Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/374751?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/374751?format=api", "purl": "pkg:composer/craftcms/cms@5.9.11", "type": "composer", "namespace": "craftcms", "name": "cms", "version": "5.9.11", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.9.18", "latest_non_vulnerable_version": "5.9.18", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77659?format=api", "vulnerability_id": "VCID-25ym-rhky-wbaq", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33161", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13156", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13059", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33161" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33161", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33161" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "4.17.8", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27", "reference_id": "d30df3112220db1ffd6726a3ed11857014c7fb27", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27" }, { "reference_url": "https://github.com/advisories/GHSA-vgjg-248p-rfm2", "reference_id": "GHSA-vgjg-248p-rfm2", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vgjg-248p-rfm2" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2", "reference_id": "GHSA-vgjg-248p-rfm2", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33161", "GHSA-vgjg-248p-rfm2" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-25ym-rhky-wbaq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360185?format=api", "vulnerability_id": "VCID-5qkr-aqmx-8qau", "summary": "Craft CMS: Authorized asset \"preview file\" requests bypass allows users without asset access to retrieve private preview metadata\n### Summary\n\nAn authenticated low-privileged user can call `assets/preview-file` for an asset they are not authorized to view and still receive preview response data (`previewHtml`) for that private asset.\n\nThe returned preview HTML included a private preview image route containing the target private `assetId`, even though `canView` was `false` for the attacker account.\n\n### Details\n\n1. `assets/preview-file` accepts a maliciously controlled `assetId` and renders preview output.\n2. The action does not enforce per-asset view authorization prior to returning preview content.\n 3. As a result, an authenticated user without asset-view permission can still obtain private preview output.\n\nThis affects Craft installations with authenticated users of mixed privilege levels with private assets.\n\n### Resources\n\n- d30df3112220db1ffd6726a3ed11857014c7fb27\n- b1cddf72c98a", "references": [ { "reference_url": "https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq" }, { "reference_url": "https://github.com/advisories/GHSA-44px-qjjc-xrhq", "reference_id": "GHSA-44px-qjjc-xrhq", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-44px-qjjc-xrhq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "GHSA-44px-qjjc-xrhq" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5qkr-aqmx-8qau" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77152?format=api", "vulnerability_id": "VCID-e3k3-fp6t-kycw", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32267", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14683", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14804", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32267" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32267", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32267" }, { "reference_url": "https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33", "reference_id": "6301e217c5f15617d939c432cb770db50af14b33", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/" } ], "url": "https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33" }, { "reference_url": "https://github.com/advisories/GHSA-cc7p-2j3x-x7xf", "reference_id": "GHSA-cc7p-2j3x-x7xf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cc7p-2j3x-x7xf" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf", "reference_id": "GHSA-cc7p-2j3x-x7xf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374516?format=api", "purl": "pkg:composer/craftcms/cms@5.9.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.12" } ], "aliases": [ "CVE-2026-32267", "GHSA-cc7p-2j3x-x7xf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e3k3-fp6t-kycw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81009?format=api", "vulnerability_id": "VCID-gp2d-vv3n-euda", "summary": "Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: \"Edit assets in the <VolumeName> volume\" and \"Create assets in the <VolumeName> volume.\" Versions 4.17.9 and 5.9.15 patch the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41129", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13041", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13139", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41129" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41129", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41129" }, { "reference_url": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f", "reference_id": "d20aecfaa0eae076c4154be3b17e1f9fa05ce46f", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/" } ], "url": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f" }, { "reference_url": "https://github.com/advisories/GHSA-3m9m-24vh-39wx", "reference_id": "GHSA-3m9m-24vh-39wx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3m9m-24vh-39wx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx", "reference_id": "GHSA-3m9m-24vh-39wx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373533?format=api", "purl": "pkg:composer/craftcms/cms@5.9.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15" } ], "aliases": [ "CVE-2026-41129", "GHSA-3m9m-24vh-39wx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gp2d-vv3n-euda" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78014?format=api", "vulnerability_id": "VCID-h9fr-63qv-bffn", "summary": "Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33162", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02173", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02178", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33162" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33162", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33162" }, { "reference_url": "https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e", "reference_id": "3c1ab1c4445dd9237855a66e6a06ecf3591a718e", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:40:29Z/" } ], "url": "https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:40:29Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/advisories/GHSA-f582-6gf6-gx4g", "reference_id": "GHSA-f582-6gf6-gx4g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f582-6gf6-gx4g" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g", "reference_id": "GHSA-f582-6gf6-gx4g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:40:29Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33162", "GHSA-f582-6gf6-gx4g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h9fr-63qv-bffn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67999?format=api", "vulnerability_id": "VCID-j1d4-j44f-yqh9", "summary": "Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44010", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02827", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02819", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44010" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44010", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44010" }, { "reference_url": "https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128", "reference_id": "834b2cf61ad0dcee9b03add44ed402ebf18db128", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/" } ], "url": "https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128" }, { "reference_url": "https://github.com/advisories/GHSA-gj2p-p9m4-c8gw", "reference_id": "GHSA-gj2p-p9m4-c8gw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gj2p-p9m4-c8gw" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw", "reference_id": "GHSA-gj2p-p9m4-c8gw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376015?format=api", "purl": "pkg:composer/craftcms/cms@5.9.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18" } ], "aliases": [ "CVE-2026-44010", "GHSA-gj2p-p9m4-c8gw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j1d4-j44f-yqh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77888?format=api", "vulnerability_id": "VCID-j6wk-k1jb-jfd5", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33160", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03998", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.04014", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33160" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33160", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33160" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "4.17.8", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/commit/7290d91639e", "reference_id": "7290d91639e", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/commit/7290d91639e" }, { "reference_url": "https://github.com/advisories/GHSA-5pgf-h923-m958", "reference_id": "GHSA-5pgf-h923-m958", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5pgf-h923-m958" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958", "reference_id": "GHSA-5pgf-h923-m958", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33160", "GHSA-5pgf-h923-m958" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j6wk-k1jb-jfd5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67887?format=api", "vulnerability_id": "VCID-j8qq-yre6-4bfx", "summary": "Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44011", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06356", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06376", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44011" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44011", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44011" }, { "reference_url": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3", "reference_id": "ab85ca7f5f926994f723f60584054a1f4c4c5de3", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/" } ], "url": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5", "reference_id": "GHSA-255j-qw47-wjh5", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5" }, { "reference_url": "https://github.com/advisories/GHSA-qrgm-p9w5-rrfw", "reference_id": "GHSA-qrgm-p9w5-rrfw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qrgm-p9w5-rrfw" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw", "reference_id": "GHSA-qrgm-p9w5-rrfw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376015?format=api", "purl": "pkg:composer/craftcms/cms@5.9.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18" } ], "aliases": [ "CVE-2026-44011", "GHSA-qrgm-p9w5-rrfw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j8qq-yre6-4bfx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77955?format=api", "vulnerability_id": "VCID-nep2-e16y-9yg4", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33159", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06624", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06602", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33159" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33159", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33159" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "4.17.8", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592", "reference_id": "7f0ead833f7c2b91ae12003caad833479dd08592", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592" }, { "reference_url": "https://github.com/advisories/GHSA-6mrr-q3pj-h53w", "reference_id": "GHSA-6mrr-q3pj-h53w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6mrr-q3pj-h53w" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w", "reference_id": "GHSA-6mrr-q3pj-h53w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33159", "GHSA-6mrr-q3pj-h53w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nep2-e16y-9yg4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77697?format=api", "vulnerability_id": "VCID-py3b-5ps7-7fe3", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33158", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03898", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03916", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33158" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33158", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33158" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "4.17.8", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860", "reference_id": "7290d91639e5e3a4f7e221dfbef95c9b77331860", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860" }, { "reference_url": "https://github.com/advisories/GHSA-3pvf-vxrv-hh9c", "reference_id": "GHSA-3pvf-vxrv-hh9c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3pvf-vxrv-hh9c" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c", "reference_id": "GHSA-3pvf-vxrv-hh9c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33158", "GHSA-3pvf-vxrv-hh9c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-py3b-5ps7-7fe3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81021?format=api", "vulnerability_id": "VCID-smdx-nfbs-2qbx", "summary": "Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. \nWhen `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). Versions 4.17.9 and 5.9.15 