craftcms/cms Security Advisories for 5.9.10 (18)

[HIGH] Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
PKSA-tj2m-c963-6jtt CVE-2026-44012 GHSA-33m5-hqp9-97pw
Affected version: >=5.0.0-RC1,<5.9.18
Reported by: GitHub

[HIGH] Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior
PKSA-7b21-z11x-97gc CVE-2026-44011 GHSA-qrgm-p9w5-rrfw
Affected version: >=5.0.0,<5.9.18|>=4.0.0,<4.17.12
Reported by: GitHub

[HIGH] Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
PKSA-sxz1-z4jg-2vhh CVE-2026-44010 GHSA-gj2p-p9m4-c8gw
Affected version: >=4.0.0,<4.17.12|>=5.0.0,<5.9.18
Reported by: GitHub

[MEDIUM] Craft CMS has a host header injection leading to SSRF via resource-js endpoint
PKSA-ntd3-69q5-4cfy CVE-2026-41130 GHSA-95wr-3f2v-v2wh
Affected version: >=4.0.0-RC1,<=4.17.8|>=5.0.0-RC1,<=5.9.14
Reported by: GitHub

[MEDIUM] Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations
PKSA-wb3t-ts8t-d4cj CVE-2026-41129 GHSA-3m9m-24vh-39wx
Affected version: >=4.0.0-RC1,<=4.17.8|>=5.0.0-RC1,<=5.9.14
Reported by: GitHub

[MEDIUM] Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action
PKSA-dmwd-n76s-m3f9 CVE-2026-41128 GHSA-jq2f-59pj-p3m3
Affected version: >=5.6.0,<5.9.15
Reported by: GitHub

[LOW] Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
PKSA-hq3k-cthz-b9zn GHSA-44px-qjjc-xrhq
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by: GitHub

[MEDIUM] Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions
PKSA-7c6f-2hwc-ptwd CVE-2026-33162 GHSA-f582-6gf6-gx4g
Affected version: >=5.3.0,<=5.9.13
Reported by: GitHub

[LOW] Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users
PKSA-w984-dygq-7ryn CVE-2026-33161 GHSA-vgjg-248p-rfm2
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by: GitHub

[LOW] Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
PKSA-swp1-ty4d-gpzy CVE-2026-33160 GHSA-5pgf-h923-m958
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by: GitHub

[MEDIUM] Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations
PKSA-rxrx-pcy1-2csw CVE-2026-33159 GHSA-6mrr-q3pj-h53w
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by: GitHub

[MEDIUM] Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
PKSA-548y-fsbg-y9t7 CVE-2026-33158 GHSA-3pvf-vxrv-hh9c
Affected version: >=5.0.0-RC1,<=5.9.13|>=4.0.0-RC1,<=4.17.7
Reported by: GitHub

[HIGH] Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior
PKSA-twkq-r2c1-87qq CVE-2026-33157 GHSA-2fph-6v5w-89hh
Affected version: >=5.6.0,<=5.9.12
Reported by: GitHub

[MEDIUM] Craft CMS Vulnerable to Stored XSS in Revision Context Menu
PKSA-1n7m-zdqf-4n15 CVE-2026-33051 GHSA-3x4w-mxpf-fhqq
Affected version: >=5.9.0-beta.1,<=5.9.10
Reported by: GitHub

[HIGH] Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
PKSA-s8c8-j6wr-t4ds CVE-2026-32267 GHSA-cc7p-2j3x-x7xf
Affected version: >=5.0.0-RC1,<=5.9.11|>=4.0.0-RC1,<=4.17.5
Reported by: GitHub

[HIGH] Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
PKSA-1qxd-z2sm-yssc CVE-2026-32264 GHSA-4484-8v2f-5748
Affected version: >=5.0.0-RC1,<=5.9.10|>=4.0.0-RC1,<=4.17.4
Reported by: GitHub

[HIGH] Craft CMS vulnerable to behavior injection RCE via EntryTypesController
PKSA-1n2n-7k4d-96rt CVE-2026-32263 GHSA-qx2q-q59v-wf3j
Affected version: >=5.6.0,<=5.9.10
Reported by: GitHub

[MEDIUM] Craft CMS has a Path Traversal Vulnerability in AssetsController
PKSA-y7v4-m2bd-8h2y CVE-2026-32262 GHSA-472v-j2g4-g9h2
Affected version: >=5.0.0-RC1,<=5.9.10|>=4.0.0-RC1,<=4.17.4
Reported by: GitHub
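The "Affected version" lines above use a constraint syntax in which "|" separates alternative ranges and "," joins comparators that must all hold, and several lower bounds are pre-releases ("5.0.0-RC1", "5.9.0-beta.1") rather than final releases. Whether an installed build sits inside such a range is easy to get wrong by hand, because "5.0.0-RC1" sorts before "5.0.0" and ">=5.0.0" therefore excludes the release candidate while ">=5.0.0-RC1" includes it. The following is an added example, not code from Craft CMS or from this advisory page: a small matcher that parses this constraint syntax with pre-release-aware ordering and reports which of a handful of the advisories listed above (copied into a constructed sample table) apply to a given version string. The stage ranking (dev, alpha, beta, rc) and the function names are this example's own assumptions.

```python
"""Match an installed version against advisory ranges such as
">=4.0.0-RC1,<=4.17.8|>=5.0.0-RC1,<=5.9.14" (added example, not project code)."""
import re

# X.Y.Z with an optional pre-release suffix, e.g. 5.9.0-beta.1 or 5.0.0-RC1
VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$')
COMPARATOR_RE = re.compile(r'^(>=|<=|==|>|<|=)\s*(.+)$')

# Assumed ordering of pre-release stages; unknown labels sort after these.
STAGE_RANK = {'dev': 0, 'alpha': 1, 'a': 1, 'beta': 2, 'b': 2, 'rc': 3}


def prerelease_key(pre):
    """Sortable key for a pre-release suffix; None (a final release) sorts last."""
    if pre is None:
        return (1,)  # final release is newer than any pre-release of the same X.Y.Z
    pre = pre.lower()
    # Normalise "rc1" to "rc.1" so the number can be compared numerically.
    pre = re.sub(r'(?<=[a-z])(?=\d)|(?<=\d)(?=[a-z])', '.', pre)
    key = [0]
    for ident in pre.split('.'):
        if ident.isdigit():
            key.append((0, int(ident), ''))           # numeric identifiers sort first
        elif ident in STAGE_RANK:
            key.append((1, STAGE_RANK[ident], ident))  # known stage names by rank
        else:
            key.append((2, 0, ident))                  # anything else, alphabetically
    return tuple(key)


def version_key(text):
    """Parse 'X.Y.Z[-pre]' into a tuple that compares in release order."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f'unparseable version: {text!r}')
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), prerelease_key(pre))


OPS = {
    '>=': lambda a, b: a >= b, '<=': lambda a, b: a <= b,
    '>': lambda a, b: a > b, '<': lambda a, b: a < b,
    '==': lambda a, b: a == b, '=': lambda a, b: a == b,
}


def _satisfies(v, comparator):
    m = COMPARATOR_RE.match(comparator.strip())
    if not m:
        raise ValueError(f'unparseable comparator: {comparator!r}')
    op, bound = m.groups()
    return OPS[op](v, version_key(bound))


def is_affected(installed, constraint):
    """True if `installed` falls inside any '|'-separated range of `constraint`."""
    v = version_key(installed)
    for alternative in constraint.split('|'):
        if all(_satisfies(v, c) for c in alternative.split(',')):
            return True
    return False


# Constructed sample: a subset of the advisories listed on this page.
ADVISORIES = [
    ('CVE-2026-44012', '>=5.0.0-RC1,<5.9.18'),
    ('CVE-2026-41130', '>=4.0.0-RC1,<=4.17.8|>=5.0.0-RC1,<=5.9.14'),
    ('CVE-2026-41128', '>=5.6.0,<5.9.15'),
    ('CVE-2026-33051', '>=5.9.0-beta.1,<=5.9.10'),
    ('CVE-2026-32263', '>=5.6.0,<=5.9.10'),
]


def matching_advisories(installed, advisories=ADVISORIES):
    """Return the identifiers of every advisory whose range covers `installed`."""
    return [ident for ident, rng in advisories if is_affected(installed, rng)]


if __name__ == '__main__':
    for v in ('5.9.10', '5.9.15', '5.9.18', '5.0.0-RC1'):
        print(v, matching_advisories(v))
```

Run it with the version reported by `craft --version` (or `composer show craftcms/cms`); an empty list for your version means none of the sampled ranges apply. Note that upper bounds on this page are mixed: some use "<" (the fixed release itself is clean) and some use "<=" (the fixed release is the next one), which is why the matcher treats the operators literally rather than normalising them.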