Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/209980?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/209980?format=api", "purl": "pkg:composer/craftcms/cms@2.3.0-alpha.2610", "type": "composer", "namespace": "craftcms", "name": "cms", "version": "2.3.0-alpha.2610", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.17.12", "latest_non_vulnerable_version": "5.9.18", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38578?format=api", "vulnerability_id": "VCID-3n7p-999s-r3f3", "summary": "File and Directory Information Exposure\nCraft CMS does not properly restrict viewing the contents of files in the `craft/app/` folder.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-8383", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.55056", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54998", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-8383" }, { "reference_url": "https://craftcms.com/changelog#2-6-2976", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://craftcms.com/changelog#2-6-2976" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://twitter.com/CraftCMS/status/857743080224473088", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://twitter.com/CraftCMS/status/857743080224473088" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8383", "reference_id": "CVE-2017-8383", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8383" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53532?format=api", "purl": "pkg:composer/craftcms/cms@2.6.2975", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-3twn-e7up-2ugq" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-9kjs-xj6x-y3gb" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-adak-sn51-23gd" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dgvz-qam7-23c1" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-n1z8-7a8m-rfcc" }, { "vulnerability": "VCID-nz6e-26rc-f3fa" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-rx96-8kfy-4ugu" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-xc5n-1vqa-tqaz" }, { "vulnerability": "VCID-xv52-rc7v-yba8" }, { "vulnerability": "VCID-y99n-vz47-qyfh" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@2.6.2975" }, { "url": "http://public2.vulnerablecode.io/api/packages/151100?format=api", "purl": "pkg:composer/craftcms/cms@2.6.2976", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-3twn-e7up-2ugq" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-9kjs-xj6x-y3gb" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-adak-sn51-23gd" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dgvz-qam7-23c1" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-n1z8-7a8m-rfcc" }, { "vulnerability": "VCID-nz6e-26rc-f3fa" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-rx96-8kfy-4ugu" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-xc5n-1vqa-tqaz" }, { "vulnerability": "VCID-xv52-rc7v-yba8" }, { "vulnerability": "VCID-y99n-vz47-qyfh" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@2.6.2976" } ], "aliases": [ "CVE-2017-8383", "GHSA-7qq6-fgpw-xw45" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3n7p-999s-r3f3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42836?format=api", "vulnerability_id": "VCID-3r9x-ax4j-3yha", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCraft CMS before 3.7.29 allows XSS.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-28378", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00328", "scoring_system": "epss", "scoring_elements": "0.56045", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00328", "scoring_system": "epss", "scoring_elements": "0.561", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-28378" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3729---2022-01-18", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3729---2022-01-18" }, { "reference_url": "https://github.com/craftcms/cms/commit/7ca2b2d2ccecfb524525afc8ceac6f6e44f84b88", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/7ca2b2d2ccecfb524525afc8ceac6f6e44f84b88" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28378", "reference_id": "CVE-2022-28378", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28378" }, { "reference_url": "https://github.com/advisories/GHSA-7xj5-fwqr-5378", "reference_id": "GHSA-7xj5-fwqr-5378", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7xj5-fwqr-5378" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61257?format=api", "purl": "pkg:composer/craftcms/cms@3.7.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-eecq-8t4y-kka3" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.29" } ], "aliases": [ "CVE-2022-28378", "GHSA-7xj5-fwqr-5378" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3r9x-ax4j-3yha" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40555?format=api", "vulnerability_id": "VCID-3twn-e7up-2ugq", "summary": "Missing Encryption of Sensitive Data\nCraft CMS allows remote authenticated administrators to read sensitive information via server-side template injection which causes a cleartext username and password to be displayed in a URI field.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-20465", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00664", "scoring_system": "epss", "scoring_elements": "0.71581", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00664", "scoring_system": "epss", "scoring_elements": "0.71626", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-20465" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/blob/master/CHANGELOG-v3.md", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/blob/master/CHANGELOG-v3.md" }, { "reference_url": "https://github.com/phuctam/Server-Side-Template-Injection-in-CraftCMS-/issues/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/phuctam/Server-Side-Template-Injection-in-CraftCMS-/issues/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20465", "reference_id": "CVE-2018-20465", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20465" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57237?format=api", "purl": "pkg:composer/craftcms/cms@3.0.35", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-9kjs-xj6x-y3gb" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-adak-sn51-23gd" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-eecq-8t4y-kka3" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-n1z8-7a8m-rfcc" }, { "vulnerability": "VCID-nz6e-26rc-f3fa" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-rx96-8kfy-4ugu" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-xc5n-1vqa-tqaz" }, { "vulnerability": "VCID-xv52-rc7v-yba8" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.0.35" } ], "aliases": [ "CVE-2018-20465", "GHSA-j7fx-v37j-v3w7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3twn-e7up-2ugq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44568?format=api", "vulnerability_id": "VCID-41y2-tucq-ykaj", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCraft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-23927", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02749", "scoring_system": "epss", "scoring_elements": "0.8627", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.02749", "scoring_system": "epss", "scoring_elements": "0.86292", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-23927" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#437---2023-02-03", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:35Z/" } ], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#437---2023-02-03" }, { "reference_url": "https://user-images.githubusercontent.com/53917092/215604129-d5b75608-5a24-4eb3-906f-55b192310298.mp4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:35Z/" } ], "url": "https://user-images.githubusercontent.com/53917092/215604129-d5b75608-5a24-4eb3-906f-55b192310298.mp4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23927", "reference_id": "CVE-2023-23927", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23927" }, { "reference_url": "https://github.com/advisories/GHSA-qcrj-6ffc-v7hq", "reference_id": "GHSA-qcrj-6ffc-v7hq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-qcrj-6ffc-v7hq" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-qcrj-6ffc-v7hq", "reference_id": "GHSA-qcrj-6ffc-v7hq", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:35Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qcrj-6ffc-v7hq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137658?format=api", "purl": "pkg:composer/craftcms/cms@3.7.64", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.64" }, { "url": "http://public2.vulnerablecode.io/api/packages/64107?format=api", "purl": "pkg:composer/craftcms/cms@4.3.