CMS
by Craftcms
Source repositories
CVEs (70)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-25498 | 0.00 | — | 0.01 | Feb 9, 2026 | Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize… | |||
| CVE-2026-25497 | 0.00 | — | 0.00 | Feb 9, 2026 | Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to… | |||
| CVE-2026-25496 | 0.00 | — | 0.00 | Feb 9, 2026 | Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without… | |||
| CVE-2026-25495 | 0.00 | — | 0.01 | Feb 9, 2026 | Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to… | |||
| CVE-2026-25494 | 0.00 | — | 0.00 | Feb 9, 2026 | Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations… | |||
| CVE-2026-25493 | 0.00 | — | 0.00 | Feb 9, 2026 | Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An… | |||
| CVE-2026-25492 | 0.00 | — | 0.00 | Feb 9, 2026 | Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname… | |||
| CVE-2026-25491 | 0.00 | — | 0.00 | Feb 9, 2026 | Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22. | |||
| CVE-2025-68456 | 0.00 | — | 0.00 | Jan 5, 2026 | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure.… | |||
| CVE-2025-68455 | 0.00 | — | 0.01 | Jan 5, 2026 | Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft… | |||
| CVE-2025-68454 | 0.00 | — | 0.01 | Jan 5, 2026 | Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel,… | |||
| CVE-2025-68437 | 0.00 | — | 0.00 | Jan 5, 2026 | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save__Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file`… | |||
| CVE-2025-68436 | 0.00 | — | 0.00 | Jan 5, 2026 | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users… | |||
| CVE-2025-57811 | 0.00 | — | 0.01 | Aug 25, 2025 | Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has… | |||
| CVE-2025-54417 | 0.00 | — | 0.00 | Aug 9, 2025 | Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must… | |||
| CVE-2025-46731 | 0.00 | — | 0.01 | May 5, 2025 | Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be… | |||
| CVE-2024-52291 | 0.00 | — | 0.01 | Nov 13, 2024 | Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme (e.g., file://file:////). This enables the attacker to specify sensitive folders as the file system, leading to… | |||
| CVE-2024-52292 | 0.00 | — | 0.01 | Nov 13, 2024 | Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By… | |||
| CVE-2024-52293 | 0.00 | — | 0.01 | Nov 13, 2024 | Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in… | |||
| CVE-2024-45406 | 0.00 | — | 0.00 | Sep 9, 2024 | Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input. |
- CVE-2026-25498Feb 9, 2026risk 0.00cvss —epss 0.01
Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize…
- CVE-2026-25497Feb 9, 2026risk 0.00cvss —epss 0.00
Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to…
- CVE-2026-25496Feb 9, 2026risk 0.00cvss —epss 0.00
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without…
- CVE-2026-25495Feb 9, 2026risk 0.00cvss —epss 0.01
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to…
- CVE-2026-25494Feb 9, 2026risk 0.00cvss —epss 0.00
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations…
- CVE-2026-25493Feb 9, 2026risk 0.00cvss —epss 0.00
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An…
- CVE-2026-25492Feb 9, 2026risk 0.00cvss —epss 0.00
Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname…
- CVE-2026-25491Feb 9, 2026risk 0.00cvss —epss 0.00
Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.
- CVE-2025-68456Jan 5, 2026risk 0.00cvss —epss 0.00
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure.…
- CVE-2025-68455Jan 5, 2026risk 0.00cvss —epss 0.01
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft…
- CVE-2025-68454Jan 5, 2026risk 0.00cvss —epss 0.01
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel,…
- CVE-2025-68437Jan 5, 2026risk 0.00cvss —epss 0.00
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save__Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file`…
- CVE-2025-68436Jan 5, 2026risk 0.00cvss —epss 0.00
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users…
- CVE-2025-57811Aug 25, 2025risk 0.00cvss —epss 0.01
Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has…
- CVE-2025-54417Aug 9, 2025risk 0.00cvss —epss 0.00
Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must…
- CVE-2025-46731May 5, 2025risk 0.00cvss —epss 0.01
Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be…
- CVE-2024-52291Nov 13, 2024risk 0.00cvss —epss 0.01
Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme (e.g., file://file:////). This enables the attacker to specify sensitive folders as the file system, leading to…
- CVE-2024-52292Nov 13, 2024risk 0.00cvss —epss 0.01
Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By…
- CVE-2024-52293Nov 13, 2024risk 0.00cvss —epss 0.01
Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in…
- CVE-2024-45406Sep 9, 2024risk 0.00cvss —epss 0.00
Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input.
Page 3 of 4