| 0 |
| url |
VCID-12yx-3kck-s7dp |
| vulnerability_id |
VCID-12yx-3kck-s7dp |
| summary |
Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. This vulnerability is fixed in 5.9.0-beta.2 and 4.17.0-beta.2. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-29069 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.18045 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.1802 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.18029 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17869 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-29069 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.2 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 1 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 2 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 3 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 4 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 5 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 6 |
| vulnerability |
VCID-ayrf-rfwj-37bf |
|
| 7 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 8 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 9 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 10 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 11 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 12 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 13 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 14 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 15 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 16 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 17 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 18 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 19 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 20 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 21 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.2 |
|
|
| aliases |
CVE-2026-29069, GHSA-234q-vvw3-mrfq
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-12yx-3kck-s7dp |
|
| 1 |
| url |
VCID-16h7-f3pe-8qh8 |
| vulnerability_id |
VCID-16h7-f3pe-8qh8 |
| summary |
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-28697 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00208 |
| scoring_system |
epss |
| scoring_elements |
0.43462 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00208 |
| scoring_system |
epss |
| scoring_elements |
0.43472 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.00208 |
| scoring_system |
epss |
| scoring_elements |
0.43452 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00208 |
| scoring_system |
epss |
| scoring_elements |
0.43296 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-28697 |
|
| 1 |
| reference_url |
https://github.com/craftcms/cms/pull/18216 |
| reference_id |
18216 |
| reference_type |
|
| scores |
| 0 |
| value |
9.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
|
| 1 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/ |
|
|
| url |
https://github.com/craftcms/cms/pull/18216 |
|
| 2 |
| reference_url |
https://github.com/craftcms/cms/pull/18219 |
| reference_id |
18219 |
| reference_type |
|
| scores |
| 0 |
| value |
9.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
|
| 1 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/ |
|
|
| url |
https://github.com/craftcms/cms/pull/18219 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 5 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 6 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 7 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 8 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 9 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 10 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 11 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 12 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 13 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 14 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 15 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 5 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 6 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 7 |
| vulnerability |
VCID-ayrf-rfwj-37bf |
|
| 8 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 9 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 10 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 11 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 12 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 13 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 14 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 15 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 16 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 17 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 18 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 19 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 20 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 21 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 22 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
CVE-2026-28697, GHSA-v47q-jxvr-p68x
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-16h7-f3pe-8qh8 |
|
| 2 |
| url |
VCID-25ym-rhky-wbaq |
| vulnerability_id |
VCID-25ym-rhky-wbaq |
| summary |
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-33161 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.13161 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.13137 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.13156 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.13059 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-33161 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-33161, GHSA-vgjg-248p-rfm2
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-25ym-rhky-wbaq |
|
| 3 |
| url |
VCID-543c-646v-4yfj |
| vulnerability_id |
VCID-543c-646v-4yfj |
| summary |
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-27129 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01558 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01549 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01546 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01543 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-27129 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.19 |
| purl |
pkg:composer/craftcms/cms@4.16.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 3 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 4 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 5 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 6 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 7 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 8 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 9 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 10 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 11 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 12 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 13 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 14 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 15 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 16 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 17 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 18 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 19 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 20 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 21 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 22 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 23 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 24 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.19 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.23 |
| purl |
pkg:composer/craftcms/cms@5.8.23 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 3 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 4 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 5 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 6 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 7 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 8 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 9 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 10 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 11 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 12 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 13 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 14 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 15 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 16 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 17 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 18 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 19 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 20 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 21 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 22 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 23 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 24 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 25 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 26 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 27 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 28 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 29 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 30 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23 |
|
|
| aliases |
CVE-2026-27129, GHSA-v2gc-rm6g-wrw9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-543c-646v-4yfj |
|
| 4 |
| url |
VCID-5qkr-aqmx-8qau |
| vulnerability_id |
VCID-5qkr-aqmx-8qau |
| summary |
Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
### Summary
An authenticated low-privileged user can call `assets/preview-file` for an asset they are not authorized to view and still receive preview response data (`previewHtml`) for that private asset.
The returned preview HTML included a private preview image route containing the target private `assetId`, even though `canView` was `false` for the attacker account.
### Details
1. `assets/preview-file` accepts an attacker-controlled `assetId` and renders preview output.
2. The action does not enforce per-asset view authorization before returning preview content.
3. As a result, an authenticated user without asset-view permission can still obtain private preview output.
This affects Craft installations that have private assets and authenticated users of mixed privilege levels.