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1468-4fdx-kbfr" }, { "vulnerability": "VCID-1mb5-28xp-ckd2" }, { "vulnerability": "VCID-2vn9-2cs3-vbg3" }, { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-4wkr-jx1w-77hn" }, { "vulnerability": "VCID-5cxe-tjpb-3qan" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-71sv-62m4-z3er" }, { "vulnerability": "VCID-7y4f-ef7t-47eb" }, { "vulnerability": "VCID-83rt-3tyj-qbgx" }, { "vulnerability": "VCID-8u2j-17a4-q7eh" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-9enr-b6zd-mbh8" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-akrv-yqnf-1kg8" }, { "vulnerability": "VCID-azr5-12f8-hfbm" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-cys8-jnmu-77ec" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-eaxm-rjr7-xudb" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-efwv-r3nc-73h9" }, { "vulnerability": "VCID-f7gc-cgka-tycr" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-fpke-p7sz-nfc9" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-hyct-5gap-7kdu" }, { "vulnerability": "VCID-jeyh-3jxd-z3g6" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-jxz8-g6fq-dubw" }, { "vulnerability": "VCID-kbrc-85av-nfcn" }, { "vulnerability": "VCID-m5rf-usae-yfb7" }, { "vulnerability": "VCID-nmzu-mefv-tqeh" }, { "vulnerability": "VCID-ppet-ruae-1kav" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-qwmy-d2e8-5khw" }, { "vulnerability": "VCID-qywv-vf4r-8bh9" }, { "vulnerability": "VCID-r5hp-5nju-9ubz" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-rvrz-498f-2uet" }, { "vulnerability": "VCID-rzq4-h1ms-nqef" }, { "vulnerability": "VCID-sa99-8awj-eycd" }, { "vulnerability": "VCID-twuy-wzb7-k7g3" }, { "vulnerability": "VCID-tzjk-x116-ayge" }, { "vulnerability": "VCID-vasz-rnn1-67ev" }, { "vulnerability": "VCID-w9yn-1573-hyau" }, { "vulnerability": "VCID-wcx6-wed9-gub2" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.3.7" } ], "aliases": [ "CVE-2023-23927", "GHSA-qcrj-6ffc-v7hq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-41y2-tucq-ykaj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45280?format=api", "vulnerability_id": "VCID-5pur-jy1x-gfhv", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCraft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-33197", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00848", "scoring_system": "epss", "scoring_elements": "0.75246", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-33197" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:32:08Z/" } ], "url": "https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.4.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:32:08Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.4.6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33197", "reference_id": "CVE-2023-33197", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33197" }, { "reference_url": "https://github.com/advisories/GHSA-6qjx-787v-6pxr", "reference_id": "GHSA-6qjx-787v-6pxr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6qjx-787v-6pxr" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxr", "reference_id": "GHSA-6qjx-787v-6pxr", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:32:08Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/65150?format=api", "purl": "pkg:composer/craftcms/cms@4.4.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1468-4fdx-kbfr" }, { "vulnerability": "VCID-1mb5-28xp-ckd2" }, { "vulnerability": "VCID-2vn9-2cs3-vbg3" }, { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-4wkr-jx1w-77hn" }, { "vulnerability": "VCID-5cxe-tjpb-3qan" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-71sv-62m4-z3er" }, { "vulnerability": "VCID-7y4f-ef7t-47eb" }, { "vulnerability": "VCID-83rt-3tyj-qbgx" }, { "vulnerability": "VCID-8u2j-17a4-q7eh" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-9enr-b6zd-mbh8" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-akrv-yqnf-1kg8" }, { "vulnerability": "VCID-azr5-12f8-hfbm" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-cys8-jnmu-77ec" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-eaxm-rjr7-xudb" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-efwv-r3nc-73h9" }, { "vulnerability": "VCID-f7gc-cgka-tycr" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-fpke-p7sz-nfc9" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hyct-5gap-7kdu" }, { "vulnerability": "VCID-jeyh-3jxd-z3g6" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-jxz8-g6fq-dubw" }, { "vulnerability": "VCID-kbrc-85av-nfcn" }, { "vulnerability": "VCID-m5rf-usae-yfb7" }, { "vulnerability": "VCID-nmzu-mefv-tqeh" }, { "vulnerability": "VCID-ppet-ruae-1kav" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-qwmy-d2e8-5khw" }, { "vulnerability": "VCID-qywv-vf4r-8bh9" }, { "vulnerability": "VCID-r5hp-5nju-9ubz" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-rzq4-h1ms-nqef" }, { "vulnerability": "VCID-sa99-8awj-eycd" }, { "vulnerability": "VCID-twuy-wzb7-k7g3" }, { "vulnerability": "VCID-tzjk-x116-ayge" }, { "vulnerability": "VCID-vasz-rnn1-67ev" }, { "vulnerability": "VCID-w9yn-1573-hyau" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6" } ], "aliases": [ "CVE-2023-33197", "GHSA-6qjx-787v-6pxr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5pur-jy1x-gfhv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43304?format=api", "vulnerability_id": "VCID-8pjj-w8h7-p7ga", "summary": "Weak Password Recovery Mechanism for Forgotten Password\nCraft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration).", "references": [ { "reference_url": "http://packetstormsecurity.com/files/166989/Craft-CMS-3.7.36-Password-Reset-Poisoning-Attack.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://packetstormsecurity.com/files/166989/Craft-CMS-3.7.36-Password-Reset-Poisoning-Attack.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29933", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02319", "scoring_system": "epss", "scoring_elements": "0.85111", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.02319", "scoring_system": "epss", "scoring_elements": "0.85087", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29933" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md" }, { "reference_url": "https://sec-consult.com/vulnerability-lab", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sec-consult.com/vulnerability-lab" }, { "reference_url": "https://sec-consult.com/vulnerability-lab/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://sec-consult.com/vulnerability-lab/" }, { "reference_url": "https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms" }, { "reference_url": "https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29933", "reference_id": "CVE-2022-29933", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29933" }, { "reference_url": "https://github.com/advisories/GHSA-5cjr-78cq-3wrg", "reference_id": "GHSA-5cjr-78cq-3wrg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5cjr-78cq-3wrg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62010?format=api", "purl": "pkg:composer/craftcms/cms@3.7.36", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.36" }, { "url": "http://public2.vulnerablecode.io/api/packages/62011?format=api", "purl": "pkg:composer/craftcms/cms@3.7.37", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.37" } ], "aliases": [ "CVE-2022-29933", "GHSA-5cjr-78cq-3wrg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8pjj-w8h7-p7ga" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38576?format=api", "vulnerability_id": "VCID-97zb-4cxh-7yah", "summary": "Weak Password Recovery Mechanism for Forgotten Password\nCraft CMS does not prevent modification of the URL in a forgot-password email message.