craftcms/cms Security Advisories for 4.17.0-beta.1 (14)
- [MEDIUM] Craft CMS has a host header injection leading to SSRF via resource-js endpoint
  PKSA-ntd3-69q5-4cfy CVE-2026-41130 GHSA-95wr-3f2v-v2wh
  Affected versions: >=4.0.0-RC1,<=4.17.8 | >=5.0.0-RC1,<=5.9.14
  Reported by: GitHub

- [MEDIUM] Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations
  PKSA-wb3t-ts8t-d4cj CVE-2026-41129 GHSA-3m9m-24vh-39wx
  Affected versions: >=4.0.0-RC1,<=4.17.8 | >=5.0.0-RC1,<=5.9.14
  Reported by: GitHub

- [LOW] Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
  PKSA-hq3k-cthz-b9zn GHSA-44px-qjjc-xrhq
  Affected versions: >=4.0.0-RC1,<=4.17.7 | >=5.0.0-RC1,<=5.9.13
  Reported by: GitHub

- [LOW] Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users
  PKSA-w984-dygq-7ryn CVE-2026-33161 GHSA-vgjg-248p-rfm2
  Affected versions: >=4.0.0-RC1,<=4.17.7 | >=5.0.0-RC1,<=5.9.13
  Reported by: GitHub

- [LOW] Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
  PKSA-swp1-ty4d-gpzy CVE-2026-33160 GHSA-5pgf-h923-m958
  Affected versions: >=4.0.0-RC1,<=4.17.7 | >=5.0.0-RC1,<=5.9.13
  Reported by: GitHub

- [MEDIUM] Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations
  PKSA-rxrx-pcy1-2csw CVE-2026-33159 GHSA-6mrr-q3pj-h53w
  Affected versions: >=4.0.0-RC1,<=4.17.7 | >=5.0.0-RC1,<=5.9.13
  Reported by: GitHub

- [MEDIUM] Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
  PKSA-548y-fsbg-y9t7 CVE-2026-33158 GHSA-3pvf-vxrv-hh9c
  Affected versions: >=5.0.0-RC1,<=5.9.13 | >=4.0.0-RC1,<=4.17.7
  Reported by: GitHub

- [HIGH] Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
  PKSA-s8c8-j6wr-t4ds CVE-2026-32267 GHSA-cc7p-2j3x-x7xf
  Affected versions: >=5.0.0-RC1,<=5.9.11 | >=4.0.0-RC1,<=4.17.5
  Reported by: GitHub

- [HIGH] Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
  PKSA-1qxd-z2sm-yssc CVE-2026-32264 GHSA-4484-8v2f-5748
  Affected versions: >=5.0.0-RC1,<=5.9.10 | >=4.0.0-RC1,<=4.17.4
  Reported by: GitHub

- [MEDIUM] Craft CMS has a Path Traversal Vulnerability in AssetsController
  PKSA-y7v4-m2bd-8h2y CVE-2026-32262 GHSA-472v-j2g4-g9h2
  Affected versions: >=5.0.0-RC1,<=5.9.10 | >=4.0.0-RC1,<=4.17.4
  Reported by: GitHub

- [HIGH] CraftCMS has an RCE vulnerability via relational conditionals in the control panel
  PKSA-w79g-q9vy-mw7b CVE-2026-31857 GHSA-fp5j-j7j4-mcxc
  Affected versions: >=4.0.0-beta.1,<=4.17.3 | >=5.0.0-RC1,<=5.9.8
  Reported by: GitHub

- [MEDIUM] CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization
  PKSA-t9v1-2frg-d2wy CVE-2026-31859 GHSA-fvwq-45qv-xvhv
  Affected versions: >=5.7.5,<=5.9.6 | >=4.15.3,<=4.17.2
  Reported by: GitHub

- [LOW] Craft CMS has a potential information disclosure vulnerability in preview tokens
  PKSA-24yr-dkzm-n9v5 CVE-2026-29113 GHSA-vg3j-hpm9-8v5v
  Affected versions: >=5.0.0-RC1,<5.9.6 | >=4.0.0-RC1,<4.17.3
  Reported by: GitHub

- [HIGH] Craft CMS has unauthenticated activation email trigger with potential user enumeration
  PKSA-s2xd-twzp-9yz7 CVE-2026-29069 GHSA-234q-vvw3-mrfq
  Affected versions: >=4.0.0-RC1,<4.17.0-beta.2 | >=5.0.0-RC1,<5.9.0-beta.2
  Reported by: GitHub