VYPR

Packagist (Composer) package

craftcms/cms

pkg:composer/craftcms/cms

Vulnerabilities (98)

  • CVE-2026-29113 (Mar 10, 2026)
    affected >= 4.0.0-RC1, < 4.17.4; fixed 4.17.4

    Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce

  • CVE-2026-29069 (Mar 4, 2026)
    affected >= 5.0.0-RC1, < 5.9.0-beta.2; fixed 5.9.0-beta.2

    Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation

  • CVE-2026-28784 (Mar 4, 2026)
    affected >= 5.0.0-RC1, < 5.9.0-beta.1; fixed 5.9.0-beta.1

    Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to

  • CVE-2026-28783 (Mar 4, 2026)
    affected >= 5.0.0-RC1, < 5.9.0-beta.1; fixed 5.9.0-beta.1

    Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, yo

  • CVE-2026-28782 (Mar 4, 2026)
    affected >= 5.0.0-RC1, < 5.9.0-beta.1; fixed 5.9.0-beta.1

    Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Dupli

  • CVE-2026-28781 (Mar 4, 2026)
    affected >= 5.0.0-RC1, < 5.9.0-beta.1; fixed 5.9.0-beta.1

    Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request,

  • CVE-2026-28697 (Mar 4, 2026)
    affected >= 5.0.0-RC1, < 5.9.0-beta.1; fixed 5.9.0-beta.1

    Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling t

  • CVE-2026-28696 (Mar 4, 2026)
    affected >= 4.0.0-RC1, < 4.17.0-beta.1; fixed 4.17.0-beta.1

    Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is ena

  • CVE-2026-28695 (Mar 4, 2026)
    affected >= 5.8.7, < 5.9.0-beta.1; fixed 5.9.0-beta.1

    Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which al

  • CVE-2026-27129 (Feb 24, 2026)
    affected >= 5.0.0-RC1, < 5.8.23; fixed 5.8.23

    Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the

  • CVE-2026-27128 (Feb 24, 2026)
    affected >= 4.5.0-RC1, < 4.16.19; fixed 4.16.19

    Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()`

  • CVE-2026-27127 (Feb 24, 2026)
    affected >= 5.0.0-RC1, < 5.8.23; fixed 5.8.23

    Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerabilit

  • CVE-2026-27126 (Feb 24, 2026)
    affected >= 4.5.0-RC1, < 4.16.19; fixed 4.16.19

    Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the

  • CVE-2026-25498 (Feb 9, 2026)
    affected >= 5.0.0-RC1, < 5.8.22; fixed 5.8.22

    Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-

  • CVE-2026-25497 (Feb 9, 2026)
    affected >= 5.0.0-RC1, < 5.9.0-beta.1; fixed 5.9.0-beta.1

    Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to esc

  • CVE-2026-25496 (Feb 9, 2026)
    affected >= 5.0.0-RC1, < 5.8.22; fixed 5.8.22

    Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without pro

  • CVE-2026-25495 (Feb 9, 2026)
    affected >= 5.0.0-RC1, < 5.8.22; fixed 5.8.22

    Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanit

  • CVE-2026-25494 (Feb 9, 2026)
    affected >= 5.0.0-RC1, < 5.8.22; fixed 5.8.22

    Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (he

  • CVE-2026-25493 (Feb 9, 2026)
    affected >= 5.0.0-RC1, < 5.8.22; fixed 5.8.22

    Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An

  • CVE-2026-25491 (Feb 9, 2026)
    affected >= 5.0.0-RC1, < 5.8.22; fixed 5.8.22

    Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.

Page 2 of 5