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-8385", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00284", "scoring_system": "epss", "scoring_elements": "0.52046", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00284", "scoring_system": "epss", "scoring_elements": "0.52107", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-8385" }, { "reference_url": "https://craftcms.com/changelog#2-6-2976", "reference_id": "", "reference_type": "", "scores": [], "url": "https://craftcms.com/changelog#2-6-2976" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/blob/2.6.2976/CHANGELOG.md#security", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/blob/2.6.2976/CHANGELOG.md#security" }, { "reference_url": "https://github.com/craftcms/cms/commit/38c594badc8efc468b6162ec921d645011a50d35", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/38c594badc8efc468b6162ec921d645011a50d35" }, { "reference_url": "https://twitter.com/CraftCMS/status/857743080224473088", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://twitter.com/CraftCMS/status/857743080224473088" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8385", "reference_id": "CVE-2017-8385", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8385" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53532?format=api", "purl": "pkg:composer/craftcms/cms@2.6.2975", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-3twn-e7up-2ugq" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-9kjs-xj6x-y3gb" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-adak-sn51-23gd" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dgvz-qam7-23c1" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-n1z8-7a8m-rfcc" }, { "vulnerability": "VCID-nz6e-26rc-f3fa" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-rx96-8kfy-4ugu" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-xc5n-1vqa-tqaz" }, { "vulnerability": "VCID-xv52-rc7v-yba8" }, { "vulnerability": "VCID-y99n-vz47-qyfh" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@2.6.2975" }, { "url": "http://public2.vulnerablecode.io/api/packages/151100?format=api", "purl": "pkg:composer/craftcms/cms@2.6.2976", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-3twn-e7up-2ugq" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-9kjs-xj6x-y3gb" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-adak-sn51-23gd" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dgvz-qam7-23c1" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-n1z8-7a8m-rfcc" }, { "vulnerability": "VCID-nz6e-26rc-f3fa" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-rx96-8kfy-4ugu" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-xc5n-1vqa-tqaz" }, { "vulnerability": "VCID-xv52-rc7v-yba8" }, { "vulnerability": "VCID-y99n-vz47-qyfh" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@2.6.2976" } ], "aliases": [ "CVE-2017-8385", "GHSA-j27g-r58q-624w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-97zb-4cxh-7yah" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111130?format=api", "vulnerability_id": "VCID-9kjs-xj6x-y3gb", "summary": "Craft CMS XSS Vulnerability\nCraft CMS before 3.1.31 does not properly filter XML feeds, thus allowing XSS.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-12823", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00328", "scoring_system": "epss", "scoring_elements": "0.56045", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00328", "scoring_system": "epss", "scoring_elements": "0.561", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-12823" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/blob/6432eca59b93bcea2ca2616199e5d419447e613f/CHANGELOG-v3.md", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/blob/6432eca59b93bcea2ca2616199e5d419447e613f/CHANGELOG-v3.md" }, { "reference_url": "https://github.com/craftcms/cms/commit/6432eca59b93bcea2ca2616199e5d419447e613f", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/6432eca59b93bcea2ca2616199e5d419447e613f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12823", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12823" }, { "reference_url": "https://github.com/advisories/GHSA-w5q4-q7wp-qww6", "reference_id": "GHSA-w5q4-q7wp-qww6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-w5q4-q7wp-qww6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80119?format=api", "purl": "pkg:composer/craftcms/cms@3.1.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-adak-sn51-23gd" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-eecq-8t4y-kka3" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-n1z8-7a8m-rfcc" }, { "vulnerability": "VCID-nz6e-26rc-f3fa" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-uamr-mmjj-ryhc" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-xc5n-1vqa-tqaz" }, { "vulnerability": "VCID-xv52-rc7v-yba8" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.1.31" } ], "aliases": [ "CVE-2019-12823", "GHSA-w5q4-q7wp-qww6" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9kjs-xj6x-y3gb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45444?format=api", "vulnerability_id": "VCID-aajd-9qsf-37cr", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCraft CMS through 4.4.9 is vulnerable to HTML Injection.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-33495", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00168", "scoring_system": "epss", "scoring_elements": "0.3779", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-33495" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://medium.com/@mondalsomnath9135/html-injection-in-craft-cms-application-e2b28f746212", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://medium.com/@mondalsomnath9135/html-injection-in-craft-cms-application-e2b28f746212" }, { "reference_url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T21:12:01Z/" } ], "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33495", "reference_id": "CVE-2023-33495", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33495" }, { "reference_url": "https://medium.com/%40mondalsomnath9135/html-injection-in-craft-cms-application-e2b28f746212", "reference_id": "html-injection-in-craft-cms-application-e2b28f746212", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T21:12:01Z/" } ], "url": "https://medium.com/%40mondalsomnath9135/html-injection-in-craft-cms-application-e2b28f746212" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/65617?format=api", "purl": "pkg:composer/craftcms/cms@4.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1468-4fdx-kbfr" }, { "vulnerability": "VCID-1mb5-28xp-ckd2" }, { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-4wkr-jx1w-77hn" }, { "vulnerability": "VCID-5cxe-tjpb-3qan" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-71sv-62m4-z3er" }, { "vulnerability": "VCID-7y4f-ef7t-47eb" }, { "vulnerability": "VCID-83rt-3tyj-qbgx" }, { "vulnerability": "VCID-8u2j-17a4-q7eh" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-9enr-b6zd-mbh8" }, { "vulnerability": "VCID-akrv-yqnf-1kg8" }, { "vulnerability": "VCID-azr5-12f8-hfbm" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-cys8-jnmu-77ec" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-eaxm-rjr7-xudb" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-efwv-r3nc-73h9" }, { "vulnerability": "VCID-f7gc-cgka-tycr" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-fpke-p7sz-nfc9" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hyct-5gap-7kdu" }, { "vulnerability": "VCID-jeyh-3jxd-z3g6" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-jxz8-g6fq-dubw" }, { "vulnerability": "VCID-kbrc-85av-nfcn" }, { "vulnerability": "VCID-m5rf-usae-yfb7" }, { "vulnerability": "VCID-nmzu-mefv-tqeh" }, { "vulnerability": "VCID-ppet-ruae-1kav" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-qwmy-d2e8-5khw" }, { "vulnerability": "VCID-qywv-vf4r-8bh9" }, { "vulnerability": "VCID-r5hp-5nju-9ubz" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-rzq4-h1ms-nqef" }, { "vulnerability": "VCID-sa99-8awj-eycd" }, { "vulnerability": "VCID-twuy-wzb7-k7g3" }, { "vulnerability": "VCID-tzjk-x116-ayge" }, { "vulnerability": "VCID-vasz-rnn1-67ev" }, { "vulnerability": "VCID-w9yn-1573-hyau" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.10" } ], "aliases": [ "CVE-2023-33495", "GHSA-m3v5-gjj9-rg24" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-aajd-9qsf-37cr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111482?format=api", "vulnerability_id": "VCID-adak-sn51-23gd", "summary": "Craft CMS XSS Vulnerability\nCraft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-17496", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00328", "scoring_system": "epss", "scoring_elements": "0.56045", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00328", "scoring_system": "epss", "scoring_elements": "0.561", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-17496" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#338---2019-10-09", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#338---2019-10-09" }, { "reference_url": "https://github.com/craftcms/cms/commit/0ee66d29281af2b6c4f866e1437842c61983a672", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/0ee66d29281af2b6c4f866e1437842c61983a672" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17496", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17496" }, { "reference_url": "https://github.com/advisories/GHSA-f3xr-q258-h7m9", "reference_id": "GHSA-f3xr-q258-h7m9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f3xr-q258-h7m9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/152899?format=api", "purl": "pkg:composer/craftcms/cms@3.