VYPR
Vendor: Craftcms
Products: 12
CVEs: 124 (126 across products)
Status: Private

Recent CVEs (124)
  • CVE-2020-37071 [Critical] Feb 3, 2026
    risk 0.64 | CVSS 9.8 | EPSS 0.01

    CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the…

  • CVE-2026-55791 [Critical] Jun 19, 2026
    risk 0.52 | CVSS n/a | EPSS n/a

    1. Overview: Craft CMS is vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the `/actions/app/resource-js` endpoint. By exploiting the default permissive `trustedHosts` configuration, an attacker can poison the `Host` or…

  • CVE-2026-32272 [High] Apr 13, 2026
    risk 0.50 | CVSS n/a | EPSS 0.00

    Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a…

  • CVE-2026-32268 [High] Mar 18, 2026
    risk 0.50 | CVSS n/a | EPSS 0.00

    The Azure Blob Storage for Craft CMS plugin provides an Azure Blob Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.1.1, unauthenticated users can view a list of buckets the plugin has access to. The `DefaultController->actionLoadContainerData()`…

  • CVE-2026-44011 [High] May 12, 2026
    risk 0.49 | CVSS n/a | EPSS 0.00

    Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS contains an input-handling flaw in a Yii object creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. The…

  • CVE-2026-32261 [High] Mar 16, 2026
    risk 0.48 | CVSS n/a | EPSS 0.00

    Webhooks for Craft CMS plugin adds the ability to manage “webhooks” in Craft CMS, which will send GET or POST requests when certain events occur. From version 3.0.0 to before version 3.2.0, the Webhooks plugin renders user-supplied template content through Twig’s…

  • CVE-2025-68538 [High] Jan 22, 2026
    risk 0.46 | CVSS 7.1 | EPSS 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS. This issue affects Craft: from n/a through <= 2.3.6.

  • CVE-2026-32271 [High] Apr 13, 2026
    risk 0.43 | CVSS n/a | EPSS 0.00

    Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through…

  • CVE-2026-31266 [High] May 27, 2026
    risk 0.40 | CVSS 7.3 | EPSS 0.00

    Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint (/actions/app/migrate).

  • CVE-2017-8384 [Medium] May 1, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052.

  • CVE-2026-44012 [High] May 12, 2026
    risk 0.39 | CVSS n/a | EPSS 0.00

    Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI…

  • CVE-2026-44010 [High] May 12, 2026
    risk 0.39 | CVSS n/a | EPSS 0.00

    Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege…

  • CVE-2026-32265 [Medium] Mar 18, 2026
    risk 0.38 | CVSS n/a | EPSS 0.00

    The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users…

  • CVE-2017-9516 [Medium] Jun 8, 2017
    risk 0.38 | CVSS 5.4 | EPSS 0.02

    Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.

  • CVE-2017-8383 [Medium] May 1, 2017
    risk 0.35 | CVSS 5.3 | EPSS 0.01

    Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder.

  • CVE-2017-8052 [Medium] Apr 22, 2017
    risk 0.33 | CVSS 6.1 | EPSS 0.01

    Craft CMS before 2.6.2974 allows XSS attacks.

  • CVE-2026-41130 [Medium] Apr 22, 2026
    risk 0.29 | CVSS n/a | EPSS 0.00

    Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When `trustedHosts` is not explicitly…

  • CVE-2026-41129 [Medium] Apr 22, 2026
    risk 0.29 | CVSS n/a | EPSS 0.00

    Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the…

  • CVE-2017-8385 [Medium] May 1, 2017
    risk 0.28 | CVSS 5.3 | EPSS 0.01

    Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.

  • CVE-2026-41128 [Medium] Apr 22, 2026
    risk 0.27 | CVSS n/a | EPSS 0.00

    Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for…