patch the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41130", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16424", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1628", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41130" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41130", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41130" }, { "reference_url": "https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783", "reference_id": "ebe7e85f1c89700d64332f72492be2e9a594e783", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/" } ], "url": "https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783" }, { "reference_url": "https://github.com/advisories/GHSA-95wr-3f2v-v2wh", "reference_id": "GHSA-95wr-3f2v-v2wh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-95wr-3f2v-v2wh" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh", "reference_id": "GHSA-95wr-3f2v-v2wh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373533?format=api", "purl": "pkg:composer/craftcms/cms@5.9.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15" } ], "aliases": [ "CVE-2026-41130", "GHSA-95wr-3f2v-v2wh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-smdx-nfbs-2qbx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81004?format=api", "vulnerability_id": "VCID-sswc-d2f8-zyc9", "summary": "Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty `groups` value removes all existing group memberships. Version 5.9.15 contains a patch.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41128", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12684", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12774", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41128" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41128", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41128" }, { "reference_url": "https://github.com/craftcms/cms/commit/b135384808ad43fcf8836a9dd9b877fb0087bc27", "reference_id": "b135384808ad43fcf8836a9dd9b877fb0087bc27", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T18:13:25Z/" } ], "url": "https://github.com/craftcms/cms/commit/b135384808ad43fcf8836a9dd9b877fb0087bc27" }, { "reference_url": "https://github.com/advisories/GHSA-jq2f-59pj-p3m3", "reference_id": "GHSA-jq2f-59pj-p3m3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jq2f-59pj-p3m3" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-jq2f-59pj-p3m3", "reference_id": "GHSA-jq2f-59pj-p3m3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T18:13:25Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-jq2f-59pj-p3m3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373533?format=api", "purl": "pkg:composer/craftcms/cms@5.9.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15" } ], "aliases": [ "CVE-2026-41128", "GHSA-jq2f-59pj-p3m3" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sswc-d2f8-zyc9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77715?format=api", "vulnerability_id": "VCID-up4q-hz23-vkcn", "summary": "Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (\"as\" and \"on\" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33157", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00101", "scoring_system": "epss", "scoring_elements": "0.27322", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00101", "scoring_system": "epss", "scoring_elements": "0.27524", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33157" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33157", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33157" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.13", "reference_id": "5.9.13", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:19:28Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.13" }, { "reference_url": "https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e", "reference_id": "97e90b4bdee369c1af3ca77a77531132df240e4e", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:19:28Z/" } ], "url": "https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e" }, { "reference_url": "https://github.com/advisories/GHSA-255j-qw47-wjh5", "reference_id": "GHSA-255j-qw47-wjh5", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-255j-qw47-wjh5" }, { "reference_url": "https://github.com/advisories/GHSA-2fph-6v5w-89hh", "reference_id": "GHSA-2fph-6v5w-89hh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2fph-6v5w-89hh" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh", "reference_id": "GHSA-2fph-6v5w-89hh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:19:28Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh" }, { "reference_url": "https://github.com/advisories/GHSA-7jx7-3846-m7w7", "reference_id": "GHSA-7jx7-3846-m7w7", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7jx7-3846-m7w7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374903?format=api", "purl": "pkg:composer/craftcms/cms@5.9.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.13" } ], "aliases": [ "CVE-2026-33157", "GHSA-2fph-6v5w-89hh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-up4q-hz23-vkcn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67762?format=api", "vulnerability_id": "VCID-vj1t-r17b-rufc", "summary": "Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44012", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.0171", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01713", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44012" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44012", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44012" }, { "reference_url": "https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586", "reference_id": "e3f3eaab3d85badd713cfc2c24e5f0792ecdb586", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:49:35Z/" } ], "url": "https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586" }, { "reference_url": "https://github.com/advisories/GHSA-33m5-hqp9-97pw", "reference_id": "GHSA-33m5-hqp9-97pw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-33m5-hqp9-97pw" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw", "reference_id": "GHSA-33m5-hqp9-97pw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:49:35Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376015?format=api", "purl": "pkg:composer/craftcms/cms@5.9.