Packagist (Composer) package
craftcms/cms
pkg:composer/craftcms/cms
Vulnerabilities (98)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-68456 | — | >= 5.0.0-RC1, < 5.8.21 | 5.8.21 | Jan 5, 2026 | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Us | ||
| CVE-2025-68455 | — | >= 5.0.0-RC1, < 5.8.21 | 5.8.21 | Jan 5, 2026 | Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft C | ||
| CVE-2025-68454 | — | >= 5.0.0-RC1, < 5.8.21 | 5.8.21 | Jan 5, 2026 | Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, | ||
| CVE-2025-68437 | — | >= 5.0.0-RC1, < 5.8.21 | 5.8.21 | Jan 5, 2026 | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save__Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` in | ||
| CVE-2025-68436 | — | >= 5.0.0-RC1, < 5.8.21 | 5.8.21 | Jan 5, 2026 | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users sho | ||
| CVE-2025-57811 | — | >= 4.0.0-RC1, < 4.16.6 | 4.16.6 | Aug 25, 2025 | Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has b | ||
| CVE-2025-54417 | — | >= 4.13.8, < 4.16.3 | 4.16.3 | Aug 9, 2025 | Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must me | ||
| CVE-2025-35939 | — | KEV | >= 5.0.0-alpha.1, < 5.7.5 | 5.7.5 | May 7, 2025 | Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file | |
| CVE-2025-46731 | — | >= 4.0.0-RC1, < 4.14.13 | 4.14.13 | May 5, 2025 | Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enable | ||
| CVE-2025-32432 | — | KEV | >= 3.0.0-RC1, < 3.9.15 | 3.9.15 | Apr 25, 2025 | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact | |
| CVE-2025-23209 | — | KEV | >= 5.0.0-RC1, < 5.5.8 | 5.5.8 | Jan 18, 2025 | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version | |
| CVE-2024-56145 | — | KEV | >= 5.0.0-RC1, < 5.5.2 | 5.5.2 | Dec 18, 2024 | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code executio | |
| CVE-2024-52291 | — | >= 5.0.0-RC1, < 5.4.6 | 5.4.6 | Nov 13, 2024 | Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme (e.g., file://file:////). This enables the attacker to specify sensitive folders as the file system, leading to p | ||
| CVE-2024-52292 | — | >= 5.0.0-alpha.1, < 5.4.9 | 5.4.9 | Nov 13, 2024 | Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By embeddi | ||
| CVE-2024-52293 | — | >= 4.0.0-RC1, < 4.12.2 | 4.12.2 | Nov 13, 2024 | Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12. | ||
| CVE-2024-45406 | — | >= 5.0.0, < 5.1.2 | 5.1.2 | Sep 9, 2024 | Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input. | ||
| CVE-2024-41800 | — | >= 5.0.0-beta.1, < 5.2.3 | 5.2.3 | Jul 25, 2024 | Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's | ||
| CVE-2024-37843 | — | <= 3.7.31 | — | Jun 25, 2024 | Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint. | ||
| CVE-2023-36260 | Hig | 7.5 | < 4.6.2 | 4.6.2 | Jan 30, 2024 | An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings to Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not | |
| CVE-2024-21622 | Med | 5.4 | >= 4.0.0-RC1, < 4.5.11 | 4.5.11 | Jan 3, 2024 | Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. |
- CVE-2025-68456Jan 5, 2026affected >= 5.0.0-RC1, < 5.8.21fixed 5.8.21
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Us
- CVE-2025-68455Jan 5, 2026affected >= 5.0.0-RC1, < 5.8.21fixed 5.8.21
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft C
- CVE-2025-68454Jan 5, 2026affected >= 5.0.0-RC1, < 5.8.21fixed 5.8.21
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel,
- CVE-2025-68437Jan 5, 2026affected >= 5.0.0-RC1, < 5.8.21fixed 5.8.21
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save__Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` in
- CVE-2025-68436Jan 5, 2026affected >= 5.0.0-RC1, < 5.8.21fixed 5.8.21
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users sho
- CVE-2025-57811Aug 25, 2025affected >= 4.0.0-RC1, < 4.16.6fixed 4.16.6
Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has b
- CVE-2025-54417Aug 9, 2025affected >= 4.13.8, < 4.16.3fixed 4.16.3
Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must me
- affected >= 5.0.0-alpha.1, < 5.7.5fixed 5.7.5
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file
- CVE-2025-46731May 5, 2025affected >= 4.0.0-RC1, < 4.14.13fixed 4.14.13
Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enable
- affected >= 3.0.0-RC1, < 3.9.15fixed 3.9.15
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact
- affected >= 5.0.0-RC1, < 5.5.8fixed 5.5.8
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version
- affected >= 5.0.0-RC1, < 5.5.2fixed 5.5.2
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code executio
- CVE-2024-52291Nov 13, 2024affected >= 5.0.0-RC1, < 5.4.6fixed 5.4.6
Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme (e.g., file://file:////). This enables the attacker to specify sensitive folders as the file system, leading to p
- CVE-2024-52292Nov 13, 2024affected >= 5.0.0-alpha.1, < 5.4.9fixed 5.4.9
Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By embeddi
- CVE-2024-52293Nov 13, 2024affected >= 4.0.0-RC1, < 4.12.2fixed 4.12.2
Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.
- CVE-2024-45406Sep 9, 2024affected >= 5.0.0, < 5.1.2fixed 5.1.2
Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input.
- CVE-2024-41800Jul 25, 2024affected >= 5.0.0-beta.1, < 5.2.3fixed 5.2.3
Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's
- CVE-2024-37843Jun 25, 2024affected <= 3.7.31
Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.
- affected < 4.6.2fixed 4.6.2
An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings to Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not
- affected >= 4.0.0-RC1, < 4.5.11fixed 4.5.11
Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6.
Page 3 of 5