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-eecq-8t4y-kka3" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-n1z8-7a8m-rfcc" }, { "vulnerability": "VCID-nz6e-26rc-f3fa" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-xc5n-1vqa-tqaz" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.3.8" } ], "aliases": [ "CVE-2019-17496", "GHSA-f3xr-q258-h7m9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-adak-sn51-23gd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55418?format=api", "vulnerability_id": "VCID-cwm6-qf1f-2keb", "summary": "Craft CMS SQL injection vulnerability via the GraphQL API endpoint\nCraft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37843", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.89433", "scoring_system": "epss", "scoring_elements": "0.99566", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37843" }, { "reference_url": "https://blog.smithsecurity.biz/craft-cms-unauthenticated-sqli-via-graphql", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-12T22:53:54Z/" } ], "url": "https://blog.smithsecurity.biz/craft-cms-unauthenticated-sqli-via-graphql" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37843", "reference_id": "CVE-2024-37843", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37843" }, { "reference_url": "https://github.com/advisories/GHSA-hq4f-mv3q-8wcv", "reference_id": "GHSA-hq4f-mv3q-8wcv", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hq4f-mv3q-8wcv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/504814?format=api", "purl": "pkg:composer/craftcms/cms@3.7.32", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-eecq-8t4y-kka3" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.32" } ], "aliases": [ "CVE-2024-37843", "GHSA-hq4f-mv3q-8wcv" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cwm6-qf1f-2keb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38646?format=api", "vulnerability_id": "VCID-dgvz-qam7-23c1", "summary": "Cross-site Scripting\nCraft CMS allows for a potential XSS attack vector by uploading a malicious SVG file.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-9516", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00791", "scoring_system": "epss", "scoring_elements": "0.74286", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00791", "scoring_system": "epss", "scoring_elements": "0.74253", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-9516" }, { "reference_url": "https://craftcms.com/changelog#2-6-2982", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://craftcms.com/changelog#2-6-2982" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://packetstormsecurity.com/files/142851/Craft-CMS-2.6-Cross-Site-Scripting-File-Upload.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packetstormsecurity.com/files/142851/Craft-CMS-2.6-Cross-Site-Scripting-File-Upload.html" }, { "reference_url": "https://twitter.com/CraftCMS/status/872599894912937984", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://twitter.com/CraftCMS/status/872599894912937984" }, { "reference_url": "https://www.exploit-db.com/exploits/42143", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.exploit-db.com/exploits/42143" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/42143.txt", "reference_id": "CVE-2017-9516", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/42143.txt" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9516", "reference_id": "CVE-2017-9516", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9516" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53681?format=api", "purl": "pkg:composer/craftcms/cms@2.6.2982", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-3twn-e7up-2ugq" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-9kjs-xj6x-y3gb" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-adak-sn51-23gd" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-n1z8-7a8m-rfcc" }, { "vulnerability": "VCID-nz6e-26rc-f3fa" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-rx96-8kfy-4ugu" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-xc5n-1vqa-tqaz" }, { "vulnerability": "VCID-xv52-rc7v-yba8" }, { "vulnerability": "VCID-y99n-vz47-qyfh" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@2.6.2982" } ], "aliases": [ "CVE-2017-9516", "GHSA-6pvw-hh48-jx7p" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dgvz-qam7-23c1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46914?format=api", "vulnerability_id": "VCID-dz26-b2ts-puep", "summary": "Craft CMS Feed-Me\nAn issue discovered in Craft CMS version 4.6.1. allows remote attackers to cause a denial of service (DoS) via crafted string to Feed-Me Name and Feed-Me URL fields due to saving a feed using an Asset element type with no volume selected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36260", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00366", "scoring_system": "epss", "scoring_elements": "0.58935", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36260" }, { "reference_url": "https://github.com/craftcms/feed-me", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/feed-me" }, { "reference_url": "https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-30T16:40:39Z/" } ], "url": "https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28" }, { "reference_url": "https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28%29", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-30T16:40:39Z/" } ], "url": "https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28%29" }, { "reference_url": "https://github.com/craftcms/feed-me/releases/tag/4.6.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/feed-me/releases/tag/4.6.2" }, { "reference_url": "https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-30T16:40:39Z/" } ], "url": "https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36260", "reference_id": "CVE-2023-36260", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36260" }, { "reference_url": "https://github.com/advisories/GHSA-6p78-f7h9-6838", "reference_id": "GHSA-6p78-f7h9-6838", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6p78-f7h9-6838" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/107427?format=api", "purl": "pkg:composer/craftcms/cms@4.6.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.6.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/68643?format=api", "purl": "pkg:composer/craftcms/cms@4.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1468-4fdx-kbfr" }, { "vulnerability": "VCID-1mb5-28xp-ckd2" }, { "vulnerability": "VCID-39ct-cg7w-kyb6" }, { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-4wkr-jx1w-77hn" }, { "vulnerability": "VCID-5cxe-tjpb-3qan" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5q5g-jrxm-eyhe" }, { "vulnerability": "VCID-71sv-62m4-z3er" }, { "vulnerability": "VCID-7y4f-ef7t-47eb" }, { "vulnerability": "VCID-83rt-3tyj-qbgx" }, { "vulnerability": "VCID-8u2j-17a4-q7eh" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-9enr-b6zd-mbh8" }, { "vulnerability": "VCID-a3b5-pwyh-yugv" }, { "vulnerability": "VCID-akrv-yqnf-1kg8" }, { "vulnerability": "VCID-azr5-12f8-hfbm" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-cys8-jnmu-77ec" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-eaxm-rjr7-xudb" }, { "vulnerability": "VCID-efwv-r3nc-73h9" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-fpke-p7sz-nfc9" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hyct-5gap-7kdu" }, { "vulnerability": "VCID-jeyh-3jxd-z3g6" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-jxz8-g6fq-dubw" }, { "vulnerability": "VCID-kbrc-85av-nfcn" }, { "vulnerability": "VCID-m5rf-usae-yfb7" }, { "vulnerability": "VCID-nmzu-mefv-tqeh" }, { "vulnerability": "VCID-ppet-ruae-1kav" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-qwmy-d2e8-5khw" }, { "vulnerability": "VCID-qywv-vf4r-8bh9" }, { "vulnerability": "VCID-r5hp-5nju-9ubz" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-rzq4-h1ms-nqef" }, { "vulnerability": "VCID-sa99-8awj-eycd" }, { "vulnerability": "VCID-twuy-wzb7-k7g3" }, { "vulnerability": "VCID-tzjk-x116-ayge" }, { "vulnerability": "VCID-vasz-rnn1-67ev" }, { "vulnerability": "VCID-w9yn-1573-hyau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.7.0" } ], "aliases": [ "CVE-2023-36260", "GHSA-6p78-f7h9-6838" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dz26-b2ts-puep" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38563?format=api", "vulnerability_id": "VCID-hz6m-gqvb-6kae", "summary": "Cross-site Scripting\nCraft CMS allows XSS attacks.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-8052", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00353", "scoring_system": "epss", "scoring_elements": "0.57983", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00353", "scoring_system": "epss", "scoring_elements": "0.57931", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-8052" }, { "reference_url": "https://craftcms.com/changelog#2-6-2974", "reference_id": "", "reference_type": "", "scores": [], "url": "https://craftcms.com/changelog#2-6-2974" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/blob/2.6.2974/CHANGELOG.md#security", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/blob/2.6.2974/CHANGELOG.md#security" }, { "reference_url": "https://github.com/craftcms/cms/commit/f7e57018ff487d1ebbe375f6cb1852f4d79767ff", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/f7e57018ff487d1ebbe375f6cb1852f4d79767ff" }, { "reference_url": "https://twitter.com/CraftCMS/status/855535309878112256", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://twitter.com/CraftCMS/status/855535309878112256" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8052", "reference_id": "CVE-2017-8052", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8052" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53514?format=api", "purl": "pkg:composer/craftcms/cms@2.6.2974", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3n7p-999s-r3f3" }, { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-3twn-e7up-2ugq" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-97zb-4cxh-7yah" }, { "vulnerability": "VCID-9kjs-xj6x-y3gb" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-adak-sn51-23gd" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dgvz-qam7-23c1" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-mkab-fw34-ekh9" }, { "vulnerability": "VCID-n1z8-7a8m-rfcc" }, { "vulnerability": "VCID-nz6e-26rc-f3fa" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-rx96-8kfy-4ugu" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-xc5n-1vqa-tqaz" }, { "vulnerability": "VCID-xv52-rc7v-yba8" }, { "vulnerability": "VCID-y99n-vz47-qyfh" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@2.6.2974" } ], "aliases": [ "CVE-2017-8052", "GHSA-xv5f-2997-qhrq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hz6m-gqvb-6kae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57273?format=api", "vulnerability_id": "VCID-jxet-d8ux-mkge", "summary": "Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at `/var/lib/php/sessions`. Such session files are named `sess_[session_value]`, where `[session_value]` is provided to the client in a `Set-Cookie` response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-35939", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.33065", "scoring_system": "epss", "scoring_elements": "0.96993", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-35939" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2" }, { "reference_url": "https://github.com/craftcms/cms/pull/17220", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" } ], "url": "https://github.com/craftcms/cms/pull/17220" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.15.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.15.3" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.7.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.7.5" }, { "reference_url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" } ], "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939" }, { "reference_url": "https://www.cve.org/CVERecord?id=CVE-2025-35939", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" } ], "url": "https://www.cve.org/CVERecord?id=CVE-2025-35939" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35939", "reference_id": "CVE-2025-35939", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35939" }, { "reference_url": "https://github.com/advisories/GHSA-7vrx-9684-xrf2", "reference_id": "GHSA-7vrx-9684-xrf2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7vrx-9684-xrf2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74788?format=api", "purl": "pkg:composer/craftcms/cms@4.15.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1468-4fdx-kbfr" }, { "vulnerability": "VCID-1mb5-28xp-ckd2" }, { "vulnerability": "VCID-39ct-cg7w-kyb6" }, { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-4wkr-jx1w-77hn" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5q5g-jrxm-eyhe" }, { "vulnerability": "VCID-7y4f-ef7t-47eb" }, { "vulnerability": "VCID-83rt-3tyj-qbgx" }, { "vulnerability": "VCID-8u2j-17a4-q7eh" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-9enr-b6zd-mbh8" }, { "vulnerability": "VCID-a3b5-pwyh-yugv" }, { "vulnerability": "VCID-akrv-yqnf-1kg8" }, { "vulnerability": "VCID-azr5-12f8-hfbm" }, { "vulnerability": "VCID-cys8-jnmu-77ec" }, { "vulnerability": "VCID-dbcz-erbe-u7dt" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-eaxm-rjr7-xudb" }, { "vulnerability": "VCID-efwv-r3nc-73h9" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-fpke-p7sz-nfc9" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hyct-5gap-7kdu" }, { "vulnerability": "VCID-jeyh-3jxd-z3g6" }, { "vulnerability": "VCID-jxz8-g6fq-dubw" }, { "vulnerability": "VCID-kbrc-85av-nfcn" }, { "vulnerability": "VCID-m5rf-usae-yfb7" }, { "vulnerability": "VCID-nmzu-mefv-tqeh" }, { "vulnerability": "VCID-p3n8-1sht-bfbt" }, { "vulnerability": "VCID-ppet-ruae-1kav" }, { "vulnerability": "VCID-qwmy-d2e8-5khw" }, { "vulnerability": "VCID-qywv-vf4r-8bh9" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-rzq4-h1ms-nqef" }, { "vulnerability": "VCID-sa99-8awj-eycd" }, { "vulnerability": "VCID-twuy-wzb7-k7g3" }, { "vulnerability": "VCID-tzjk-x116-ayge" }, { "vulnerability": "VCID-vasz-rnn1-67ev" }, { "vulnerability": "VCID-w9yn-1573-hyau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.15.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/74789?format=api", "purl": "pkg:composer/craftcms/cms@5.7.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1468-4fdx-kbfr" }, { "vulnerability": "VCID-1mb5-28xp-ckd2" }, { "vulnerability": "VCID-39ct-cg7w-kyb6" }, { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-4wkr-jx1w-77hn" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5q5g-jrxm-eyhe" }, { "vulnerability": "VCID-5tzm-738x-xka9" }, { "vulnerability": "VCID-7y4f-ef7t-47eb" }, { "vulnerability": "VCID-83rt-3tyj-qbgx" }, { "vulnerability": "VCID-8u2j-17a4-q7eh" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-9enr-b6zd-mbh8" }, { "vulnerability": "VCID-a3b5-pwyh-yugv" }, { "vulnerability": "VCID-a8p2-5cmc-n7g2" }, { "vulnerability": "VCID-akrv-yqnf-1kg8" }, { "vulnerability": "VCID-asek-4gme-gug8" }, { "vulnerability": "VCID-azr5-12f8-hfbm" }, { "vulnerability": "VCID-bqep-3c6u-mqhu" }, { "vulnerability": "VCID-cys8-jnmu-77ec" }, { "vulnerability": "VCID-dbcz-erbe-u7dt" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-eaxm-rjr7-xudb" }, { "vulnerability": "VCID-efwv-r3nc-73h9" }, { "vulnerability": "VCID-esma-wxje-eqh3" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-fpke-p7sz-nfc9" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hyct-5gap-7kdu" }, { "vulnerability": "VCID-jeyh-3jxd-z3g6" }, { "vulnerability": "VCID-jnrx-e9b5-wqew" }, { "vulnerability": "VCID-jxz8-g6fq-dubw" }, { "vulnerability": "VCID-kbrc-85av-nfcn" }, { "vulnerability": "VCID-m5rf-usae-yfb7" }, { "vulnerability": "VCID-nmzu-mefv-tqeh" }, { "vulnerability": "VCID-p3n8-1sht-bfbt" }, { "vulnerability": "VCID-pgm4-svq8-tfc5" }, { "vulnerability": "VCID-ppet-ruae-1kav" }, { "vulnerability": "VCID-qywv-vf4r-8bh9" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-rzq4-h1ms-nqef" }, { "vulnerability": "VCID-sa99-8awj-eycd" }, { "vulnerability": "VCID-twuy-wzb7-k7g3" }, { "vulnerability": "VCID-tzjk-x116-ayge" }, { "vulnerability": "VCID-vasz-rnn1-67ev" }, { "vulnerability": "VCID-vvhc-rnpr-ubey" }, { "vulnerability": "VCID-w9yn-1573-hyau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.7.5" } ], "aliases": [ "CVE-2025-35939", "GHSA-7vrx-9684-xrf2" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jxet-d8ux-mkge" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38577?format=api", "vulnerability_id": "VCID-mkab-fw34-ekh9", "summary": "Cross-site Scripting\nCraft CMS allows XSS attacks because an array returned by `HttpRequestService::getSegments()` and `getActionSegments()` need not be zero-based.