craftcms/cms Security Advisories for 4.17.4 (3)
-
[HIGH] Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
PKSA-s8c8-j6wr-t4ds CVE-2026-32267 GHSA-cc7p-2j3x-x7xf
Affected version: >=5.0.0-RC1,<=5.9.11|>=4.0.0-RC1,<=4.17.5
Reported by:
GitHub -
[HIGH] Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
PKSA-1qxd-z2sm-yssc CVE-2026-32264 GHSA-4484-8v2f-5748
Affected version: >=5.0.0-RC1,<=5.9.10|>=4.0.0-RC1,<=4.17.4
Reported by:
GitHub -
[MEDIUM] Craft CMS has a Path Traversal Vulnerability in AssetsController
PKSA-y7v4-m2bd-8h2y CVE-2026-32262 GHSA-472v-j2g4-g9h2
Affected version: >=5.0.0-RC1,<=5.9.10|>=4.0.0-RC1,<=4.17.4
Reported by:
GitHub