VYPR
High severity · NVD Advisory · Published Jan 30, 2024 · Updated Oct 18, 2024

CVE-2023-36260

Description

Feed Me plugin 4.6.1 for Craft CMS allows remote DoS via crafted strings to feed fields when using an Asset element type with no volume selected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

CVE-2023-36260 is a denial-of-service (DoS) vulnerability in version 4.6.1 of the Feed Me plugin for Craft CMS [1]. The root cause is an unhandled PHP error raised when a feed configured with the Asset element type is saved without a volume selected [2]. The NVD description adds that crafted strings supplied in the feed's Name and Feed URL fields are involved in triggering the condition [1]. The fix commit (b5d6ede51848, shown under Patches below) exposes the missing check: FeedsController::actionSaveFeed() handed the feed model to the save path without first testing whether the model carried validation errors.

Exploitation

Exploitation requires a Craft control-panel account with permission to reach the Feed Me feed configuration pages; no privilege beyond that is needed [2], and the request is sent remotely through the normal control-panel save form. The attacker submits a feed with the Asset element type, no volume selected, and crafted strings in the Name or Feed URL fields [1][2]. Because the controller did not reject a model that carried validation errors, the save path ran against an inconsistent feed definition (an asset import with no target volume) and terminated in an unhandled PHP error rather than returning a validation message [2]. The cited sources describe the outcome as the site becoming non-responsive [2]; they do not document a process crash or resource exhaustion beyond the failing request, so the severity rating rests on the "remote DoS" characterisation in the description [1].
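To make the failure mode concrete, the following is an added example written for this page, not code from the Feed Me project. It is a self-contained PHP script: FeedModel, volumeLabel(), saveFeedVulnerable() and saveFeedFixed() are hypothetical stand-ins for the plugin's feed model and FeedsController::actionSaveFeed(), and the volume list is constructed sample data. The vulnerable function mirrors the pre-4.6.2 control flow (validation errors recorded but never consulted before the save path runs); the fixed function mirrors the early return added in the patch.

```php
<?php
declare(strict_types=1);

// Added illustration, not Feed Me code. FeedModel, volumeLabel(),
// saveFeedVulnerable() and saveFeedFixed() are hypothetical stand-ins for the
// plugin's feed model and FeedsController::actionSaveFeed(). VOLUMES is
// constructed sample data.

const VOLUMES = ['images' => 'Images', 'documents' => 'Documents'];

final class FeedModel
{
    /** @var array<string, list<string>> attribute => messages */
    private array $errors = [];

    public function __construct(
        public string $name,
        public string $feedUrl,
        public string $elementType,    // 'Asset' or 'Entry' in this illustration
        public ?string $elementGroup,  // volume handle for Asset feeds; null when none was selected
    ) {
    }

    // Records errors the way a Yii/Craft model does: the caller must look at them.
    public function validate(): bool
    {
        $this->errors = [];
        if (trim($this->name) === '') {
            $this->errors['name'][] = 'Name cannot be blank.';
        }
        if (!filter_var($this->feedUrl, FILTER_VALIDATE_URL)) {
            $this->errors['feedUrl'][] = 'Feed URL must be a valid URL.';
        }
        if ($this->elementType === 'Asset' && ($this->elementGroup ?? '') === '') {
            $this->errors['elementGroup'][] = 'An Asset feed needs a volume.';
        }
        return $this->errors === [];
    }

    /** @return array<string, list<string>> */
    public function getErrors(): array
    {
        return $this->errors;
    }
}

// Stand-in for the save path, which assumes a volume handle is present.
// Passing null for the non-nullable string parameter raises a TypeError.
function volumeLabel(string $handle): string
{
    return VOLUMES[$handle] ?? throw new RuntimeException("Unknown volume '$handle'");
}

// Pre-4.6.2 shape: validation ran, but its result was never consulted, so a
// model with errors went straight into the save path and the PHP error
// escaped as an uncaught Throwable (a server error, not a validation message).
function saveFeedVulnerable(FeedModel $feed): string
{
    $feed->validate();
    return "saved feed '{$feed->name}' into volume " . volumeLabel($feed->elementGroup);
}

// 4.6.2 shape: stop while the errors can still be reported to the user.
/** @return array{ok: bool, errors?: array<string, list<string>>, result?: string} */
function saveFeedFixed(FeedModel $feed): array
{
    if (!$feed->validate()) {
        return ['ok' => false, 'errors' => $feed->getErrors()];
    }
    return ['ok' => true, 'result' => "saved feed '{$feed->name}' into volume " . volumeLabel($feed->elementGroup)];
}

// Constructed request: Asset element type, no volume selected.
$feed = new FeedModel('Photo import', 'https://example.com/photos.json', 'Asset', null);

try {
    echo saveFeedVulnerable($feed), PHP_EOL;
} catch (TypeError $e) {
    // In the real controller nothing catches this; the framework's error
    // handler turns it into a server error response.
    echo 'vulnerable path: uncaught ', get_class($e), PHP_EOL;
}

echo 'fixed path: ', json_encode(saveFeedFixed($feed)), PHP_EOL;

// The same request with a volume chosen passes the guard and saves normally.
$good = new FeedModel('Photo import', 'https://example.com/photos.json', 'Asset', 'images');
echo 'fixed path: ', json_encode(saveFeedFixed($good)), PHP_EOL;
```

Run it with `php feed_save.php` on PHP 8.0 or later. The vulnerable call fails with a TypeError because the save path dereferences the missing volume handle; the fixed call returns the errors the template can display, and the request with a volume selected saves on both paths. The exact error class in the real plugin is not stated on this page (the assumption here is a type error on a null handle), but the structure is the same: an invalid model reaching code that assumes validity.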

Impact

Successful exploitation leaves the targeted Craft CMS site non-responsive [2]. Downtime of that kind translates into lost revenue and reputational harm for organizations that depend on the site [2]. The flaw does not by itself expose data or cause lasting damage; the impact is confined to availability.

Mitigation

The vendor fixed the issue in Feed Me 4.6.2 [3]. The release notes state that a PHP error that could occur when saving a feed using an Asset element type with no volume selected has been fixed [4]; the corresponding commit, b5d6ede51848 by Brad Bell on Mar 31, 2023, adds an early return in FeedsController::actionSaveFeed() whenever the feed model carries validation errors. The NVD advisory itself was published Jan 30, 2024. Upgrade to 4.6.2 or later. No workaround is known; updating the plugin is the only effective mitigation [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions   Patched versions
craftcms/cms (Packagist)   < 4.6.2             4.6.2

Note: the GHSA listing names craftcms/cms, but the version range (< 4.6.2) and the patch below belong to the Feed Me plugin (repository craftcms/feed-me). Check the installed version of the plugin, not of Craft CMS core.

Affected products

2

Patches

1
b5d6ede51848

Fixed a PHP error that could occur when saving a feed using an Asset element type with no volume selected.

https://github.com/craftcms/feed-me · Brad Bell · Mar 31, 2023 · via ghsa
2 files changed · +15 −0
  • CHANGELOG.md (+4 −0, modified)
    @@ -1,5 +1,9 @@
     # Release Notes for Feed Me 4.x
     
    +## Unreleased
    +
    +- Fixed a PHP error that could occur when saving a feed using an Asset element type with no volume selected.
    +
     ## 4.6.1.1 - 2023-03-24 
     
     - Fixed a PHP error that could occur when importing into some 3rd party fields. ([#1264](https://github.com/craftcms/feed-me/issues/1264), [#1265](https://github.com/craftcms/feed-me/pull/1265))
    
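Review bot: the new "Unreleased" entry cites no issue or PR, unlike the 4.6.1.1 line directly below it, which links #1264 and #1265; add the issue/PR reference (and the CVE once assigned) so the changelog entry can be traced to the fix, and replace "Unreleased" with the version and date when 4.6.2 is cut.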
  • src/controllers/FeedsController.php (+11 −0, modified)
    @@ -152,6 +152,17 @@ public function actionSaveFeed()
         {
             $feed = $this->_getModelFromPost();
     
    +        if ($feed->getErrors()) {
    +            $this->setFailFlash(Craft::t('feed-me', 'Couldn’t save the feed.'));
    +
    +            // Send the category group back to the template
    +            Craft::$app->getUrlManager()->setRouteParams([
    +                'feed' => $feed,
    +            ]);
    +
    +            return null;
    +        }
    +
             return $this->_saveAndRedirect($feed, 'feed-me/feeds/', true);
         }
     
    
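Review bot: the early return depends on `$feed->getErrors()` already being populated by `_getModelFromPost()`, which is outside this hunk; if that helper only assigns POST attributes without validating, the guard is a no-op and an Asset feed with no volume still reaches `_saveAndRedirect()`. Prefer `if (!$feed->validate())` here so the check does not rely on the helper's behaviour. Also, the comment `// Send the category group back to the template` was copied from another controller and should read `// Send the feed back to the template`.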

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