### Resources
- d30df3112220db1ffd6726a3ed11857014c7fb27
- b1cddf72c98a |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-44px-qjjc-xrhq
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5qkr-aqmx-8qau |
|
| 5 |
| url |
VCID-5r6n-351z-2ybh |
| vulnerability_id |
VCID-5r6n-351z-2ybh |
| summary |
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-32264 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00048 |
| scoring_system |
epss |
| scoring_elements |
0.15481 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00048 |
| scoring_system |
epss |
| scoring_elements |
0.15489 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.00048 |
| scoring_system |
epss |
| scoring_elements |
0.15456 |
| published_at |
2026-06-14T12:55:00Z |
|
| 3 |
| value |
0.00048 |
| scoring_system |
epss |
| scoring_elements |
0.15346 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-32264 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.9.11 |
| purl |
pkg:composer/craftcms/cms@5.9.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 1 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 2 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 3 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 4 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 5 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 6 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 7 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 8 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 9 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 10 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 11 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 12 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 13 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11 |
|
|
| aliases |
CVE-2026-32264, GHSA-4484-8v2f-5748
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5r6n-351z-2ybh |
|
| 6 |
| url |
VCID-726q-jfsa-9qdz |
| vulnerability_id |
VCID-726q-jfsa-9qdz |
| summary |
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-25495 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00017 |
| scoring_system |
epss |
| scoring_elements |
0.04577 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00017 |
| scoring_system |
epss |
| scoring_elements |
0.04555 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00017 |
| scoring_system |
epss |
| scoring_elements |
0.04561 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00017 |
| scoring_system |
epss |
| scoring_elements |
0.04576 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-25495 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.18 |
| purl |
pkg:composer/craftcms/cms@4.16.18 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 8 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 9 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 10 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 11 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 12 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 13 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 14 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 15 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 16 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 17 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 18 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 19 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 20 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 21 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 22 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 23 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 24 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 25 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 26 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 27 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 28 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 29 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.22 |
| purl |
pkg:composer/craftcms/cms@5.8.22 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 12 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 13 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 14 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 15 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 16 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 17 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 18 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 19 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 20 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 21 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 22 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 23 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 24 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 25 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 26 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 27 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 28 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 29 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 30 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 31 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 32 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 33 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 34 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 35 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22 |
|
|
| aliases |
CVE-2026-25495, GHSA-2453-mppf-46cj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-726q-jfsa-9qdz |
|
| 7 |
| url |
VCID-76k8-sveq-3qbf |
| vulnerability_id |
VCID-76k8-sveq-3qbf |
| summary |
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-28781 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0005 |
| scoring_system |
epss |
| scoring_elements |
0.16275 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.0005 |
| scoring_system |
epss |
| scoring_elements |
0.16243 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.0005 |
| scoring_system |
epss |
| scoring_elements |
0.16124 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.0005 |
| scoring_system |
epss |
| scoring_elements |
0.16266 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-28781 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 5 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 6 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 7 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 8 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 9 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 10 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 11 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 12 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 13 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 14 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 15 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 5 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 6 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 7 |
| vulnerability |
VCID-ayrf-rfwj-37bf |
|
| 8 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 9 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 10 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 11 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 12 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 13 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 14 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 15 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 16 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 17 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 18 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 19 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 20 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 21 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 22 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
CVE-2026-28781, GHSA-2xfc-g69j-x2mp
|
| risk_score |
3.2 |
| exploitability |
0.5 |
| weighted_severity |
6.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-76k8-sveq-3qbf |
|
| 8 |
| url |
VCID-8kdh-rvh3-4yfv |
| vulnerability_id |
VCID-8kdh-rvh3-4yfv |
| summary |
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-68456 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00214 |
| scoring_system |
epss |
| scoring_elements |
0.44166 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00214 |
| scoring_system |
epss |
| scoring_elements |
0.44159 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.00214 |
| scoring_system |
epss |
| scoring_elements |
0.44177 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00214 |
| scoring_system |
epss |
| scoring_elements |
0.44006 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-68456 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.17 |
| purl |
pkg:composer/craftcms/cms@4.16.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 12 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 13 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 14 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 15 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 16 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 17 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 18 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 19 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 20 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 21 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 22 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 23 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 24 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 25 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 26 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 27 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 28 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 29 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 30 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 31 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 32 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 33 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 34 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.21 |
| purl |
pkg:composer/craftcms/cms@5.8.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 8 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 9 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 10 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 11 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 12 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 16 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 17 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 18 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 19 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 20 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 21 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 22 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 23 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 24 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 25 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 26 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 27 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 28 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 29 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 30 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 31 |
| vulnerability |
VCID-qr5e-wjjt-zudz |
|
| 32 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 33 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 34 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 35 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 36 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 37 |
| vulnerability |
VCID-uxc7-pe63-2khp |
|
| 38 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 39 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 40 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 41 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 42 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21 |
|
|
| aliases |
CVE-2025-68456, GHSA-v64r-7wg9-23pr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8kdh-rvh3-4yfv |
|
| 9 |
| url |
VCID-8m8v-ymqs-fkh9 |
| vulnerability_id |
VCID-8m8v-ymqs-fkh9 |
| summary |
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.17 |
| purl |
pkg:composer/craftcms/cms@4.16.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 12 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 13 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 14 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 15 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 16 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 17 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 18 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 19 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 20 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 21 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 22 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 23 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 24 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 25 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 26 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 27 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 28 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 29 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 30 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 31 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 32 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 33 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 34 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.21 |
