-yqgp CVE-2026-27128 GHSA-6fx5-5cw5-4897
Affected version: >=5.0.0-RC1,<=5.8.22|>=4.5.0-RC1,<=4.16.18
Reported by:
GitHub -
[HIGH] Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
PKSA-ycmx-j7s8-wyxz CVE-2026-27127 GHSA-gp2f-7wcm-5fhx
Affected version: >=3.5.0,<=4.16.18|>=5.0.0-RC1,<=5.8.22
Reported by:
GitHub -
[MEDIUM] Craft CMS has Stored XSS in Table Field via "HTML" Column Type
PKSA-knkq-h2rk-yc48 CVE-2026-27126 GHSA-3jh3-prx3-w6wc
Affected version: >=5.0.0-RC1,<=5.8.22|>=4.5.0-RC1,<=4.16.18
Reported by:
GitHub -
[HIGH] Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
PKSA-g2n6-j3mn-x8xf CVE-2026-25498 GHSA-7jx7-3846-m7w7
Affected version: >=4.0.0-RC1,<=4.16.17|>=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[HIGH] Craft CMS: GraphQL Asset Mutation Privilege Escalation
PKSA-zjy6-pdtw-mck8 CVE-2026-25497 GHSA-fxp3-g6gw-4r4v
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[MEDIUM] Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
PKSA-5pj5-nxp6-547h CVE-2026-25496 GHSA-9f5h-mmq6-2x78
Affected version: >=4.0.0-RC1,<=4.16.17|>=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[HIGH] Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`
PKSA-9dtd-sv51-7pmx CVE-2026-25495 GHSA-2453-mppf-46cj
Affected version: >=4.0.0-RC1,<=4.16.17|>=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[MEDIUM] Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation
PKSA-jsy4-k6z3-fcjb CVE-2026-25494 GHSA-m5r2-8p9x-hp5m
Affected version: >=4.0.0-RC1,<=4.16.17|>=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[MEDIUM] Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect
PKSA-1dbt-xzgs-7gw8 CVE-2026-25493 GHSA-8jr8-7hr4-vhfx
Affected version: >=4.0.0-RC1,<=4.16.17|>=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[LOW] Craft CMS Vulnerable to Stored XSS in Entry Types Name
PKSA-v2dw-c4ss-13bw CVE-2026-25491 GHSA-7pr4-wx9w-mqwr
Affected version: >=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[HIGH] Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
PKSA-hcvs-d728-5zyw CVE-2025-68455 GHSA-255j-qw47-wjh5
Affected version: >=4.0.0-RC1,<=4.16.16|>=5.0.0-RC1,<=5.8.20
Reported by:
GitHub -
[HIGH] Unauthenticated Craft CMS users can trigger a database backup
PKSA-17hr-tk5g-ht8k CVE-2025-68456 GHSA-v64r-7wg9-23pr
Affected version: >=3.0.0,<=4.16.16|>=5.0.0-RC1,<=5.8.20
Reported by:
GitHub -
[MEDIUM] Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
PKSA-9rbz-gy92-qjtd CVE-2025-68454 GHSA-742x-x762-7383
Affected version: >=4.0.0-RC1,<=4.16.16|>=5.0.0-RC1,<=5.8.20
Reported by:
GitHub -
[MEDIUM] Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
PKSA-4gr3-459g-ssmq CVE-2025-68437 GHSA-x27p-wfqw-hfcc
Affected version: >=3.5.0,<=4.16.16|>=5.0.0-RC1,<=5.8.20
Reported by:
GitHub -
[MEDIUM] Craft CMS vulnerable to potential information disclosure via unchecked asset relocation
PKSA-yj3g-znh5-93sd CVE-2025-68436 GHSA-53vf-c43h-j2x9
Affected version: >=4.0.0-RC1,<=4.16.16|>=5.0.0-RC1,<=5.8.20
Reported by:
GitHub -
[MEDIUM] Craft CMS Potential Remote Code Execution via Twig SSTI
PKSA-cbq7-fhfn-fyt5 CVE-2025-57811 GHSA-crcq-738g-pqvc
Affected version: >=5.0.0-RC1,<=5.8.6|>=4.0.0-RC1,<=4.16.5
Reported by:
GitHub -
[MEDIUM] Craft CMS stores arbitrary content provided by unauthenticated users in session files
PKSA-ht16-h36v-hxc7 CVE-2025-35939 GHSA-7vrx-9684-xrf2
Affected version: <4.15.3|>=5.0.0-alpha.1,<5.7.5
Reported by:
GitHub -
[HIGH] Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI
PKSA-8gxy-mg5h-z15w CVE-2025-46731 GHSA-7c58-g782-9j38
Affected version: >=5.0.0-RC1,<=5.6.14|>=4.0.0-RC1,<=4.14.12
Reported by:
GitHub -
[CRITICAL] Craft CMS Allows Remote Code Execution
PKSA-5c44-5nbz-c7cq CVE-2025-32432 GHSA-f3gw-9ww9-jmc3
Affected version: >=5.0.0-RC1,<=5.6.16|>=4.0.0-RC1,<=4.14.14|>=3.0.0-RC1,<=3.9.14
Reported by:
GitHub -
[HIGH] Craft CMS has a potential RCE with a compromised security key
PKSA-nfqr-ns8g-wkkx CVE-2025-23209 GHSA-x684-96hh-833x
Affected version: >=4.0.0-RC1,<4.13.8|>=5.0.0-RC1,<5.5.5
Reported by:
GitHub -
[CRITICAL] Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled
PKSA-xh7q-jwpn-v1cd CVE-2024-56145 GHSA-2p6p-9rc9-62j9
Affected version: >=3.0.0,<3.9.14|>=4.0.0-RC1,<4.13.2|>=5.0.0-RC1,<5.5.2
Reported by:
GitHub -
[HIGH] Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI
PKSA-4wwj-2m42-9pp5 CVE-2024-52293 GHSA-f3cw-hg6r-chfv
Affected version: >=5.0.0-RC1,<=5.4.2|>=4.0.0-RC1,<=4.12.1
Reported by:
GitHub -
[HIGH] Craft CMS Arbitrary System File Read
PKSA-jkbm-w624-yb7q CVE-2024-52292 GHSA-cw6g-qmjq-6w2w
Affected version: >=3.5.13,<=4.12.6.1|>=5.0.0-alpha.1,<=5.4.7.1
Reported by:
GitHub -
[HIGH] Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution
PKSA-mtjx-x487-29s9 CVE-2024-52291 GHSA-jrh5-vhr9-qh7q
Affected version: >=4.0.0-RC1,<=4.12.4.1|>=5.0.0-RC1,<=5.4.5.1
Reported by:
GitHub -
[MEDIUM] Craft CMS vulnerable to stored XSS in breadcrumb list and title fields
PKSA-8qn2-9hhy-cmx1 CVE-2024-45406 GHSA-28h4-788g-rh42
Affected version: >=5.0.0,<5.1.2
Reported by:
GitHub -
[MEDIUM] Craft CMS Allows TOTP Token To Stay Valid After Use
PKSA-56qm-r9zg-vprk CVE-2024-41800 GHSA-wmx7-pw49-88jx
Affected version: >=5.0.0-beta.1,<=5.2.2
Reported by:
GitHub