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-8384", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.54252", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.54195", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-8384" }, { "reference_url": "https://craftcms.com/changelog#2-6-2976", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://craftcms.com/changelog#2-6-2976" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://twitter.com/CraftCMS/status/857743080224473088", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://twitter.com/CraftCMS/status/857743080224473088" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8384", "reference_id": "CVE-2017-8384", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8384" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53532?format=api", "purl": "pkg:composer/craftcms/cms@2.6.2975", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-3twn-e7up-2ugq" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-9kjs-xj6x-y3gb" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-adak-sn51-23gd" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dgvz-qam7-23c1" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-n1z8-7a8m-rfcc" }, { "vulnerability": "VCID-nz6e-26rc-f3fa" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-rx96-8kfy-4ugu" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-xc5n-1vqa-tqaz" }, { "vulnerability": "VCID-xv52-rc7v-yba8" }, { "vulnerability": "VCID-y99n-vz47-qyfh" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@2.6.2975" }, { "url": "http://public2.vulnerablecode.io/api/packages/151100?format=api", "purl": "pkg:composer/craftcms/cms@2.6.2976", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-3twn-e7up-2ugq" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-9kjs-xj6x-y3gb" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-adak-sn51-23gd" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dgvz-qam7-23c1" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-n1z8-7a8m-rfcc" }, { "vulnerability": "VCID-nz6e-26rc-f3fa" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-rx96-8kfy-4ugu" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-xc5n-1vqa-tqaz" }, { "vulnerability": "VCID-xv52-rc7v-yba8" }, { "vulnerability": "VCID-y99n-vz47-qyfh" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@2.6.2976" } ], "aliases": [ "CVE-2017-8384", "GHSA-9mcw-mwxv-grwj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mkab-fw34-ekh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/108321?format=api", "vulnerability_id": "VCID-n1z8-7a8m-rfcc", "summary": "Craft CMS Remote Code Injection\nAn issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-27903", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03824", "scoring_system": "epss", "scoring_elements": "0.8836", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.03824", "scoring_system": "epss", "scoring_elements": "0.88342", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-27903" }, { "reference_url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#367---2021-02-23", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#367---2021-02-23" }, { "reference_url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#security", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#security" }, { "reference_url": "https://github.com/craftcms/cms/commit/c17728fa0bec11d3b82c34defe0930ed409aec38", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/c17728fa0bec11d3b82c34defe0930ed409aec38" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27903", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27903" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/142121?format=api", "purl": "pkg:composer/craftcms/cms@3.6.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-c9mw-1at1-ebaz" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-eecq-8t4y-kka3" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-nz6e-26rc-f3fa" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.6.7" } ], "aliases": [ "CVE-2021-27903", "GHSA-x2j7-6hxm-87p3" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n1z8-7a8m-rfcc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54460?format=api", "vulnerability_id": "VCID-nz6e-26rc-f3fa", "summary": "Cross-site Scripting\nCraft CMS has an XSS vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32470", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00328", "scoring_system": "epss", "scoring_elements": "0.56045", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00328", "scoring_system": "epss", "scoring_elements": "0.561", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32470" }, { "reference_url": "https://github.com/craftcms/cms/blob/3.6.13/CHANGELOG.md#security", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/blob/3.6.13/CHANGELOG.md#security" }, { "reference_url": "https://github.com/craftcms/cms/commit/f9378aa154b5f9b64bed3d59cce0c4a8184bf5e6", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/f9378aa154b5f9b64bed3d59cce0c4a8184bf5e6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32470", "reference_id": "CVE-2021-32470", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32470" }, { "reference_url": "https://github.com/advisories/GHSA-h2rj-8wgg-mm43", "reference_id": "GHSA-h2rj-8wgg-mm43", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h2rj-8wgg-mm43" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80685?format=api", "purl": "pkg:composer/craftcms/cms@3.6.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-c9mw-1at1-ebaz" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-eecq-8t4y-kka3" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.6.13" } ], "aliases": [ "CVE-2021-32470", "GHSA-h2rj-8wgg-mm43" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nz6e-26rc-f3fa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45361?format=api", "vulnerability_id": "VCID-qcwp-su57-9fa1", "summary": "Improper Control of Generation of Code ('Code Injection')\nCraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30179", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05499", "scoring_system": "epss", "scoring_elements": "0.90401", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30179" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#442---2023-03-14", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-03T20:04:19Z/" } ], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#442---2023-03-14" }, { "reference_url": "https://github.com/github/advisory-database/pull/2443", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/github/advisory-database/pull/2443" }, { "reference_url": "https://github.com/github/advisory-database/pull/2443#issuecomment-1610040714", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-03T20:04:19Z/" } ], "url": "https://github.com/github/advisory-database/pull/2443#issuecomment-1610040714" }, { "reference_url": "https://github.com/github/advisory-database/pull/2443#issuecomment-1610634200", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-03T20:04:19Z/" } ], "url": "https://github.com/github/advisory-database/pull/2443#issuecomment-1610634200" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30179", "reference_id": "CVE-2023-30179", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30179" }, { "reference_url": "https://datnlq.gitbook.io/cve/craft-cms/cve-2023-30179-server-side-template-injection", "reference_id": "CVE-2023-30179-SERVER-SIDE-TEMPLATE-INJECTION", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-03T20:04:19Z/" } ], "url": "https://datnlq.gitbook.io/cve/craft-cms/cve-2023-30179-server-side-template-injection" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/65381?format=api", "purl": "pkg:composer/craftcms/cms@4.