| purl |
pkg:composer/craftcms/cms@5.8.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 8 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 9 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 10 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 11 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 12 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 16 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 17 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 18 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 19 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 20 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 21 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 22 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 23 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 24 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 25 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 26 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 27 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 28 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 29 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 30 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 31 |
| vulnerability |
VCID-qr5e-wjjt-zudz |
|
| 32 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 33 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 34 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 35 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 36 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 37 |
| vulnerability |
VCID-uxc7-pe63-2khp |
|
| 38 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 39 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 40 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 41 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 42 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21 |
|
|
| aliases |
CVE-2025-68437, GHSA-x27p-wfqw-hfcc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8m8v-ymqs-fkh9 |
|
| 10 |
| url |
VCID-8rkv-wfha-n7hb |
| vulnerability_id |
VCID-8rkv-wfha-n7hb |
| summary |
Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). Users should update to the patched 5.9.9 or 4.17.4 release to mitigate the issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-31857 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00138 |
| scoring_system |
epss |
| scoring_elements |
0.33699 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00138 |
| scoring_system |
epss |
| scoring_elements |
0.33702 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.00138 |
| scoring_system |
epss |
| scoring_elements |
0.33724 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00138 |
| scoring_system |
epss |
| scoring_elements |
0.33522 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-31857 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.9.9 |
| purl |
pkg:composer/craftcms/cms@5.9.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 1 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 2 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 3 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 4 |
| vulnerability |
VCID-ayrf-rfwj-37bf |
|
| 5 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 6 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 7 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 8 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 9 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 10 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 11 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 12 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 13 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 14 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 15 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 16 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 17 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.9 |
|
|
| aliases |
CVE-2026-31857, GHSA-fp5j-j7j4-mcxc
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8rkv-wfha-n7hb |
|
| 11 |
| url |
VCID-9krv-seyq-juez |
| vulnerability_id |
VCID-9krv-seyq-juez |
| summary |
Craft is a CMS for creating custom digital experiences. Cross-site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-33196 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00095 |
| scoring_system |
epss |
| scoring_elements |
0.2641 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00095 |
| scoring_system |
epss |
| scoring_elements |
0.26611 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29299 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29287 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-33196 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.4.6.1 |
| purl |
pkg:composer/craftcms/cms@4.4.6.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 3 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 4 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 5 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 6 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 7 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 8 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 9 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-9yny-vu36-tyes |
|
| 12 |
| vulnerability |
VCID-a9bc-cgqq-jkfh |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 16 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 17 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 18 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 19 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 20 |
| vulnerability |
VCID-eypa-1c6q-tfau |
|
| 21 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 22 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 23 |
| vulnerability |
VCID-gjvb-ht1w-s3hm |
|
| 24 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 25 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 26 |
| vulnerability |
VCID-hh13-6e1x-p7ez |
|
| 27 |
| vulnerability |
VCID-htqk-ckr5-jbcu |
|
| 28 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 29 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 30 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 31 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 32 |
| vulnerability |
VCID-mhqg-hey8-6bee |
|
| 33 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 34 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 35 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 36 |
| vulnerability |
VCID-pfwt-hxpb-4ub8 |
|
| 37 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 38 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 39 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 40 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 41 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 42 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 43 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 44 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 45 |
| vulnerability |
VCID-wcsx-j8xk-r7c7 |
|
| 46 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 47 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 48 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 49 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 50 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6.1 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@4.4.7 |
| purl |
pkg:composer/craftcms/cms@4.4.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 3 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 4 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 5 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 6 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 7 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 8 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 9 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-9yny-vu36-tyes |
|
| 12 |
| vulnerability |
VCID-a9bc-cgqq-jkfh |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 16 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 17 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 18 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 19 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 20 |
| vulnerability |
VCID-eypa-1c6q-tfau |
|
| 21 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 22 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 23 |
| vulnerability |
VCID-gjvb-ht1w-s3hm |
|
| 24 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 25 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 26 |
| vulnerability |
VCID-hh13-6e1x-p7ez |
|
| 27 |
| vulnerability |
VCID-htqk-ckr5-jbcu |
|
| 28 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 29 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 30 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 31 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 32 |
| vulnerability |
VCID-mhqg-hey8-6bee |
|
| 33 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 34 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 35 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 36 |
| vulnerability |
VCID-pfwt-hxpb-4ub8 |
|
| 37 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 38 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 39 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 40 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 41 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 42 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 43 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 44 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 45 |
| vulnerability |
VCID-wcsx-j8xk-r7c7 |
|
| 46 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 47 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 48 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 49 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 50 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.7 |
|
|
| aliases |
CVE-2023-33196, GHSA-cjmm-x9x9-m2w5
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9krv-seyq-juez |
|
| 12 |
| url |
VCID-9yny-vu36-tyes |
| vulnerability_id |
VCID-9yny-vu36-tyes |
| summary |
Craft CMS through 4.4.9 is vulnerable to HTML Injection. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-33495 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00168 |
| scoring_system |
epss |
| scoring_elements |
0.37785 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00168 |
| scoring_system |
epss |
| scoring_elements |
0.37975 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00168 |
| scoring_system |
epss |
| scoring_elements |
0.37962 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00168 |
| scoring_system |
epss |
| scoring_elements |
0.37987 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-33495 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.4.10 |
| purl |
pkg:composer/craftcms/cms@4.4.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 3 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 4 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 5 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 6 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 7 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 8 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 9 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-a9bc-cgqq-jkfh |
|
| 12 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 13 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 14 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 15 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 16 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 17 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 18 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 19 |
| vulnerability |
VCID-eypa-1c6q-tfau |
|
| 20 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 21 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 22 |
| vulnerability |
VCID-gjvb-ht1w-s3hm |
|
| 23 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 24 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 25 |
| vulnerability |
VCID-hh13-6e1x-p7ez |
|
| 26 |
| vulnerability |
VCID-htqk-ckr5-jbcu |
|
| 27 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 28 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 29 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 30 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 31 |
| vulnerability |
VCID-mhqg-hey8-6bee |
|
| 32 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 33 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 34 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 35 |
| vulnerability |
VCID-pfwt-hxpb-4ub8 |
|
| 36 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 37 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 38 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 39 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 40 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 41 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 42 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 43 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 44 |
| vulnerability |
VCID-wcsx-j8xk-r7c7 |
|
| 45 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 46 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 47 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 48 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 49 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.10 |
|
|
| aliases |
CVE-2023-33495, GHSA-m3v5-gjj9-rg24
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9yny-vu36-tyes |
|
| 13 |
| url |
VCID-a9bc-cgqq-jkfh |
