Craft CMS: Nine Vulnerabilities Including RCE and SSRF Disclosed in Batch
Craft CMS and Craft Commerce users face critical risks from nine vulnerabilities disclosed June 19-21, 2026, including RCE, SSRF, and XSS flaws.

Key findings
- Nine vulnerabilities disclosed for Craft CMS and Craft Commerce between June 19-21, 2026.
- Flaws include RCE, SSRF, path traversal, authorization bypass, and multiple stored XSS vulnerabilities.
- Affected versions span Craft CMS 4.x and 5.x, with specific ranges detailed for each CVE.
- Critical vulnerabilities CVE-2026-56382 (RCE) and CVE-2026-55791 (SSRF) require immediate patching.
- Craft Commerce coupon code brute-force vulnerability CVE-2026-55795 also disclosed.
On June 21, 2026, a batch of seven vulnerabilities was disclosed for Craft CMS, impacting versions 4.x and 5.x. These flaws, detailed by security researchers, range in severity and include path traversal, cross-site scripting (XSS), authorization bypass, and remote code execution. The vulnerabilities primarily affect the asset management and user configuration functionalities within the CMS. Additionally, two separate vulnerabilities affecting Craft Commerce and Craft CMS were disclosed on June 19, 2026, concerning coupon code brute-force and server-side request forgery (SSRF) with arbitrary JavaScript injection.
Several vulnerabilities center around the asset management system. CVE-2026-56394, an authenticated path traversal flaw in the assets/icon endpoint, allows an authenticated attacker to read local files by manipulating the extension parameter. Similarly, CVE-2026-56385 and CVE-2026-56384 describe an authorization bypass and a missing authorization check in the assets/preview-file and assets/preview-thumb endpoints, respectively. Both allow authenticated users with low privileges to access or preview private assets that they are not authorized to view.
Cross-site scripting (XSS) vulnerabilities are also prevalent. CVE-2026-56393 highlights multiple stored XSS flaws in settings names and field option labels across Craft CMS 4.x and 5.x, where unsanitized input in templates like checkbox.twig can be exploited. CVE-2026-56383 details a stored XSS vulnerability in the Table Field when using the 'Row Heading' column type, allowing arbitrary code injection through default row heading values. Another stored XSS vulnerability, CVE-2026-56381, exists in the User Permissions page, where user group names are not properly escaped, enabling attackers with admin access to inject JavaScript.
A critical vulnerability, CVE-2026-56382, presents a remote code execution (RCE) risk in the FieldsController::actionRenderCardPreview() method. The fieldLayoutConfig parameter is passed directly to Fields::createLayout() without proper sanitization, enabling an authenticated user to execute arbitrary code.
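As an added illustration (not code from the advisories or from Craft CMS), the following Python script triages web server access logs for requests that reach the controller actions named above, so that an administrator can see whether those endpoints were exercised before the patch went in. The action path fields/render-card-preview is inferred from the method name FieldsController::actionRenderCardPreview(), the /actions/<path>, p=actions/<path> and action=<path> URL forms are assumptions about how Craft routes controller actions, and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Craft controller actions named in the advisories. "fields/render-card-preview"
# is inferred from FieldsController::actionRenderCardPreview() (assumption).
WATCHED_ACTIONS = {
    "assets/icon": "CVE-2026-56394 path traversal via 'extension'",
    "assets/preview-file": "CVE-2026-56385 authorization bypass",
    "assets/preview-thumb": "CVE-2026-56384 missing authorization",
    "fields/render-card-preview": "CVE-2026-56382 RCE via 'fieldLayoutConfig'",
}

# Sequences that never belong in a file extension. parse_qs has already
# URL-decoded once, so the %2e form catches double-encoded input.
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e", re.IGNORECASE)

# Combined log format, matching the constructed sample below.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def action_from_target(target):
    """Return (action path or None, parsed query) for a request target.
    Recognises /actions/<path>, p=actions/<path> and action=<path>
    (assumed forms of Craft's action routing)."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    if parts.path.startswith("/actions/"):
        return parts.path[len("/actions/"):].strip("/"), qs
    p = qs.get("p", [""])[0]
    if p.startswith("actions/"):
        return p[len("actions/"):].strip("/"), qs
    a = qs.get("action", [""])[0]
    return (a.strip("/") or None), qs


def triage(lines):
    """One finding per request that reaches a watched action."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        action, qs = action_from_target(m["target"])
        if action not in WATCHED_ACTIONS:
            continue
        reasons = [WATCHED_ACTIONS[action]]
        if action == "assets/icon" and TRAVERSAL.search(qs.get("extension", [""])[0]):
            reasons.append("traversal sequence in 'extension'")
        findings.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "action": action, "status": int(m["status"]), "reasons": reasons,
        })
    return findings


# Constructed sample: an icon request carrying traversal, a thumbnail preview,
# a card-preview POST, a benign icon request via index.php, an unrelated page.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jun/2026:10:01:02 +0000] "GET /actions/assets/icon?extension=..%2F..%2F..%2Fetc%2Fhostname HTTP/1.1" 200 512
203.0.113.7 - - [21/Jun/2026:10:01:05 +0000] "GET /actions/assets/preview-thumb?assetId=42 HTTP/1.1" 200 9001
198.51.100.4 - - [21/Jun/2026:10:02:11 +0000] "POST /actions/fields/render-card-preview HTTP/1.1" 200 1338
198.51.100.4 - - [21/Jun/2026:10:02:30 +0000] "GET /index.php?p=actions/assets/icon&extension=pdf HTTP/1.1" 200 4096
192.0.2.9 - - [21/Jun/2026:10:03:00 +0000] "GET /blog/hello-world HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f["time"], f["ip"], f["method"], f["action"], "->", "; ".join(f["reasons"]))
```

A hit on assets/preview-file or assets/preview-thumb is only interesting when correlated with the requesting account's permissions, which the access log does not carry; the script therefore reports every request to those actions and leaves the privilege check to the reviewer.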
Beyond the core CMS, two other vulnerabilities were disclosed around the same time. CVE-2026-55795 affects Craft Commerce and allows coupon codes to be brute-forced, because rate limiting is bypassed when the 'number' parameter is not provided. CVE-2026-55791, a critical vulnerability in Craft CMS, enables blind SSRF and arbitrary JavaScript injection via the /actions/app/resource-js endpoint. It is triggered by poisoning the Host or X-Forwarded-Host header, which a permissive default trustedHosts configuration accepts.
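The header-trust problem behind the SSRF finding can be modelled in a few lines. The Python below is an added example, not Craft's or Yii's code: it resolves the request host under a permissive policy (any client's X-Forwarded-Host is honoured and any host is accepted) and under a strict policy (forwarded headers are honoured only from listed proxy networks, and the resulting host is checked against an allowlist). The CIDR ranges, host names and policy semantics are assumptions for illustration and simplify what the real trustedHosts setting does.

```python
import ipaddress
from fnmatch import fnmatch


class UntrustedHost(Exception):
    """Raised when the resolved host is not one the application serves."""


def from_trusted_proxy(remote_addr, trusted_proxies):
    """True if forwarded headers from this connection may be believed.
    ['any'] stands in for a permissive setting that trusts every client."""
    if "any" in trusted_proxies:
        return True
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in trusted_proxies)


def resolve_host(headers, remote_addr, trusted_proxies, allowed_hosts):
    """Pick the host name the application may use when building absolute URLs,
    for example the URL it fetches a resource from or embeds in a response.

    headers         -- request headers (constructed dicts below)
    remote_addr     -- IP address the connection came from
    trusted_proxies -- CIDRs whose X-Forwarded-Host is honoured, or ['any']
    allowed_hosts   -- fnmatch patterns the app serves; ['*'] accepts anything
    """
    host = headers.get("Host", "")
    forwarded = headers.get("X-Forwarded-Host", "")
    if forwarded and from_trusted_proxy(remote_addr, trusted_proxies):
        host = forwarded.split(",")[0].strip()  # first hop wins
    host = host.split(":")[0].lower()  # drop port; IPv6 literals not handled here
    if not any(fnmatch(host, pat) for pat in allowed_hosts):
        raise UntrustedHost(host)
    return host


# Constructed requests from an outside client (203.0.113.0/24 is documentation space).
FORGED_FORWARD = {"Host": "shop.example", "X-Forwarded-Host": "forged.example"}
FORGED_HOST = {"Host": "forged.example"}
CLIENT = "203.0.113.7"

# The weak policy beside the corrected one (values are assumptions).
PERMISSIVE = dict(trusted_proxies=["any"], allowed_hosts=["*"])
STRICT = dict(trusted_proxies=["10.0.0.0/8"], allowed_hosts=["shop.example", "*.shop.example"])


def resolve_or_reject(headers, policy, remote_addr=CLIENT):
    """Return the host the app would use, or 'rejected:<host>'."""
    try:
        return resolve_host(headers, remote_addr, **policy)
    except UntrustedHost as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("strict", STRICT)):
        print(name, resolve_or_reject(FORGED_FORWARD, policy), resolve_or_reject(FORGED_HOST, policy))
```

Under the permissive policy the application builds URLs on whatever host the client names, which is the precondition for making the server fetch from, or emit script referencing, a host of the attacker's choosing; under the strict policy the forged forwarded header is ignored because the connection did not come from a listed proxy, and a forged Host header is rejected outright. The same fail-closed reasoning applies to the Craft Commerce rate-limit bypass: a limiter that only engages when an optional parameter is present exempts exactly the requests it should be counting.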
The affected versions for the Craft CMS vulnerabilities disclosed on June 21 include Craft CMS 4.x (>= 4.0.0-RC1) and 5.x (>= 5.0.0-RC1). Specific version ranges are given for individual CVEs, with patches available in later releases. For CVE-2026-56393, versions prior to 4.17.0-beta.1 and 5.9.0-beta.1 are affected. CVE-2026-56382 impacts Craft CMS versions >= 5.5.0 and <= 5.9.13. The SSRF and RCE vulnerabilities require immediate attention from administrators of affected Craft CMS installations. Users are advised to consult the official Craft CMS security advisories for detailed patch information and recommended upgrade paths.
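To decide whether an installation falls inside the ranges above, one needs a version comparison that orders pre-releases such as 5.9.0-beta.1 and 4.0.0-RC1 correctly, since a naive string comparison puts 5.9.0-beta.1 after 5.9.0. The Python below is an added example, not a tool from the Craft project; it encodes only the two ranges the write-up states explicitly, and the remaining CVEs, which have no range on this page, are deliberately left out.

```python
import re

# Version ranges exactly as stated in the write-up. Each entry is
# (lowest affected, highest affected, whether the high bound is inclusive);
# the low bound is always inclusive.
AFFECTED = {
    "CVE-2026-56393": [("4.0.0-RC1", "4.17.0-beta.1", False),
                       ("5.0.0-RC1", "5.9.0-beta.1", False)],
    "CVE-2026-56382": [("5.5.0", "5.9.13", True)],
}


def parse_version(v):
    """Sort key for versions like '5.9.13', '5.9.0-beta.1', '4.0.0-RC1'.
    SemVer precedence: a pre-release sorts before the release it precedes,
    numeric identifiers sort before alphabetic ones, and identifiers are
    compared case-insensitively (so 'RC1' orders like 'rc.1')."""
    core, _, pre = v.strip().partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * (3 - len(nums))
    if not pre:
        return nums + (1, ())  # release: after every pre-release of this number
    ids = tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                for t in re.findall(r"[A-Za-z]+|\d+", pre))
    return nums + (0, ids)


def in_range(version, low, high, high_inclusive):
    """True if version lies within [low, high] or [low, high)."""
    k = parse_version(version)
    if k < parse_version(low):
        return False
    h = parse_version(high)
    return k <= h if high_inclusive else k < h


def affected_cves(version):
    """CVEs from the table above whose stated range contains this version."""
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(in_range(version, *r) for r in ranges))


if __name__ == "__main__":
    for v in ("4.16.9", "4.17.0-beta.1", "5.4.2", "5.9.0-beta.1", "5.9.13", "5.9.14"):
        print(v, affected_cves(v) or "none of the encoded ranges")
```

An empty result means only that the version is outside the two ranges this page spells out, not that the installation is unaffected by the other seven advisories; those need the ranges from the official advisories added to the table.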
This cluster of vulnerabilities underscores the importance of regularly updating Craft CMS and its associated plugins. The presence of RCE and SSRF flaws, alongside authorization bypasses and XSS, presents a significant risk to data integrity and system security. Administrators should prioritize patching these vulnerabilities to prevent potential exploitation and maintain the security posture of their Craft CMS environments. The disclosure of these issues together highlights a focused period of security scrutiny for the platform.