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1468-4fdx-kbfr" }, { "vulnerability": "VCID-1mb5-28xp-ckd2" }, { "vulnerability": "VCID-2vn9-2cs3-vbg3" }, { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-4wkr-jx1w-77hn" }, { "vulnerability": "VCID-5cxe-tjpb-3qan" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-71sv-62m4-z3er" }, { "vulnerability": "VCID-7y4f-ef7t-47eb" }, { "vulnerability": "VCID-83rt-3tyj-qbgx" }, { "vulnerability": "VCID-8u2j-17a4-q7eh" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-9enr-b6zd-mbh8" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-akrv-yqnf-1kg8" }, { "vulnerability": "VCID-azr5-12f8-hfbm" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-cys8-jnmu-77ec" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-eaxm-rjr7-xudb" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-efwv-r3nc-73h9" }, { "vulnerability": "VCID-f7gc-cgka-tycr" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-fpke-p7sz-nfc9" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-hyct-5gap-7kdu" }, { "vulnerability": "VCID-jeyh-3jxd-z3g6" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-jxz8-g6fq-dubw" }, { "vulnerability": "VCID-kbrc-85av-nfcn" }, { "vulnerability": "VCID-m5rf-usae-yfb7" }, { "vulnerability": "VCID-nmzu-mefv-tqeh" }, { "vulnerability": "VCID-ppet-ruae-1kav" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-qwmy-d2e8-5khw" }, { "vulnerability": "VCID-qywv-vf4r-8bh9" }, { "vulnerability": "VCID-r5hp-5nju-9ubz" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-rvrz-498f-2uet" }, { "vulnerability": "VCID-rzq4-h1ms-nqef" }, { "vulnerability": "VCID-sa99-8awj-eycd" }, { "vulnerability": "VCID-twuy-wzb7-k7g3" }, { "vulnerability": "VCID-tzjk-x116-ayge" }, { "vulnerability": "VCID-vasz-rnn1-67ev" }, { "vulnerability": "VCID-w9yn-1573-hyau" }, { "vulnerability": "VCID-wcx6-wed9-gub2" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.2" } ], "aliases": [ "CVE-2023-30179", "GHSA-3x74-v64j-qc3f" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qcwp-su57-9fa1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111429?format=api", "vulnerability_id": "VCID-rx96-8kfy-4ugu", "summary": "Craft CMS possibility of brute force attempts\nIn Craft CMS before 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-15929", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00358", "scoring_system": "epss", "scoring_elements": "0.58308", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00358", "scoring_system": "epss", "scoring_elements": "0.58355", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-15929" }, { "reference_url": "https://github.com/craftcms/cms/blob/3.1.7/CHANGELOG-v3.md", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/blob/3.1.7/CHANGELOG-v3.md" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15929", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15929" }, { "reference_url": "https://github.com/advisories/GHSA-wvr4-w6cw-4px8", "reference_id": "GHSA-wvr4-w6cw-4px8", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wvr4-w6cw-4px8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/152502?format=api", "purl": "pkg:composer/craftcms/cms@3.1.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-9kjs-xj6x-y3gb" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-adak-sn51-23gd" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-eecq-8t4y-kka3" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-n1z8-7a8m-rfcc" }, { "vulnerability": "VCID-nz6e-26rc-f3fa" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-xc5n-1vqa-tqaz" }, { "vulnerability": "VCID-xv52-rc7v-yba8" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.1.7" } ], "aliases": [ "CVE-2019-15929", "GHSA-wvr4-w6cw-4px8" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rx96-8kfy-4ugu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45169?format=api", "vulnerability_id": "VCID-s5v6-e631-17f5", "summary": "CraftCMS allows remote attacker to execute arbitrary code via crafted script to Section parameter\nAn issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30130", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.07135", "scoring_system": "epss", "scoring_elements": "0.9171", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30130" }, { "reference_url": "https://craftcms.com", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://craftcms.com" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://tf1t.gitbook.io/mycve/craftcms/server-site-template-injection-on-craftcms-3.8.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-24T16:00:57Z/" } ], "url": "https://tf1t.gitbook.io/mycve/craftcms/server-site-template-injection-on-craftcms-3.8.1" }, { "reference_url": "https://craftcms.com/", "reference_id": "craftcms.com", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-24T16:00:57Z/" } ], "url": "https://craftcms.com/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30130", "reference_id": "CVE-2023-30130", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30130" }, { "reference_url": "https://github.com/advisories/GHSA-fjx5-xm7q-whvj", "reference_id": "GHSA-fjx5-xm7q-whvj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fjx5-xm7q-whvj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/650962?format=api", "purl": "pkg:composer/craftcms/cms@3.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.8.2" } ], "aliases": [ "CVE-2023-30130", "GHSA-fjx5-xm7q-whvj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s5v6-e631-17f5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42840?format=api", "vulnerability_id": "VCID-u4t8-gkkb-73bv", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms/cms.", "references": [ { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/advisories/GHSA-wf98-vxv9-jqfv", "reference_id": "GHSA-wf98-vxv9-jqfv", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wf98-vxv9-jqfv" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-wf98-vxv9-jqfv", "reference_id": "GHSA-wf98-vxv9-jqfv", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-wf98-vxv9-jqfv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61257?format=api", "purl": "pkg:composer/craftcms/cms@3.7.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-eecq-8t4y-kka3" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.29" } ], "aliases": [ "GHSA-wf98-vxv9-jqfv", "GMS-2022-790" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u4t8-gkkb-73bv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45043?format=api", "vulnerability_id": "VCID-vbz3-3rqd-3fh6", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30177", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00338", "scoring_system": "epss", "scoring_elements": "0.56884", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30177" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/00fb253d5318e10204433e5d93934108e574005e", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-03T17:24:49Z/" } ], "url": "https://github.com/craftcms/cms/commit/00fb253d5318e10204433e5d93934108e574005e" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30177", "reference_id": "CVE-2023-30177", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30177" }, { "reference_url": "https://github.com/advisories/GHSA-wv7j-rc2q-9j67", "reference_id": "GHSA-wv7j-rc2q-9j67", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wv7j-rc2q-9j67" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64966?format=api", "purl": "pkg:composer/craftcms/cms@3.7.68", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.68" } ], "aliases": [ "CVE-2023-30177", "GHSA-wv7j-rc2q-9j67" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vbz3-3rqd-3fh6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/108329?format=api", "vulnerability_id": "VCID-xc5n-1vqa-tqaz", "summary": "Craft CMS Cross-site Scripting Vulnerability\nAn issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-27902", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.62273", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.62224", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-27902" }, { "reference_url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#360---2021-01-26", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#360---2021-01-26" }, { "reference_url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#security-1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#security-1" }, { "reference_url": "https://github.com/craftcms/cms/commit/8ee85a8f03c143fa2420e7d6f311d95cae3b19ce", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/8ee85a8f03c143fa2420e7d6f311d95cae3b19ce" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27902", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27902" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/142146?format=api", "purl": "pkg:composer/craftcms/cms@3.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-c9mw-1at1-ebaz" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-eecq-8t4y-kka3" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-n1z8-7a8m-rfcc" }, { "vulnerability": "VCID-nz6e-26rc-f3fa" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.6.0" } ], "aliases": [ "CVE-2021-27902", "GHSA-3jxh-789f-p7m6" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xc5n-1vqa-tqaz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52307?format=api", "vulnerability_id": "VCID-xv52-rc7v-yba8", "summary": "Injection Vulnerability\nThe `SEOmatic` component for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the `metacontainers` controller.