craftcms/cms Security Advisories for 5.9.16 (3)
-
[HIGH] Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
PKSA-tj2m-c963-6jtt CVE-2026-44012 GHSA-33m5-hqp9-97pw
Affected version: >=5.0.0-RC1,<5.9.18
Reported by:
GitHub -
[HIGH] Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior
PKSA-7b21-z11x-97gc CVE-2026-44011 GHSA-qrgm-p9w5-rrfw
Affected version: >=5.0.0,<5.9.18|>=4.0.0,<4.17.12
Reported by:
GitHub -
[HIGH] Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
PKSA-sxz1-z4jg-2vhh CVE-2026-44010 GHSA-gj2p-p9m4-c8gw
Affected version: >=4.0.0,<4.17.12|>=5.0.0,<5.9.18
Reported by:
GitHub