craftcms/cms Security Advisories for 5.9.7 (7)
- [MEDIUM] Craft CMS Vulnerable to Stored XSS in Revision Context Menu
PKSA-1n7m-zdqf-4n15 CVE-2026-33051 GHSA-3x4w-mxpf-fhqq
Affected version: >=5.9.0-beta.1,<=5.9.10
Reported by: GitHub
- [HIGH] Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
PKSA-s8c8-j6wr-t4ds CVE-2026-32267 GHSA-cc7p-2j3x-x7xf
Affected version: >=5.0.0-RC1,<=5.9.11|>=4.0.0-RC1,<=4.17.5
Reported by: GitHub
- [HIGH] Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
PKSA-1qxd-z2sm-yssc CVE-2026-32264 GHSA-4484-8v2f-5748
Affected version: >=5.0.0-RC1,<=5.9.10|>=4.0.0-RC1,<=4.17.4
Reported by: GitHub
- [HIGH] Craft CMS vulnerable to behavior injection RCE via EntryTypesController
PKSA-1n2n-7k4d-96rt CVE-2026-32263 GHSA-qx2q-q59v-wf3j
Affected version: >=5.6.0,<=5.9.10
Reported by: GitHub
- [MEDIUM] Craft CMS has a Path Traversal Vulnerability in AssetsController
PKSA-y7v4-m2bd-8h2y CVE-2026-32262 GHSA-472v-j2g4-g9h2
Affected version: >=5.0.0-RC1,<=5.9.10|>=4.0.0-RC1,<=4.17.4
Reported by: GitHub
- [HIGH] CraftCMS has an RCE vulnerability via relational conditionals in the control panel
PKSA-w79g-q9vy-mw7b CVE-2026-31857 GHSA-fp5j-j7j4-mcxc
Affected version: >=4.0.0-beta.1,<=4.17.3|>=5.0.0-RC1,<=5.9.8
Reported by: GitHub
- [HIGH] CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
PKSA-2bdn-bpjn-j9q4 CVE-2026-31858 GHSA-g7j6-fmwx-7vp8
Affected version: >=5.0.0-RC1,<=5.9.8
Reported by: GitHub