Craftcms

All CVEs

124 total · sorted by risk
  • CVE-2020-37071 · Critical · Feb 3, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the…

  • CVE-2026-55791 · Critical · Jun 19, 2026
    risk 0.52 · CVSS n/a · EPSS n/a

    1. Overview: Craft CMS is vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the `/actions/app/resource-js` endpoint. By exploiting the default permissive `trustedHosts` configuration, an attacker can poison the `Host` or…

  • CVE-2026-32272 · High · Apr 13, 2026
    risk 0.50 · CVSS n/a · EPSS 0.00

    Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a…

  • CVE-2026-32268 · High · Mar 18, 2026
    risk 0.50 · CVSS n/a · EPSS 0.00

    The Azure Blob Storage for Craft CMS plugin provides an Azure Blob Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.1.1, unauthenticated users can view a list of buckets the plugin has access to. The `DefaultController->actionLoadContainerData()`…

  • CVE-2026-44011 · High · May 12, 2026
    risk 0.49 · CVSS n/a · EPSS 0.00

    Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS contains an input-handling flaw in a Yii object creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. The…

  • CVE-2026-32261 · High · Mar 16, 2026
    risk 0.48 · CVSS n/a · EPSS 0.00

    Webhooks for Craft CMS plugin adds the ability to manage “webhooks” in Craft CMS, which will send GET or POST requests when certain events occur. From version 3.0.0 to before version 3.2.0, the Webhooks plugin renders user-supplied template content through Twig’s…

  • CVE-2025-68538 · High · Jan 22, 2026
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS. This issue affects Craft: from n/a through <= 2.3.6.

  • CVE-2026-32271 · High · Apr 13, 2026
    risk 0.43 · CVSS n/a · EPSS 0.00

    Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through…

  • CVE-2026-31266 · High · May 27, 2026
    risk 0.40 · CVSS 7.3 · EPSS 0.00

    Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint (/actions/app/migrate).

  • CVE-2017-8384 · Medium · May 1, 2017
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052.

  • CVE-2026-44012 · High · May 12, 2026
    risk 0.39 · CVSS n/a · EPSS 0.00

    Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI…

  • CVE-2026-44010 · High · May 12, 2026
    risk 0.39 · CVSS n/a · EPSS 0.00

    Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege…

  • CVE-2026-32265 · Medium · Mar 18, 2026
    risk 0.38 · CVSS n/a · EPSS 0.00

    The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users…

  • CVE-2017-9516 · Medium · Jun 8, 2017
    risk 0.38 · CVSS 5.4 · EPSS 0.02

    Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.

  • CVE-2017-8383 · Medium · May 1, 2017
    risk 0.35 · CVSS 5.3 · EPSS 0.01

    Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder.

  • CVE-2017-8052 · Medium · Apr 22, 2017
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Craft CMS before 2.6.2974 allows XSS attacks.

  • CVE-2026-41130 · Medium · Apr 22, 2026
    risk 0.29 · CVSS n/a · EPSS 0.00

    Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When `trustedHosts` is not explicitly…

  • CVE-2026-41129 · Medium · Apr 22, 2026
    risk 0.29 · CVSS n/a · EPSS 0.00

    Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the…

  • CVE-2017-8385 · Medium · May 1, 2017
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.

  • CVE-2026-41128 · Medium · Apr 22, 2026
    risk 0.27 · CVSS n/a · EPSS 0.00

    Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for…

  • CVE-2025-32432 · KEV · Apr 25, 2025
    risk 0.16 · CVSS n/a · EPSS 1.00

    Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a…

  • CVE-2024-56145 · KEV · Dec 18, 2024
    risk 0.16 · CVSS n/a · EPSS 0.97

    Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code…

  • CVE-2026-32266 · Low · Mar 18, 2026
    risk 0.09 · CVSS n/a · EPSS 0.00

    The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the `DefaultController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of…

  • CVE-2025-23209 · KEV · Jan 18, 2025
    risk 0.05 · CVSS n/a · EPSS 0.05

    Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched…

  • CVE-2026-32270 · Low · Apr 13, 2026
    risk 0.04 · CVSS n/a · EPSS 0.00

    Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous…

  • CVE-2023-41892 · Sep 13, 2023
    risk 0.03 · CVSS n/a · EPSS 0.93

    Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.

  • CVE-2019-9554 · Dec 31, 2019
    risk 0.03 · CVSS n/a · EPSS 0.03

    In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI.

  • CVE-2023-30130 · May 12, 2023
    risk 0.01 · CVSS n/a · EPSS 0.01

    An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter.

  • CVE-2026-56394 · Jun 21, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to…

  • CVE-2026-56393 · Jun 21, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{…

  • CVE-2026-56385 · Jun 21, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to…

  • CVE-2026-56384 · Jun 21, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback…

  • CVE-2026-56383 · Jun 21, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with…

  • CVE-2026-56382 · Jun 21, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling…

  • CVE-2026-56381 · Jun 21, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that…

  • CVE-2026-55795 · Jun 19, 2026
    risk 0.00 · CVSS n/a · EPSS n/a

    Summary: The CartController defines a RateLimiter behavior that is only activated when the 'number' POST/GET parameter is explicitly provided. Details: When an attacker submits coupon codes against the session-based cart (without passing a 'number' parameter), no rate…

  • CVE-2026-33162 · Mar 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid}…

  • CVE-2026-33161 · Mar 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive…

  • CVE-2026-33160 · Mar 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch…

  • CVE-2026-33159 · Mar 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions…

  • CVE-2026-33158 · Mar 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that…

  • CVE-2026-33157 · Mar 24, 2026
    risk 0.00 · CVSS n/a · EPSS 0.01

    Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS that can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing…

  • CVE-2026-33051 · Mar 20, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A…

  • CVE-2026-32267 · Mar 16, 2026
    risk 0.00 · CVSS n/a · EPSS 0.08

    Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing…

  • CVE-2026-32264 · Mar 16, 2026
    risk 0.00 · CVSS n/a · EPSS 0.01

    Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel…

  • CVE-2026-32263 · Mar 16, 2026
    risk 0.00 · CVSS n/a · EPSS 0.01

    Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2…

  • CVE-2026-32262 · Mar 16, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call…

  • CVE-2026-31867 · Mar 11, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character…

  • CVE-2026-31859 · Mar 11, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets); it does not…

  • CVE-2026-31858 · Mar 11, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original…

Page 1 of 3