| vulnerability_id |
VCID-a9bc-cgqq-jkfh |
| summary |
Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltration. Although the vulnerability is exploitable only by authenticated users, in a configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution). This issue has been patched in version 4.4.15 and version 3.8.15. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-40035 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00308 |
| scoring_system |
epss |
| scoring_elements |
0.54515 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00308 |
| scoring_system |
epss |
| scoring_elements |
0.54531 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.00308 |
| scoring_system |
epss |
| scoring_elements |
0.5439 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00308 |
| scoring_system |
epss |
| scoring_elements |
0.54516 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-40035 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.4.15 |
| purl |
pkg:composer/craftcms/cms@4.4.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 3 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 4 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 5 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 6 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 7 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 8 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 9 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 12 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 13 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 14 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 15 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 16 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 17 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 18 |
| vulnerability |
VCID-eypa-1c6q-tfau |
|
| 19 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 20 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 21 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 22 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 23 |
| vulnerability |
VCID-htqk-ckr5-jbcu |
|
| 24 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 25 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 26 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 27 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 28 |
| vulnerability |
VCID-mhqg-hey8-6bee |
|
| 29 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 30 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 31 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 32 |
| vulnerability |
VCID-pfwt-hxpb-4ub8 |
|
| 33 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 34 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 35 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 36 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 37 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 38 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 39 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 40 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 41 |
| vulnerability |
VCID-wcsx-j8xk-r7c7 |
|
| 42 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 43 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 44 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 45 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 46 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.15 |
|
|
| aliases |
CVE-2023-40035, GHSA-44wr-rmwq-3phw
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a9bc-cgqq-jkfh |
|
| 14 |
| url |
VCID-ad7v-5hxr-s3a4 |
| vulnerability_id |
VCID-ad7v-5hxr-s3a4 |
| summary |
Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-33197 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00848 |
| scoring_system |
epss |
| scoring_elements |
0.75383 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00848 |
| scoring_system |
epss |
| scoring_elements |
0.75377 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00848 |
| scoring_system |
epss |
| scoring_elements |
0.75368 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00848 |
| scoring_system |
epss |
| scoring_elements |
0.75298 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-33197 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.4.6 |
| purl |
pkg:composer/craftcms/cms@4.4.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 3 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 4 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 5 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 6 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 7 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 8 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 9 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-9krv-seyq-juez |
|
| 12 |
| vulnerability |
VCID-9yny-vu36-tyes |
|
| 13 |
| vulnerability |
VCID-a9bc-cgqq-jkfh |
|
| 14 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 15 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 16 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 17 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 18 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 19 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 20 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 21 |
| vulnerability |
VCID-eypa-1c6q-tfau |
|
| 22 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 23 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 24 |
| vulnerability |
VCID-gjvb-ht1w-s3hm |
|
| 25 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 26 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 27 |
| vulnerability |
VCID-hh13-6e1x-p7ez |
|
| 28 |
| vulnerability |
VCID-htqk-ckr5-jbcu |
|
| 29 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 30 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 31 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 32 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 33 |
| vulnerability |
VCID-mhqg-hey8-6bee |
|
| 34 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 35 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 36 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 37 |
| vulnerability |
VCID-pfwt-hxpb-4ub8 |
|
| 38 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 39 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 40 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 41 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 42 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 43 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 44 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 45 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 46 |
| vulnerability |
VCID-wcsx-j8xk-r7c7 |
|
| 47 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 48 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 49 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 50 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 51 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6 |
|
|
| aliases |
CVE-2023-33197, GHSA-6qjx-787v-6pxr
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ad7v-5hxr-s3a4 |
|
| 15 |
| url |
VCID-b25s-j3du-sfg5 |
| vulnerability_id |
VCID-b25s-j3du-sfg5 |
| summary |
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-25496 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.08305 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.08302 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.08265 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.08303 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-25496 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.18 |
| purl |
pkg:composer/craftcms/cms@4.16.18 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 8 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 9 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 10 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 11 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 12 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 13 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 14 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 15 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 16 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 17 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 18 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 19 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 20 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 21 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 22 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 23 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 24 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 25 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 26 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 27 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 28 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 29 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.22 |
| purl |
pkg:composer/craftcms/cms@5.8.22 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 12 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 13 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 14 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 15 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 16 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 17 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 18 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 19 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 20 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 21 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 22 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 23 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 24 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 25 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 26 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 27 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 28 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 29 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 30 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 31 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 32 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 33 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 34 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 35 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22 |
|
|
| aliases |
CVE-2026-25496, GHSA-9f5h-mmq6-2x78
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b25s-j3du-sfg5 |
|
| 16 |
| url |
VCID-bn85-sts4-5ygq |
| vulnerability_id |
VCID-bn85-sts4-5ygq |
| summary |
Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v |
| reference_id |
GHSA-vg3j-hpm9-8v5v |
| reference_type |
|
| scores |
| 0 |
| value |
LOW |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:05:03Z/ |
|
|
| url |
https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.9.7 |
| purl |
pkg:composer/craftcms/cms@5.9.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 1 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 2 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 3 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 4 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 5 |
| vulnerability |
VCID-ayrf-rfwj-37bf |
|
| 6 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 7 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 8 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 9 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 10 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 11 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 12 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 13 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 14 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 15 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 16 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 17 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 18 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 19 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.7 |
|
|
| aliases |
CVE-2026-29113, GHSA-vg3j-hpm9-8v5v
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bn85-sts4-5ygq |
|
| 17 |
| url |
VCID-br1f-q8nk-v7b3 |
| vulnerability_id |
VCID-br1f-q8nk-v7b3 |
| summary |
Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-28695 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.08271 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.08265 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.08267 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.08234 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-28695 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 5 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 6 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 7 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 8 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 9 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 10 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 11 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 12 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 13 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 14 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 15 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 5 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 6 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 7 |
| vulnerability |
VCID-ayrf-rfwj-37bf |
|
