Packagist (Composer) package
craftcms/cms
pkg:composer/craftcms/cms
Vulnerabilities (98)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44012 | High | — | | >= 5.0.0-RC1, < 5.9.18 | 5.9.18 | May 12, 2026 | Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI pa |
| CVE-2026-44011 | High | — | | >= 4.0.0, < 4.17.12 | 4.17.12 | May 12, 2026 | Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS contains an input-handling flaw in a Yii object creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. The |
| CVE-2026-44010 | High | — | | >= 5.0.0, < 5.9.18 | 5.9.18 | May 12, 2026 | Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege use |
| CVE-2026-41130 | Medium | — | | >= 5.0.0-RC1, < 5.9.15 | 5.9.15 | Apr 22, 2026 | Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When `trustedHosts` is not explicitly res |
| CVE-2026-41129 | Medium | — | | >= 5.0.0-RC1, < 5.9.15 | 5.9.15 | Apr 22, 2026 | Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the <Vo |
| CVE-2026-41128 | Medium | — | | >= 5.6.0, < 5.9.15 | 5.9.15 | Apr 22, 2026 | Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for a |
| CVE-2026-33162 | | — | | >= 5.3.0, < 5.9.14 | 5.9.14 | Mar 24, 2026 | Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} perm |
| CVE-2026-33161 | | — | | >= 5.0.0-RC1, < 5.9.14 | 5.9.14 | Mar 24, 2026 | Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive |
| CVE-2026-33160 | | — | | >= 5.0.0-RC1, < 5.9.14 | 5.9.14 | Mar 24, 2026 | Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transfo |
| CVE-2026-33159 | | — | | >= 5.0.0-RC1, < 5.9.14 | 5.9.14 | Mar 24, 2026 | Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-ya |
| CVE-2026-33158 | | — | | >= 4.0.0-RC1, < 4.17.8 | 4.17.8 | Mar 24, 2026 | Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they |
| CVE-2026-33157 | | — | | >= 5.6.0, < 5.9.13 | 5.9.13 | Mar 24, 2026 | Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS; it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing |
| CVE-2026-33051 | | — | | >= 5.9.0-beta.1, < 5.9.11 | 5.9.11 | Mar 20, 2026 | Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator's fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privile |
| CVE-2026-32267 | | — | | >= 4.0.0-RC1, < 4.17.6 | 4.17.6 | Mar 16, 2026 | Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing |
| CVE-2026-32264 | | — | | >= 4.0.0-RC1, < 4.17.5 | 4.17.5 | Mar 16, 2026 | Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator |
| CVE-2026-32263 | | — | | >= 5.6.0, < 5.9.11 | 5.9.11 | Mar 16, 2026 | Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 beh |
| CVE-2026-32262 | | — | | >= 4.0.0-RC1, < 4.17.5 | 4.17.5 | Mar 16, 2026 | Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call befo |
| CVE-2026-31859 | | — | | >= 4.15.3, < 4.17.3 | 4.17.3 | Mar 11, 2026 | Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not in |
| CVE-2026-31858 | | — | | >= 5.0.0-RC1, < 5.9.9 | 5.9.9 | Mar 11, 2026 | Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original a |
| CVE-2026-31857 | | — | | >= 5.0.0-RC1, < 5.9.9 | 5.9.9 | Mar 11, 2026 | Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() |
Page 1 of 5