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9757", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.94276", "scoring_system": "epss", "scoring_elements": "0.99941", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9757" }, { "reference_url": "https://github.com/giany/CVE/blob/master/CVE-2020-9757.txt", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/giany/CVE/blob/master/CVE-2020-9757.txt" }, { "reference_url": "https://github.com/nystudio107/craft-seomatic", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nystudio107/craft-seomatic" }, { "reference_url": "https://github.com/nystudio107/craft-seomatic/blob/v3/CHANGELOG.md", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nystudio107/craft-seomatic/blob/v3/CHANGELOG.md" }, { "reference_url": "https://github.com/nystudio107/craft-seomatic/commit/65ab659cb6c914c7ad671af1e417c0da2431f79b", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nystudio107/craft-seomatic/commit/65ab659cb6c914c7ad671af1e417c0da2431f79b" }, { "reference_url": "https://github.com/nystudio107/craft-seomatic/commit/a1c2cad7e126132d2442ec8ec8e9ab43df02cc0f", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nystudio107/craft-seomatic/commit/a1c2cad7e126132d2442ec8ec8e9ab43df02cc0f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9757", "reference_id": "CVE-2020-9757", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9757" }, { "reference_url": "https://github.com/advisories/GHSA-6q4j-8pjm-5mgc", "reference_id": "GHSA-6q4j-8pjm-5mgc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6q4j-8pjm-5mgc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76817?format=api", "purl": "pkg:composer/craftcms/cms@3.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-adak-sn51-23gd" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-eecq-8t4y-kka3" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-n1z8-7a8m-rfcc" }, { "vulnerability": "VCID-nz6e-26rc-f3fa" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-xc5n-1vqa-tqaz" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.3.0" } ], "aliases": [ "CVE-2020-9757", "GHSA-6q4j-8pjm-5mgc" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xv52-rc7v-yba8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46916?format=api", "vulnerability_id": "VCID-y99n-vz47-qyfh", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36259", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.25129", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36259" }, { "reference_url": "https://github.com/sjelfull/craft-audit", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sjelfull/craft-audit" }, { "reference_url": "https://github.com/sjelfull/craft-audit/commit/c2888aa48457f24696ac0a2ba4f54f39e5c672ed", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sjelfull/craft-audit/commit/c2888aa48457f24696ac0a2ba4f54f39e5c672ed" }, { "reference_url": "https://github.com/sjelfull/craft-audit/pull/73", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:35:02Z/" } ], "url": "https://github.com/sjelfull/craft-audit/pull/73" }, { "reference_url": "https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:35:02Z/" } ], "url": "https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36259", "reference_id": "CVE-2023-36259", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36259" }, { "reference_url": "https://github.com/advisories/GHSA-v89q-c273-3p42", "reference_id": "GHSA-v89q-c273-3p42", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v89q-c273-3p42" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68645?format=api", "purl": "pkg:composer/craftcms/cms@3.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3r9x-ax4j-3yha" }, { "vulnerability": "VCID-3twn-e7up-2ugq" }, { "vulnerability": "VCID-41y2-tucq-ykaj" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5pur-jy1x-gfhv" }, { "vulnerability": "VCID-6hcd-ayyh-3fdb" }, { "vulnerability": "VCID-8pjj-w8h7-p7ga" }, { "vulnerability": "VCID-9kjs-xj6x-y3gb" }, { "vulnerability": "VCID-aajd-9qsf-37cr" }, { "vulnerability": "VCID-adak-sn51-23gd" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-cwm6-qf1f-2keb" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-eecq-8t4y-kka3" }, { "vulnerability": "VCID-hm7h-7cu3-8be1" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-n1z8-7a8m-rfcc" }, { "vulnerability": "VCID-nz6e-26rc-f3fa" }, { "vulnerability": "VCID-qcwp-su57-9fa1" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-rx96-8kfy-4ugu" }, { "vulnerability": "VCID-s5v6-e631-17f5" }, { "vulnerability": "VCID-u4t8-gkkb-73bv" }, { "vulnerability": "VCID-vbz3-3rqd-3fh6" }, { "vulnerability": "VCID-xc5n-1vqa-tqaz" }, { "vulnerability": "VCID-xv52-rc7v-yba8" }, { "vulnerability": "VCID-ymw8-mvrz-e7bc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.0.2" } ], "aliases": [ "CVE-2023-36259", "GHSA-v89q-c273-3p42" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y99n-vz47-qyfh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45279?format=api", "vulnerability_id": "VCID-ymw8-mvrz-e7bc", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nA post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2817", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00337", "scoring_system": "epss", "scoring_elements": "0.56831", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2817" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/7655e1009ba6cdbfb230e6bb138b775b69fc7bcb", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T15:47:46Z/" } ], "url": "https://github.com/craftcms/cms/commit/7655e1009ba6cdbfb230e6bb138b775b69fc7bcb" }, { "reference_url": "https://www.tenable.com/security/research/tra-2023-20", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.tenable.com/security/research/tra-2023-20" }, { "reference_url": "https://www.tenable.com/security/research/tra-2023-20,", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.tenable.com/security/research/tra-2023-20," }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2817", "reference_id": "CVE-2023-2817", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2817" }, { "reference_url": "https://www.tenable.com/security/research/tra-2023-20%2C", "reference_id": "tra-2023-20%2C", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T15:47:46Z/" } ], "url": "https://www.tenable.com/security/research/tra-2023-20%2C" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/65248?format=api", "purl": "pkg:composer/craftcms/cms@4.4.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1468-4fdx-kbfr" }, { "vulnerability": "VCID-1mb5-28xp-ckd2" }, { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-4wkr-jx1w-77hn" }, { "vulnerability": "VCID-5cxe-tjpb-3qan" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-71sv-62m4-z3er" }, { "vulnerability": "VCID-7y4f-ef7t-47eb" }, { "vulnerability": "VCID-83rt-3tyj-qbgx" }, { "vulnerability": "VCID-8u2j-17a4-q7eh" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-9enr-b6zd-mbh8" }, { "vulnerability": "VCID-akrv-yqnf-1kg8" }, { "vulnerability": "VCID-azr5-12f8-hfbm" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-cys8-jnmu-77ec" }, { "vulnerability": "VCID-dz26-b2ts-puep" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-eaxm-rjr7-xudb" }, { "vulnerability": "VCID-ec34-nvn3-qbcb" }, { "vulnerability": "VCID-efwv-r3nc-73h9" }, { "vulnerability": "VCID-f7gc-cgka-tycr" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-fpke-p7sz-nfc9" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hyct-5gap-7kdu" }, { "vulnerability": "VCID-jeyh-3jxd-z3g6" }, { "vulnerability": "VCID-jhen-vhqx-n7dr" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-jxz8-g6fq-dubw" }, { "vulnerability": "VCID-kbrc-85av-nfcn" }, { "vulnerability": "VCID-m5rf-usae-yfb7" }, { "vulnerability": "VCID-nmzu-mefv-tqeh" }, { "vulnerability": "VCID-ppet-ruae-1kav" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-qwmy-d2e8-5khw" }, { "vulnerability": "VCID-qywv-vf4r-8bh9" }, { "vulnerability": "VCID-r5hp-5nju-9ubz" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-rzq4-h1ms-nqef" }, { "vulnerability": "VCID-sa99-8awj-eycd" }, { "vulnerability": "VCID-twuy-wzb7-k7g3" }, { "vulnerability": "VCID-tzjk-x116-ayge" }, { "vulnerability": "VCID-vasz-rnn1-67ev" }, { "vulnerability": "VCID-w9yn-1573-hyau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.12" } ], "aliases": [ "CVE-2023-2817", "GHSA-7x94-jx75-3gh6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ymw8-mvrz-e7bc" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@2.3.0-alpha.2610" }