Security Advisories - craftcms/cms - Packagist.org

craftcms/cms Security Advisories for 5.9.10 (5)

[MEDIUM] Craft CMS Vulnerable to Stored XSS in Revision Context Menu

PKSA-1n7m-zdqf-4n15 CVE-2026-33051 GHSA-3x4w-mxpf-fhqq

Affected version: >=5.9.0-beta.1,<=5.9.10

Reported by:
GitHub
[HIGH] Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()

PKSA-s8c8-j6wr-t4ds CVE-2026-32267 GHSA-cc7p-2j3x-x7xf

Affected version: >=5.0.0-RC1,<=5.9.11|>=4.0.0-RC1,<=4.17.5

Reported by:
GitHub
[HIGH] Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController

PKSA-1qxd-z2sm-yssc CVE-2026-32264 GHSA-4484-8v2f-5748

Affected version: >=5.0.0-RC1,<=5.9.10|>=4.0.0-RC1,<=4.17.4

Reported by:
GitHub
[HIGH] Craft CMS vulnerable to behavior injection RCE via EntryTypesController

PKSA-1n2n-7k4d-96rt CVE-2026-32263 GHSA-qx2q-q59v-wf3j

Affected version: >=5.6.0,<=5.9.10

Reported by:
GitHub
[MEDIUM] Craft CMS has a Path Traversal Vulnerability in AssetsController

PKSA-y7v4-m2bd-8h2y CVE-2026-32262 GHSA-472v-j2g4-g9h2

Affected version: >=5.0.0-RC1,<=5.9.10|>=4.0.0-RC1,<=4.17.4

Reported by:
GitHub