craftcms/cms Security Advisories for 5.9.18 (11)
-
[HIGH] Craft CMS: Potential authenticated Remote Code Execution via referrer redirect
PKSA-hvdm-8k9p-kcdw CVE-2026-55794 GHSA-f74w-488g-8x5r
Affected version: >=5.9.0,<5.10.0
Reported by:
GitHub -
[MEDIUM] Craft CMS: Stored XSS via Structure entry title in table view
PKSA-z4vj-1h29-pkrc CVE-2026-55793 GHSA-xrqc-p465-2xvg
Affected version: >=5.0.0-RC1,<5.9.22
Reported by:
GitHub -
[MEDIUM] Craft CMS: Sensitive File Disclosure / Server-Side File Read
PKSA-rvh7-y4k6-cn59 CVE-2026-55792 GHSA-287w-mxq6-x2cp
Affected version: >=5.0.0-RC1,<5.10.0|>=4.0.0-RC1,<4.18.0
Reported by:
GitHub -
[HIGH] Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget
PKSA-hm4p-n9yk-nz2c CVE-2026-55790 GHSA-24x4-j6x9-rfw5
Affected version: >=4.0.0-RC1,<4.17.15|>=5.0.0-RC1,<5.9.22
Reported by:
GitHub -
[HIGH] Craft CMS Vulnerable to Unauthorized Deletion of Destination Folders During Forced Moves
PKSA-9z7r-2kcf-76cf CVE-2026-50282 GHSA-3w32-23wj-rxg3
Affected version: >=4.0.0-RC1,<4.17.14|>=5.0.0-RC1,<5.9.21
Reported by:
GitHub -
[HIGH] Craft CMS's mass assignment via id in newAttributes during bulk duplicate overwrites existing elements
PKSA-zn8p-45f7-kgv1 CVE-2026-50281 GHSA-x5m4-g2cq-52pq
Affected version: >=5.7.0,<5.9.21
Reported by:
GitHub -
[HIGH] Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users' assets
PKSA-fd42-dyd4-g3dq CVE-2026-50284 GHSA-7h62-6v23-v8fm
Affected version: >=4.0.0-RC1,<4.17.15|>=5.0.0-RC1,<5.9.22
Reported by:
GitHub -
[MEDIUM] Craft CMS: Unauthorized Deletion of Source Assets During File Replacement
PKSA-68rr-18x7-w4gg CVE-2026-50283 GHSA-qh45-9g5p-m2v4
Affected version: >=4.0.0-RC1,<4.17.14|>=5.0.0-RC1,<5.9.21
Reported by:
GitHub -
[MEDIUM] Craft CMS: Authorization bypass in `entries/move-to-section` via missing target-section save check
PKSA-nhns-q2yx-ct2v CVE-2026-50280 GHSA-43cq-c2gq-pfpw
Affected version: >=5.0.0-RC1,<5.9.21
Reported by:
GitHub -
[HIGH] Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap
PKSA-rg3c-2r2k-sf93 CVE-2026-50279 GHSA-qq2c-2q8j-jh27
Affected version: >=5.0.0-RC1,<5.9.21
Reported by:
GitHub -
[CRITICAL] Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs
PKSA-5xds-5mf3-ckxn CVE-2026-55791 GHSA-c55v-343g-5xff
Affected version: >=4.0.0-RC1,<4.18|>=5.0.0-RC1,<5.10
Reported by:
GitHub