| 8 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 9 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 10 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 11 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 12 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 13 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 14 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 15 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 16 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 17 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 18 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 19 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 20 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 21 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 22 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
CVE-2026-28695, GHSA-94rc-cqvm-m4pw
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-br1f-q8nk-v7b3 |
|
| 18 |
| url |
VCID-c38g-6ttm-yuep |
| vulnerability_id |
VCID-c38g-6ttm-yuep |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-46731 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00231 |
| scoring_system |
epss |
| scoring_elements |
0.46148 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00231 |
| scoring_system |
epss |
| scoring_elements |
0.46162 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.00909 |
| scoring_system |
epss |
| scoring_elements |
0.76267 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00909 |
| scoring_system |
epss |
| scoring_elements |
0.76337 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-46731 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.14.13 |
| purl |
pkg:composer/craftcms/cms@4.14.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 11 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 12 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 16 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 17 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 18 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 19 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 20 |
| vulnerability |
VCID-f67g-n9d6-pkb5 |
|
| 21 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 22 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 23 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 24 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 25 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 26 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 27 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 28 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 29 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 30 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 31 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 32 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 33 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 34 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 35 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 36 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 37 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 38 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 39 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 40 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 41 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 42 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.14.13 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.6.15 |
| purl |
pkg:composer/craftcms/cms@5.6.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 8 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 9 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 10 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 11 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 12 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 13 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 14 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 15 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 16 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 17 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 18 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 19 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 20 |
| vulnerability |
VCID-f67g-n9d6-pkb5 |
|
| 21 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 22 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 23 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 24 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 25 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 26 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 27 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 28 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 29 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 30 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 31 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 32 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 33 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 34 |
| vulnerability |
VCID-qr5e-wjjt-zudz |
|
| 35 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 36 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 37 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 38 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 39 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 40 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 41 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 42 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 43 |
| vulnerability |
VCID-uxc7-pe63-2khp |
|
| 44 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 45 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 46 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 47 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 48 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 49 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.15 |
|
|
| aliases |
CVE-2025-46731, GHSA-7c58-g782-9j38
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c38g-6ttm-yuep |
|
| 19 |
| url |
VCID-cneu-aazx-byfq |
| vulnerability_id |
VCID-cneu-aazx-byfq |
| summary |
CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting User Photo Location in User Settings, leading to Remote Code Execution. NOTE: the vendor disputes this because only Administrators can add this Twig code, and (by design) Administrators are allowed to do that by default. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-30179 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.05499 |
| scoring_system |
epss |
| scoring_elements |
0.90431 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.05499 |
| scoring_system |
epss |
| scoring_elements |
0.9047 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.05499 |
| scoring_system |
epss |
| scoring_elements |
0.90462 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.06196 |
| scoring_system |
epss |
| scoring_elements |
0.91096 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-30179 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.4.2 |
| purl |
pkg:composer/craftcms/cms@4.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 3 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 4 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 5 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 6 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 7 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 8 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 9 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-9fqv-dg3y-wbbf |
|
| 12 |
| vulnerability |
VCID-9krv-seyq-juez |
|
| 13 |
| vulnerability |
VCID-9yny-vu36-tyes |
|
| 14 |
| vulnerability |
VCID-a9bc-cgqq-jkfh |
|
| 15 |
| vulnerability |
VCID-ad7v-5hxr-s3a4 |
|
| 16 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 17 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 18 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 19 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 20 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 21 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 22 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 23 |
| vulnerability |
VCID-eypa-1c6q-tfau |
|
| 24 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 25 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 26 |
| vulnerability |
VCID-gjvb-ht1w-s3hm |
|
| 27 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 28 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 29 |
| vulnerability |
VCID-h3za-7cd7-vkav |
|
| 30 |
| vulnerability |
VCID-hh13-6e1x-p7ez |
|
| 31 |
| vulnerability |
VCID-htqk-ckr5-jbcu |
|
| 32 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 33 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 34 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 35 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 36 |
| vulnerability |
VCID-mhqg-hey8-6bee |
|
| 37 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 38 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 39 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 40 |
| vulnerability |
VCID-pfwt-hxpb-4ub8 |
|
| 41 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 42 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 43 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 44 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 45 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 46 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 47 |
| vulnerability |
VCID-tf8p-xrne-8qfg |
|
| 48 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 49 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 50 |
| vulnerability |
VCID-vvej-1fex-kqdn |
|
| 51 |
| vulnerability |
VCID-wcsx-j8xk-r7c7 |
|
| 52 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 53 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 54 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 55 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 56 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.2 |
|
|
| aliases |
CVE-2023-30179, GHSA-3x74-v64j-qc3f
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cneu-aazx-byfq |
|
| 20 |
| url |
VCID-czuy-m8wp-fka2 |
| vulnerability_id |
VCID-czuy-m8wp-fka2 |
| summary |
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.14.15 |
| purl |
pkg:composer/craftcms/cms@4.14.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 11 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 12 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 16 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 17 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 18 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 19 |
| vulnerability |
VCID-f67g-n9d6-pkb5 |
|
| 20 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 21 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 22 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 23 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 24 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 25 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 26 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 27 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 28 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 29 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 30 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 31 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 32 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 33 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 34 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 35 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 36 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 37 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 38 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 39 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 40 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 41 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.14.15 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.6.17 |
| purl |
pkg:composer/craftcms/cms@5.6.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 8 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 9 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 10 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 11 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 12 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 13 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 14 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 15 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 16 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 17 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 18 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 19 |
| vulnerability |
VCID-f67g-n9d6-pkb5 |
|
| 20 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 21 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 22 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 23 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 24 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 25 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 26 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 27 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 28 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 29 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 30 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 31 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 32 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 33 |
| vulnerability |
VCID-qr5e-wjjt-zudz |
|
| 34 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 35 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 36 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 37 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 38 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 39 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 40 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 41 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 42 |
