craftcms/cms Security Advisories for 5.8.23 (10)

[HIGH] Craft CMS has unauthenticated activation email trigger with potential user enumeration
PKSA-s2xd-twzp-9yz7 CVE-2026-29069 GHSA-234q-vvw3-mrfq
Affected version: >=4.0.0-RC1,<4.17.0-beta.2|>=5.0.0-RC1,<5.9.0-beta.2
Reported by:
GitHub

[MEDIUM] Craft CMS has potential authenticated Remote Code Execution via Twig SSTI
PKSA-q22m-n7fg-cqgy CVE-2026-28784 GHSA-qc86-q28f-ggww
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub

[MEDIUM] Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action
PKSA-c1gj-84dj-vvh3 CVE-2026-28782 GHSA-jxm3-pmm2-9gf6
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub

[MEDIUM] Craft CMS has Twig Function Blocklist Bypass
PKSA-x1f7-3vrt-jvfj CVE-2026-28783 GHSA-5fvc-7894-ghp4
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub

[MEDIUM] Craft CMS: Entries Authorship Spoofing via Mass Assignment
PKSA-zp4z-c8gp-zpww CVE-2026-28781 GHSA-2xfc-g69j-x2mp
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub

[CRITICAL] Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates
PKSA-jqb9-4xf5-mdn1 CVE-2026-28697 GHSA-v47q-jxvr-p68x
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub

[LOW] Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options
PKSA-skz7-x8dk-h7t1 GHSA-4mgv-366x-qxvx
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub

[HIGH] Craft CMS has IDOR via GraphQL @parseRefs
PKSA-ts3n-khxn-xyvm CVE-2026-28696 GHSA-7x43-mpfg-r9wj
Affected version: >=5.0.0-RC1,<5.9.0-beta.1|>=4.0.0-RC1,<4.17.0-beta.1
Reported by:
GitHub

[MEDIUM] Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
PKSA-n7dz-mnbq-y23y CVE-2026-28695 GHSA-94rc-cqvm-m4pw
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.8.7,<5.9.0-beta.1
Reported by:
GitHub

[HIGH] Craft CMS: GraphQL Asset Mutation Privilege Escalation
PKSA-zjy6-pdtw-mck8 CVE-2026-25497 GHSA-fxp3-g6gw-4r4v
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub