Craft CMS
by Craftcms
Source repositories
CVEs (27)
| CVE | Severity | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2026-55791 | Critical | 0.52 | — | — | Jun 19, 2026 | Craft CMS is vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the `/actions/app/resource-js` endpoint. By exploiting the default permissive `trustedHosts` configuration, an attacker can poison the `Host` or… |
| CVE-2025-68538 | High | 0.46 | 7.1 | 0.00 | Jan 22, 2026 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS. This issue affects Craft: from n/a through <= 2.3.6. |
| CVE-2026-31266 | High | 0.40 | 7.3 | 0.00 | May 27, 2026 | Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint (`/actions/app/migrate`). |
| CVE-2017-8384 | Medium | 0.40 | 6.1 | 0.01 | May 1, 2017 | Craft CMS before 2.6.2976 allows XSS attacks because an array returned by `HttpRequestService::getSegments()` and `getActionSegments()` need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052. |
| CVE-2017-9516 | Medium | 0.38 | 5.4 | 0.02 | Jun 8, 2017 | Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file. |
| CVE-2017-8383 | Medium | 0.35 | 5.3 | 0.01 | May 1, 2017 | Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the `craft/app/` folder. |
| CVE-2017-8052 | Medium | 0.33 | 6.1 | 0.01 | Apr 22, 2017 | Craft CMS before 2.6.2974 allows XSS attacks. |
| CVE-2017-8385 | Medium | 0.28 | 5.3 | 0.01 | May 1, 2017 | Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message. |
| CVE-2019-9554 | — | 0.03 | — | 0.03 | Dec 31, 2019 | In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an `s/admin/entries/news/new` URI. |
| CVE-2023-30130 | — | 0.01 | — | 0.01 | May 12, 2023 | An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter. |
| CVE-2026-56394 | — | 0.00 | — | 0.00 | Jun 21, 2026 | Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the `assets/icon` endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to… |
| CVE-2026-56393 | — | 0.00 | — | 0.00 | Jun 21, 2026 | Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the `checkbox.twig` template, which used {{… |
| CVE-2026-56385 | — | 0.00 | — | 0.00 | Jun 21, 2026 | Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the `assets/preview-file` endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to… |
| CVE-2026-56384 | — | 0.00 | — | 0.00 | Jun 21, 2026 | Craft CMS contains a missing authorization vulnerability in the `assets/preview-thumb` endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled `assetId` and receive preview HTML containing a signed fallback… |
| CVE-2026-56382 | — | 0.00 | — | 0.00 | Jun 21, 2026 | Craft CMS (composer package `craftcms/cms`) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the `FieldsController::actionRenderCardPreview()` method, which passes the `fieldLayoutConfig` POST parameter directly to `Fields::createLayout()` without calling… |
| CVE-2026-56381 | — | 0.00 | — | 0.00 | Jun 21, 2026 | Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that… |
| CVE-2023-30179 | — | 0.00 | — | 0.02 | Jun 13, 2023 | CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting User Photo Location in User Settings, leading to Remote Code Execution. NOTE: the vendor disputes this… |
| CVE-2023-2817 | — | 0.00 | — | 0.00 | May 26, 2023 | A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags, can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries… |
| CVE-2023-30177 | — | 0.00 | — | 0.00 | Apr 25, 2023 | CraftCMS 3.7.59 is vulnerable to Cross Site Scripting (XSS). An attacker can inject JavaScript code into the Volume Name. |
| CVE-2022-37783 | — | 0.00 | — | 0.01 | Dec 5, 2022 | All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called `CRAFT_CSRF_TOKEN` and an HTML hidden field called `CRAFT_CSRF_TOKEN` to avoid Cross Site… |
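The affected-version strings in this listing mix Composer-style pre-release tags (`4.0.0-RC1`, `5.9.0-beta.1`), four-part 2.x build numbers (`2.6.2976`) and open-ended phrases such as `<= 4.4.11`, so naive string comparison gets them wrong. The checker below is an added example, not part of this listing's source or of the Craft CMS project: it parses such versions with Composer's ordering (alpha < beta < RC < final), matches an installed `craftcms/cms` version against ranges transcribed from the descriptions above for the entries that state explicit bounds, and reads the installed version out of a constructed `composer.lock` excerpt. Where a description is vague ("between 3.0.0 and 3.7.32"), the inclusive choice is an assumption and is marked as such in the code; a literal `<= 4.4.11` is kept literal, which means it also matches 3.x and 2.x installs.

```python
"""Match an installed craftcms/cms version against the affected ranges listed above.

Added example for this listing (not Craft CMS project code). ADVISORIES is transcribed from
the descriptions above for entries that give explicit bounds; SAMPLE_LOCK is constructed.
"""
import json
import operator
import re

# Composer stability order: alpha < beta < RC < final release.
PRE_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "rc": 2}
FINAL_RANK = 3

VERSION_RE = re.compile(
    r"(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc|a|b)[-.]?(\d+)?)?", re.IGNORECASE
)


def parse_version(text):
    """Turn '5.9.0-beta.1', '4.0.0-RC1' or '2.6.2976' into a comparable tuple."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))  # pad so 2.6.2976 and 5.9 compare component-wise
    if m.group(2):
        pre = (PRE_RANK[m.group(2).lower()], int(m.group(3) or 0))
    else:
        pre = (FINAL_RANK, 0)  # a final release sorts after any of its pre-releases
    return nums + pre


OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}
CONSTRAINT_RE = re.compile(r"(<=|>=|<|>)\s*(\S+)")


def in_range(version, constraint):
    """True when `version` satisfies every clause of a constraint such as
    '>=5.5.0 <=5.9.13' (clauses are ANDed)."""
    v = parse_version(version)
    for op, bound in CONSTRAINT_RE.findall(constraint):
        if not OPS[op](v, parse_version(bound)):
            return False
    return True


# (CVE, alternative ranges): a version is affected if it falls in ANY of the ranges.
ADVISORIES = [
    ("CVE-2026-56393", [">=4.0.0-RC1 <4.17.0-beta.1", ">=5.0.0-RC1 <5.9.0-beta.1"]),
    ("CVE-2026-56385", [">=5.0.0-RC1 <=5.9.13", ">=4.0.0-RC1 <=4.17.7"]),
    ("CVE-2026-56382", [">=5.5.0 <=5.9.13"]),
    # Transcribed literally; as written this also matches 3.x and 2.x versions.
    ("CVE-2023-2817", ["<=4.4.11"]),
    # "between 3.0.0 and 3.7.32": both ends treated as inclusive (assumption).
    ("CVE-2022-37783", [">=3.0.0 <=3.7.32"]),
    ("CVE-2017-8384", ["<2.6.2976"]),
    ("CVE-2017-9516", ["<2.6.2982"]),
]


def affected_cves(version, advisories=ADVISORIES):
    """CVE IDs from `advisories` whose ranges include `version`, in listing order."""
    return [cve for cve, ranges in advisories if any(in_range(version, r) for r in ranges)]


def version_from_composer_lock(lock_text, package="craftcms/cms"):
    """Pull the installed version of `package` out of composer.lock JSON text."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == package:
            return pkg["version"].lstrip("v")  # some packages tag versions as v3.11.0
    raise LookupError(f"{package} not found in composer.lock")


# Constructed composer.lock excerpt containing only the fields this script reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.9.13"},
        {"name": "twig/twig", "version": "v3.11.0"},
    ]
})

if __name__ == "__main__":
    installed = version_from_composer_lock(SAMPLE_LOCK)
    print(installed, "->", affected_cves(installed) or "no listed CVE matches")
```

Run it against a real `composer.lock` by replacing `SAMPLE_LOCK` with the file's contents. Note the two places where the literal text and the intended scope diverge: `4.17.0-beta.1` is not matched by CVE-2026-56393 (the bound is exclusive) but is matched by CVE-2026-56385 because a beta sorts below `4.17.7`, and a 3.7.x install is flagged for CVE-2023-2817 purely because `<= 4.4.11` says nothing about lower major versions. Confirm such hits against the vendor advisory rather than the CVE summary.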
Page 1 of 2