| vulnerability |
VCID-uxc7-pe63-2khp |
|
| 43 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 44 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 45 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 46 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 47 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 48 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.17 |
|
|
| aliases |
CVE-2025-32432, GHSA-f3gw-9ww9-jmc3
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-czuy-m8wp-fka2 |
|
| 21 |
| url |
VCID-e3k3-fp6t-kycw |
| vulnerability_id |
VCID-e3k3-fp6t-kycw |
| summary |
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-32267 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14803 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14773 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14683 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14804 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-32267 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-32267, GHSA-cc7p-2j3x-x7xf
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e3k3-fp6t-kycw |
|
| 22 |
| url |
VCID-e9qn-ar3q-g3e4 |
| vulnerability_id |
VCID-e9qn-ar3q-g3e4 |
| summary |
Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 5 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 6 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 7 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 8 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 9 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 10 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 11 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 12 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 13 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 14 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 15 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 5 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 6 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 7 |
| vulnerability |
VCID-ayrf-rfwj-37bf |
|
| 8 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 9 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 10 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 11 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 12 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 13 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 14 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 15 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 16 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 17 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 18 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 19 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 20 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 21 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 22 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
GHSA-4mgv-366x-qxvx
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e9qn-ar3q-g3e4 |
|
| 23 |
| url |
VCID-eypa-1c6q-tfau |
| vulnerability_id |
VCID-eypa-1c6q-tfau |
| summary |
Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath, which could lead to Remote Code Execution on the server via Twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-52293 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.21994 |
| scoring_system |
epss |
| scoring_elements |
0.95915 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.21994 |
| scoring_system |
epss |
| scoring_elements |
0.9592 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.21994 |
| scoring_system |
epss |
| scoring_elements |
0.95902 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.21994 |
| scoring_system |
epss |
| scoring_elements |
0.95917 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-52293 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.12.2 |
| purl |
pkg:composer/craftcms/cms@4.12.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 11 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 12 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 16 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 17 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 18 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 19 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 20 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 21 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 22 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 23 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 24 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 25 |
| vulnerability |
VCID-htqk-ckr5-jbcu |
|
| 26 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 27 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 28 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 29 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 30 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 31 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 32 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 33 |
| vulnerability |
VCID-pfwt-hxpb-4ub8 |
|
| 34 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 35 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 36 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 37 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 38 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 39 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 40 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 41 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 42 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 43 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 44 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 45 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 46 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.12.2 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.4.3 |
| purl |
pkg:composer/craftcms/cms@5.4.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 11 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 12 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 16 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 17 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 18 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 19 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 20 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 21 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 22 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 23 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 24 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 25 |
| vulnerability |
VCID-htqk-ckr5-jbcu |
|
| 26 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 27 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 28 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 29 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 30 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 31 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 32 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 33 |
| vulnerability |
VCID-pfwt-hxpb-4ub8 |
|
| 34 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 35 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 36 |
| vulnerability |
VCID-qr5e-wjjt-zudz |
|
| 37 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 38 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 39 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 40 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 41 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 42 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 43 |
| vulnerability |
VCID-uxc7-pe63-2khp |
|
| 44 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 45 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 46 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 47 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 48 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 49 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 50 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.3 |
|
|
| aliases |
CVE-2024-52293, GHSA-f3cw-hg6r-chfv
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-eypa-1c6q-tfau |
|
| 24 |
| url |
VCID-fs3m-av1v-fuf1 |
| vulnerability_id |
VCID-fs3m-av1v-fuf1 |
| summary |
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/craftcms/cms/pull/17220 |
| reference_id |
17220 |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/ |
|
| 6 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/ |
|
|
| url |
https://github.com/craftcms/cms/pull/17220 |
|
| 5 |
| reference_url |
https://github.com/craftcms/cms/releases/tag/4.15.3 |
| reference_id |
4.15.3 |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/ |
|
| 6 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/ |
|
|
| url |
https://github.com/craftcms/cms/releases/tag/4.15.3 |
|
| 6 |
| reference_url |
https://github.com/craftcms/cms/releases/tag/5.7.5 |
| reference_id |
5.7.5 |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/ |
|
| 6 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/ |
|
|
| url |
https://github.com/craftcms/cms/releases/tag/5.7.5 |
|
| 7 |
| reference_url |
https://www.cve.org/CVERecord?id=CVE-2025-35939 |
| reference_id |
CVERecord?id=CVE-2025-35939 |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/ |
|
| 6 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/ |
|
|
| url |
https://www.cve.org/CVERecord?id=CVE-2025-35939 |
|
| 8 |
|
| 9 |
| reference_url |
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json |
| reference_id |
va-25-147-01.json |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/ |
|
| 6 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/ |
|
|
| url |
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.15.3 |
| purl |
pkg:composer/craftcms/cms@4.15.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 11 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 12 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 13 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 14 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 15 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 16 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 17 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 18 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 19 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 20 |
| vulnerability |
VCID-f67g-n9d6-pkb5 |
|
| 21 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 22 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 23 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 24 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 25 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 26 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 27 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 28 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 29 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 30 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 31 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 32 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 33 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 34 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 35 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 36 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 37 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 38 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 39 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 40 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 41 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.15.3 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.7.5 |
| purl |
pkg:composer/craftcms/cms@5.7.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 8 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 9 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 10 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 11 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 12 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 13 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 14 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 15 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 16 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 17 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 18 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 19 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 20 |
| vulnerability |
VCID-f67g-n9d6-pkb5 |
|
| 21 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 22 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 23 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 24 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 25 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 26 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 27 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 28 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 29 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 30 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 31 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 32 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 33 |
| vulnerability |
VCID-qr5e-wjjt-zudz |
|
| 34 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 35 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 36 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 37 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 38 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 39 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 40 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 41 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 42 |
