VYPR

Craft CMS

by Craftcms

CVEs (27)

  • CVE-2026-55791  Critical  Jun 19, 2026
    risk 0.52 | cvss n/a | epss n/a

    Overview: Craft CMS is vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the `/actions/app/resource-js` endpoint. By exploiting the default permissive `trustedHosts` configuration, an attacker can poison the `Host` or…

  • CVE-2025-68538  High  Jan 22, 2026
    risk 0.46 | cvss 7.1 | epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS. This issue affects Craft: from n/a through <= 2.3.6. (Note that this advisory describes the ThemeGoods "Craft" theme, slug craftcoffee, not the Craft CMS product the rest of this list covers.)

  • CVE-2026-31266  High  May 27, 2026
    risk 0.40 | cvss 7.3 | epss 0.00

    Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint (/actions/app/migrate).

  • CVE-2017-8384  Medium  May 1, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    Craft CMS before 2.6.2976 allows XSS attacks because the arrays returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052.

  • CVE-2017-9516  Medium  Jun 8, 2017
    risk 0.38 | cvss 5.4 | epss 0.02

    Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.

  • CVE-2017-8383  Medium  May 1, 2017
    risk 0.35 | cvss 5.3 | epss 0.01

    Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder.

  • CVE-2017-8052  Medium  Apr 22, 2017
    risk 0.33 | cvss 6.1 | epss 0.01

    Craft CMS before 2.6.2974 allows XSS attacks.

  • CVE-2017-8385  Medium  May 1, 2017
    risk 0.28 | cvss 5.3 | epss 0.01

    Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.

  • CVE-2019-9554  Dec 31, 2019
    risk 0.03 | cvss n/a | epss 0.03

    In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI.

  • CVE-2023-30130  May 12, 2023
    risk 0.01 | cvss n/a | epss 0.01

    An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter.

  • CVE-2026-56394  Jun 21, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to…

  • CVE-2026-56393  Jun 21, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{…

  • CVE-2026-56385  Jun 21, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to…

  • CVE-2026-56384  Jun 21, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback…

  • CVE-2026-56382  Jun 21, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling…

  • CVE-2026-56381  Jun 21, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that…

  • CVE-2023-30179  Jun 13, 2023
    risk 0.00 | cvss n/a | epss 0.02

    CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting User Photo Location in User Settings, leading to Remote Code Execution. NOTE: the vendor disputes this…

  • CVE-2023-2817  May 26, 2023
    risk 0.00 | cvss n/a | epss 0.00

    A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries…

  • CVE-2023-30177  Apr 25, 2023
    risk 0.00 | cvss n/a | epss 0.00

    CraftCMS 3.7.59 is vulnerable to Cross Site Scripting (XSS). An attacker can inject JavaScript code into the Volume Name field.

  • CVE-2022-37783  Dec 5, 2022
    risk 0.00 | cvss n/a | epss 0.01

    All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and a HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site…
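
Several entries above (CVE-2017-9516 in particular) concern XSS delivered through an uploaded SVG, which is XML that browsers will happily execute script from. The check below is an added example and is not Craft CMS code: it parses a candidate SVG and reports the active-content constructs a platform should reject before accepting the file (script and foreignObject elements, on* event-handler attributes, and javascript:/vbscript: URLs in href attributes, with whitespace-obfuscated schemes such as `java&#10;script:` normalised away). The two sample documents are constructed for the demonstration. For untrusted input in production, parse with defusedxml rather than the standard library parser to also cover entity-expansion attacks; that library is assumed, not shown here.

```python
"""Flag SVG uploads that carry active content (added example, not Craft CMS code)."""
import xml.etree.ElementTree as ET

# Elements that can run or embed arbitrary code inside an SVG.
_DANGEROUS_TAGS = {"script", "foreignObject"}
# Attribute keys ElementTree produces for plain href and xlink:href.
_URL_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
_BAD_SCHEMES = ("javascript:", "vbscript:")


def _local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons this SVG should be rejected; an empty list means no finding."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]

    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in _DANGEROUS_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            if attr in _URL_ATTRS:
                # Collapse whitespace and control characters that browsers ignore
                # inside a scheme, so "java\nscript:" is caught as "javascript:".
                scheme = "".join(value.split()).lower()
                if scheme.startswith(_BAD_SCHEMES):
                    findings.append(f"{scheme.split(':', 1)[0]}: URL in {aname} on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """True only when the parser accepted the file and nothing was flagged."""
    return not svg_findings(data)


# Constructed sample inputs for the demonstration.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.cookie)</script>
  <rect width="10" height="10" onload="alert(1)"/>
  <a xlink:href="java&#10;script:alert(2)"><text>click</text></a>
</svg>"""


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, "->", svg_findings(blob) or "no findings")
```

Rejecting on any finding is the safe default for a CMS asset volume; the alternative of rewriting the SVG to strip the offending nodes needs a full sanitiser, because event handlers and script URLs can also hide in `<style>` blocks and `<use>` references that this check does not cover.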

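The affected ranges in the entries above mix plain releases ("5.9.5 and earlier"), build numbers ("before 2.6.2976") and pre-release bounds ("< 4.17.0-beta.1", ">= 5.0.0-RC1"), and a naive string or float comparison gets several of them wrong. The script below is an added example, not Craft CMS or VYPR code: it parses Craft-style version strings, orders pre-releases correctly (a pre-release sorts before the final release of the same number, and alpha < beta < RC), and checks an installed version against the ranges transcribed from this page. Bounds are encoded exactly as the summaries state them; a summary that gives only an upper bound is encoded as open below, so earlier major versions match it too. Entries whose summaries give no version range are omitted.

```python
"""Check an installed Craft CMS version against the ranges listed on this page.

Added example (not Craft CMS or VYPR code). AFFECTED is transcribed from the CVE
summaries above, with their bounds taken literally.
"""
import re
from dataclasses import dataclass
from functools import total_ordering
from typing import Optional

_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release ordering: alpha < beta < RC


@total_ordering
class Version:
    """Craft-style version: '5.9.13', '4.17.0-beta.1', '4.0.0-RC1', '2.6.2976'."""

    def __init__(self, text: str):
        self.text = text
        release, _, pre = text.partition("-")
        self.release = tuple(int(p) for p in release.split("."))
        self.pre = None
        if pre:
            m = re.fullmatch(r"([A-Za-z]+)\.?(\d*)", pre)
            if not m or m.group(1).lower() not in _STAGE_RANK:
                raise ValueError(f"unrecognised pre-release tag: {text!r}")
            self.pre = (_STAGE_RANK[m.group(1).lower()], int(m.group(2) or 0))

    def _key(self, width: int):
        rel = self.release + (0,) * (width - len(self.release))  # pad so 5.9 == 5.9.0
        # A final release sorts after every pre-release of the same number.
        return (rel, 1 if self.pre is None else 0, self.pre or (0, 0))

    def __eq__(self, other):
        w = max(len(self.release), len(other.release))
        return self._key(w) == other._key(w)

    def __lt__(self, other):
        w = max(len(self.release), len(other.release))
        return self._key(w) < other._key(w)


@dataclass(frozen=True)
class Range:
    lo: Optional[str] = None   # None = open below (summary gave no lower bound)
    lo_incl: bool = True
    hi: Optional[str] = None   # None = open above
    hi_incl: bool = True

    def contains(self, v: Version) -> bool:
        if self.lo is not None:
            lo = Version(self.lo)
            if v < lo or (v == lo and not self.lo_incl):
                return False
        if self.hi is not None:
            hi = Version(self.hi)
            if v > hi or (v == hi and not self.hi_incl):
                return False
        return True


# Transcribed from the summaries on this page, bounds exactly as stated there.
AFFECTED = {
    "CVE-2017-8052": [Range(hi="2.6.2974", hi_incl=False)],
    "CVE-2017-8383": [Range(hi="2.6.2976", hi_incl=False)],
    "CVE-2017-8384": [Range(hi="2.6.2976", hi_incl=False)],
    "CVE-2017-8385": [Range(hi="2.6.2976", hi_incl=False)],
    "CVE-2017-9516": [Range(hi="2.6.2982", hi_incl=False)],
    "CVE-2022-37783": [Range(lo="3.0.0", hi="3.7.32")],
    "CVE-2023-2817": [Range(hi="4.4.11")],
    "CVE-2026-31266": [Range(hi="5.9.5")],
    "CVE-2026-56382": [Range(lo="5.5.0", hi="5.9.13")],
    "CVE-2026-56385": [Range(lo="5.0.0-RC1", hi="5.9.13"),
                       Range(lo="4.0.0-RC1", hi="4.17.7")],
    "CVE-2026-56393": [Range(lo="5.0.0-RC1", hi="5.9.0-beta.1", hi_incl=False),
                       Range(lo="4.0.0-RC1", hi="4.17.0-beta.1", hi_incl=False)],
}


def affected_by(version_text: str) -> list[str]:
    """Return the CVE ids in AFFECTED whose ranges include the given version, sorted."""
    v = Version(version_text)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(r.contains(v) for r in ranges))


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:] or ["5.9.13", "4.17.0-beta.1"]:
        hits = affected_by(arg)
        print(f"{arg}: {', '.join(hits) if hits else 'no listed CVE matches'}")
```

Run it as `python craft_ranges.py 5.9.13` (the file name is an assumption). The pre-release handling matters for the 2026 entries: 5.9.0-beta.1 is excluded from CVE-2026-56393 because that bound is exclusive, while 4.0.0-RC1 is included in CVE-2026-56385 because its lower bound is inclusive.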
Page 1 of 2