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18" } ], "aliases": [ "CVE-2026-44012", "GHSA-33m5-hqp9-97pw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vj1t-r17b-rufc" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/76900?format=api", "vulnerability_id": "VCID-5r6n-351z-2ybh", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32264", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15346", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15481", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32264" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32264", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32264" }, { "reference_url": "https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70", "reference_id": "78d181e12e0b15e1300f54ec85f19859d3300f70", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70" }, { "reference_url": "https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620", "reference_id": "dfec46362fcb40b330ce8a4d8136446e65085620", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620" }, { "reference_url": "https://github.com/advisories/GHSA-4484-8v2f-5748", "reference_id": "GHSA-4484-8v2f-5748", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4484-8v2f-5748" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748", "reference_id": "GHSA-4484-8v2f-5748", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7", "reference_id": "GHSA-7jx7-3846-m7w7", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374750?format=api", "purl": "pkg:composer/craftcms/cms@4.17.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/374751?format=api", "purl": "pkg:composer/craftcms/cms@5.9.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11" } ], "aliases": [ "CVE-2026-32264", "GHSA-4484-8v2f-5748" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5r6n-351z-2ybh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77048?format=api", "vulnerability_id": "VCID-6bwp-2ksu-xucy", "summary": "Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via \"as\" or \"on\" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32263", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.1531", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15443", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32263" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32263", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32263" }, { "reference_url": "https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7", "reference_id": "d37389dbffafa565143be40a2ab1e1db22a863f7", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:21:06Z/" } ], "url": "https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7", "reference_id": "GHSA-7jx7-3846-m7w7", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:21:06Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7" }, { "reference_url": "https://github.com/advisories/GHSA-qx2q-q59v-wf3j", "reference_id": "GHSA-qx2q-q59v-wf3j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qx2q-q59v-wf3j" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j", "reference_id": "GHSA-qx2q-q59v-wf3j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:21:06Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374751?format=api", "purl": "pkg:composer/craftcms/cms@5.9.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11" } ], "aliases": [ "CVE-2026-32263", "GHSA-qx2q-q59v-wf3j" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6bwp-2ksu-xucy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77735?format=api", "vulnerability_id": "VCID-ayrf-rfwj-37bf", "summary": "Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS payload via the profile editor, then create an entry with two saves. If an administrator is logged in and executes a specifically crafted payload while an elevated session is active, the attacker’s account can be elevated to administrator. This issue has been fixed in version 5.9.11.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33051", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04745", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33051" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33051", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33051" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.11", "reference_id": "5.9.11", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T01:53:08Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.11" }, { "reference_url": "https://github.com/craftcms/cms/commit/f634a9d21edcafd83a6716047d275f985aba6be1", "reference_id": "f634a9d21edcafd83a6716047d275f985aba6be1", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T01:53:08Z/" } ], "url": "https://github.com/craftcms/cms/commit/f634a9d21edcafd83a6716047d275f985aba6be1" }, { "reference_url": "https://github.com/advisories/GHSA-3x4w-mxpf-fhqq", "reference_id": "GHSA-3x4w-mxpf-fhqq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3x4w-mxpf-fhqq" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3x4w-mxpf-fhqq", "reference_id": "GHSA-3x4w-mxpf-fhqq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T01:53:08Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3x4w-mxpf-fhqq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374751?format=api", "purl": "pkg:composer/craftcms/cms@5.9.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11" } ], "aliases": [ "CVE-2026-33051", "GHSA-3x4w-mxpf-fhqq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ayrf-rfwj-37bf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77578?format=api", "vulnerability_id": "VCID-yc89-41eq-b3eh", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename. This could allow an authenticated user with replaceFiles permission on one volume to delete files in other folders/volumes that share the same filesystem root. This only affects local filesystems. This issue has been patched in versions 4.17.5 and 5.9.11.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32262", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12406", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12316", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32262" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32262", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32262" }, { "reference_url": "https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11", "reference_id": "c997efbe4c66c14092714233aeebff15cdbfcf11", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/" } ], "url": "https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11" }, { "reference_url": "https://github.com/advisories/GHSA-472v-j2g4-g9h2", "reference_id": "GHSA-472v-j2g4-g9h2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-472v-j2g4-g9h2" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2", "reference_id": "GHSA-472v-j2g4-g9h2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374750?format=api", "purl": "pkg:composer/craftcms/cms@4.17.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/374751?format=api", "purl": "pkg:composer/craftcms/cms@5.9.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11" } ], "aliases": [ "CVE-2026-32262", "GHSA-472v-j2g4-g9h2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yc89-41eq-b3eh" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11" }