| vulnerability |
VCID-uxc7-pe63-2khp |
|
| 43 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 44 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 45 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 46 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 47 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 48 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.7.5 |
|
|
| aliases |
CVE-2025-35939, GHSA-7vrx-9684-xrf2
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fs3m-av1v-fuf1 |
|
| 25 |
| url |
VCID-g637-7ns6-kyhj |
| vulnerability_id |
VCID-g637-7ns6-kyhj |
| summary |
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-28783 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.1118 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.11214 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.11222 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.11156 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-28783 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/craftcms/cms/pull/18208 |
| reference_id |
18208 |
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 1 |
| value |
9.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:33:33Z/ |
|
|
| url |
https://github.com/craftcms/cms/pull/18208 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 5 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 6 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 7 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 8 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 9 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 10 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 11 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 12 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 13 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 14 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 15 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 5 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 6 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 7 |
| vulnerability |
VCID-ayrf-rfwj-37bf |
|
| 8 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 9 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 10 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 11 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 12 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 13 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 14 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 15 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 16 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 17 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 18 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 19 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 20 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 21 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 22 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
CVE-2026-28783, GHSA-5fvc-7894-ghp4
|
| risk_score |
4.2 |
| exploitability |
0.5 |
| weighted_severity |
8.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g637-7ns6-kyhj |
|
| 26 |
| url |
VCID-gjvb-ht1w-s3hm |
| vulnerability_id |
VCID-gjvb-ht1w-s3hm |
| summary |
|
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.4.15 |
| purl |
pkg:composer/craftcms/cms@4.4.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 3 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 4 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 5 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 6 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 7 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 8 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 9 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 12 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 13 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 14 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 15 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 16 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 17 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 18 |
| vulnerability |
VCID-eypa-1c6q-tfau |
|
| 19 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 20 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 21 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 22 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 23 |
| vulnerability |
VCID-htqk-ckr5-jbcu |
|
| 24 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 25 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 26 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 27 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 28 |
| vulnerability |
VCID-mhqg-hey8-6bee |
|
| 29 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 30 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 31 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 32 |
| vulnerability |
VCID-pfwt-hxpb-4ub8 |
|
| 33 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 34 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 35 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 36 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 37 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 38 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 39 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 40 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 41 |
| vulnerability |
VCID-wcsx-j8xk-r7c7 |
|
| 42 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 43 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 44 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 45 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 46 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.15 |
|
|
| aliases |
CVE-2023-41892, GHSA-4w8r-3xrw-v25g
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gjvb-ht1w-s3hm |
|
| 27 |
| url |
VCID-gp2d-vv3n-euda |
| vulnerability_id |
VCID-gp2d-vv3n-euda |
| summary |
Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume." Versions 4.17.9 and 5.9.15 patch the issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-41129 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.13144 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.1312 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.13041 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.13139 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-41129 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-41129, GHSA-3m9m-24vh-39wx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gp2d-vv3n-euda |
|
| 28 |
| url |
VCID-grmm-88sf-wyd4 |
| vulnerability_id |
VCID-grmm-88sf-wyd4 |
| summary |
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 that allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-27127 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8e-05 |
| scoring_system |
epss |
| scoring_elements |
0.00709 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
8e-05 |
| scoring_system |
epss |
| scoring_elements |
0.00715 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
8e-05 |
| scoring_system |
epss |
| scoring_elements |
0.0071 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
8e-05 |
| scoring_system |
epss |
| scoring_elements |
0.00711 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-27127 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.19 |
| purl |
pkg:composer/craftcms/cms@4.16.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 3 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 4 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 5 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 6 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 7 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 8 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 9 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 10 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 11 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 12 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 13 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 14 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 15 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 16 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 17 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 18 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 19 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 20 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 21 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 22 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 23 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 24 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.19 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.23 |
| purl |
pkg:composer/craftcms/cms@5.8.23 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 3 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 4 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 5 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 6 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 7 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 8 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 9 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 10 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 11 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 12 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 13 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 14 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 15 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 16 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 17 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 18 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 19 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 20 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 21 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 22 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 23 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 24 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 25 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 26 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 27 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 28 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 29 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 30 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23 |
|
|
| aliases |
CVE-2026-27127, GHSA-gp2f-7wcm-5fhx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-grmm-88sf-wyd4 |
|
| 29 |
| url |
VCID-hh13-6e1x-p7ez |
| vulnerability_id |
VCID-hh13-6e1x-p7ez |
| summary |
A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags, can be injected into field names; when the field is added to a category or section, the injected markup triggers when users visit the Categories or Entries pages respectively. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-2817 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.56903 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.5703 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.57024 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.57038 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-2817 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.4.12 |
| purl |
pkg:composer/craftcms/cms@4.4.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 3 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 4 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 5 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 6 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 7 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 8 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 9 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-a9bc-cgqq-jkfh |
|
| 12 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 13 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 14 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 15 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 16 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 17 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 18 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 19 |
| vulnerability |
VCID-eypa-1c6q-tfau |
|
| 20 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 21 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 22 |
| vulnerability |
VCID-gjvb-ht1w-s3hm |
|
| 23 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 24 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 25 |
| vulnerability |
VCID-htqk-ckr5-jbcu |
|
| 26 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 27 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 28 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 29 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 30 |
| vulnerability |
VCID-mhqg-hey8-6bee |
|
| 31 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 32 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 33 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 34 |
| vulnerability |
VCID-pfwt-hxpb-4ub8 |
|
| 35 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 36 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 37 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 38 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 39 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 40 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 41 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 42 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 43 |
| vulnerability |
VCID-wcsx-j8xk-r7c7 |
|
