Craftcms
Products (12)
- 70 CVEs
- 27 CVEs
- 23 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 0 CVEs
- 0 CVEs
- 0 CVEs
- 0 CVEs
Recent CVEs (124 total)

| CVE | Severity | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2020-37071 | Critical | 0.64 | 9.8 | 0.01 | Feb 3, 2026 | CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the… |
| CVE-2026-55791 | Critical | 0.52 | — | — | Jun 19, 2026 | Craft CMS is vulnerable to Server-Side Request Forgery (SSRF) and arbitrary JavaScript injection through the `/actions/app/resource-js` endpoint. By exploiting the default permissive `trustedHosts` configuration, an attacker can poison the `Host` or… |
| CVE-2026-32272 | High | 0.50 | — | 0.00 | Apr 13, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a… |
| CVE-2026-32268 | High | 0.50 | — | 0.00 | Mar 18, 2026 | The Azure Blob Storage for Craft CMS plugin provides an Azure Blob Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.1.1, unauthenticated users can view a list of buckets the plugin has access to. The `DefaultController->actionLoadContainerData()`… |
| CVE-2026-44011 | High | 0.49 | — | 0.00 | May 12, 2026 | Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS contains an input-handling flaw in a Yii object creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. The… |
| CVE-2026-32261 | High | 0.48 | — | 0.00 | Mar 16, 2026 | The Webhooks for Craft CMS plugin adds the ability to manage "webhooks" in Craft CMS, which send GET or POST requests when certain events occur. From version 3.0.0 to before version 3.2.0, the Webhooks plugin renders user-supplied template content through Twig's… |
| CVE-2025-68538 | High | 0.46 | 7.1 | 0.00 | Jan 22, 2026 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft (craftcoffee) allows DOM-based XSS. This issue affects Craft: from n/a through 2.3.6. Note: this entry concerns the ThemeGoods "Craft" theme, not Craft CMS. |
| CVE-2026-32271 | High | 0.43 | — | 0.00 | Apr 13, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through… |
| CVE-2026-31266 | High | 0.40 | 7.3 | 0.00 | May 27, 2026 | Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint (/actions/app/migrate). |
| CVE-2017-8384 | Medium | 0.40 | 6.1 | 0.01 | May 1, 2017 | Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052. |
| CVE-2026-44012 | High | 0.39 | — | 0.00 | May 12, 2026 | Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI… |
| CVE-2026-44010 | High | 0.39 | — | 0.00 | May 12, 2026 | Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege… |
| CVE-2026-32265 | Medium | 0.38 | — | 0.00 | Mar 18, 2026 | The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users… |
| CVE-2017-9516 | Medium | 0.38 | 5.4 | 0.02 | Jun 8, 2017 | Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file. |
| CVE-2017-8383 | Medium | 0.35 | 5.3 | 0.01 | May 1, 2017 | Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder. |
| CVE-2017-8052 | Medium | 0.33 | 6.1 | 0.01 | Apr 22, 2017 | Craft CMS before 2.6.2974 allows XSS attacks. |
| CVE-2026-41130 | Medium | 0.29 | — | 0.00 | Apr 22, 2026 | Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When `trustedHosts` is not explicitly… |
| CVE-2026-41129 | Medium | 0.29 | — | 0.00 | Apr 22, 2026 | Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the… |
| CVE-2017-8385 | Medium | 0.28 | 5.3 | 0.01 | May 1, 2017 | Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message. |
| CVE-2026-41128 | Medium | 0.27 | — | 0.00 | Apr 22, 2026 | Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for… |
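Two of the entries above (CVE-2026-55791 and CVE-2026-41130) hinge on the same weak default: Craft's `trustedHosts` general config setting, which is passed through to Yii's `yii\web\Request::$trustedHosts`, defaults to `['any']`, so every connecting client may supply `X-Forwarded-Host`/`X-Forwarded-Proto` and thereby steer the host Craft builds absolute URLs from. The following `config/general.php` is an added hardening example written for this page; it is not code from Craft CMS, Pixel & Tonic, or any advisory, and it does not replace upgrading to a fixed release. The proxy address range `10.0.0.0/24`, the `PRIMARY_SITE_URL` environment variable fallback, and the `dev` environment values are assumptions for the example.

```php
<?php
// config/general.php (added example, not Craft's shipped config)
//
// Weak setting (Craft's documented default), shown for contrast only:
//
//     'trustedHosts' => ['any'],
//
// With ['any'], Yii honors forwarded headers from every client, so a request
// carrying "X-Forwarded-Host: attacker.example" makes Craft generate URLs,
// and fetch "remote" resources, from an attacker-chosen host.

use craft\helpers\App;

return [
    // Settings that apply in every environment.
    '*' => [
        // Yii trustedHosts syntax: connecting-IP pattern (IP or CIDR) =>
        // list of forwarded headers that may be honored from that source.
        // Only the reverse proxy/load balancer is allowed to set them.
        // 10.0.0.0/24 is an assumed proxy range; use your own.
        'trustedHosts' => [
            '10.0.0.0/24' => ['X-Forwarded-Host', 'X-Forwarded-Proto', 'X-Forwarded-For'],
        ],

        // Pin the public base URL so Craft never derives it from the Host
        // header. App::env() reads an environment variable; the literal
        // fallback is a placeholder for this example.
        'aliases' => [
            '@web' => App::env('PRIMARY_SITE_URL') ?: 'https://www.example.com',
        ],
    ],

    // Local development: no proxy in front, so trust nothing but loopback.
    'dev' => [
        'trustedHosts' => [
            '127.0.0.1' => ['X-Forwarded-Host', 'X-Forwarded-Proto'],
        ],
        'aliases' => [
            '@web' => 'http://localhost:8080',
        ],
    ],
];
```

The two settings do different jobs: `trustedHosts` limits which connecting IPs may inject forwarded headers (Yii matches the pattern against the remote address, not the `Host` header), while the `@web` alias removes the dependency on the `Host` header entirely for URL generation. Both are worth setting even after patching, since any endpoint that builds absolute URLs inherits the same exposure when the default is left in place.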