| 44 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 45 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 46 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 47 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 48 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.12 |
|
|
| aliases |
CVE-2023-2817, GHSA-7x94-jx75-3gh6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hh13-6e1x-p7ez |
|
| 30 |
| url |
VCID-htqk-ckr5-jbcu |
| vulnerability_id |
VCID-htqk-ckr5-jbcu |
| summary |
Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By embedding this function within a system notification template, the attacker can exfiltrate the Base64-encoded file content through a triggered system email notification. Once the email is received, the Base64 payload can be decoded, allowing the attacker to read arbitrary files on the server. This is fixed in 5.4.9 and 4.12.8. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-52292 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00428 |
| scoring_system |
epss |
| scoring_elements |
0.6297 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00428 |
| scoring_system |
epss |
| scoring_elements |
0.62978 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00428 |
| scoring_system |
epss |
| scoring_elements |
0.62869 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00428 |
| scoring_system |
epss |
| scoring_elements |
0.62982 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-52292 |
|
| 1 |
|
| 2 |
|
| 3 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.12.8 |
| purl |
pkg:composer/craftcms/cms@4.12.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 11 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 12 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 16 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 17 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 18 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 19 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 20 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 21 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 22 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 23 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 24 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 25 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 26 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 27 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 28 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 29 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 30 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 31 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 32 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 33 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 34 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 35 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 36 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 37 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 38 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 39 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 40 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 41 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 42 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 43 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 44 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.12.8 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.4.9 |
| purl |
pkg:composer/craftcms/cms@5.4.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 11 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 12 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 16 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 17 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 18 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 19 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 20 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 21 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 22 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 23 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 24 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 25 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 26 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 27 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 28 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 29 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 30 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 31 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 32 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 33 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 34 |
| vulnerability |
VCID-qr5e-wjjt-zudz |
|
| 35 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 36 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 37 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 38 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 39 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 40 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 41 |
| vulnerability |
VCID-uxc7-pe63-2khp |
|
| 42 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 43 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 44 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 45 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 46 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 47 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 48 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.9 |
|
|
| aliases |
CVE-2024-52292, GHSA-cw6g-qmjq-6w2w
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-htqk-ckr5-jbcu |
|
| 31 |
| url |
VCID-j6wk-k1jb-jfd5 |
| vulnerability_id |
VCID-j6wk-k1jb-jfd5 |
| summary |
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-33160 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00016 |
| scoring_system |
epss |
| scoring_elements |
0.04013 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00016 |
| scoring_system |
epss |
| scoring_elements |
0.04003 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.00016 |
| scoring_system |
epss |
| scoring_elements |
0.03998 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00016 |
| scoring_system |
epss |
| scoring_elements |
0.04014 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-33160 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-33160, GHSA-5pgf-h923-m958
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j6wk-k1jb-jfd5 |
|
| 32 |
| url |
VCID-kb3b-8hqt-nqfj |
| vulnerability_id |
VCID-kb3b-8hqt-nqfj |
| summary |
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version should rotate their security keys and ensure their privacy to help mitigate the issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.13.8 |
| purl |
pkg:composer/craftcms/cms@4.13.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 11 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 12 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 16 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 17 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 18 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 19 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 20 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 21 |
| vulnerability |
VCID-f67g-n9d6-pkb5 |
|
| 22 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 23 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 24 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 25 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 26 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 27 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 28 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 29 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 30 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 31 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 32 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 33 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 34 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 35 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 36 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 37 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 38 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 39 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 40 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 41 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 42 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 43 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.13.8 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.5.8 |
| purl |
pkg:composer/craftcms/cms@5.5.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 11 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 12 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 16 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 17 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 18 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 19 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 20 |
| vulnerability |
VCID-f67g-n9d6-pkb5 |
|
| 21 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 22 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 23 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 24 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 25 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 26 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 27 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 28 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 29 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 30 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 31 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 32 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 33 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 34 |
| vulnerability |
VCID-qr5e-wjjt-zudz |
|
| 35 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 36 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 37 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 38 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 39 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 40 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 41 |
| vulnerability |
VCID-uxc7-pe63-2khp |
|
| 42 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 43 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 44 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 45 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 46 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 47 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.8 |
|
|
| aliases |
CVE-2025-23209, GHSA-x684-96hh-833x
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kb3b-8hqt-nqfj |
|
| 33 |
| url |
VCID-mhqg-hey8-6bee |
| vulnerability_id |
VCID-mhqg-hey8-6bee |
| summary |
An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings to Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not a report about code provided by the Craft CMS product; it is only a report about the Feed Me plugin. NOTE: a third-party report states that commit b5d6ede51848349bd91bc95fec288b6793f15e28 has "nothing to do with security." |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-36260 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00366 |
| scoring_system |
epss |
| scoring_elements |
0.59123 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00366 |
| scoring_system |
epss |
| scoring_elements |
0.59114 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00366 |
| scoring_system |
epss |
| scoring_elements |
0.59112 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00366 |
| scoring_system |
epss |
| scoring_elements |
0.59001 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-36260 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@4.7.0 |
| purl |
pkg:composer/craftcms/cms@4.7.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 11 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 12 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 16 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 17 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 18 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 19 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 20 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 21 |
| vulnerability |
VCID-eypa-1c6q-tfau |
|
| 22 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 23 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 24 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 25 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 26 |
| vulnerability |
VCID-htqk-ckr5-jbcu |
|
| 27 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 28 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 29 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 30 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 31 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 32 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 33 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 34 |
| vulnerability |
VCID-pfwt-hxpb-4ub8 |
|
| 35 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 36 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 37 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 38 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 39 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 40 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 41 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 42 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 43 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 44 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 45 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 46 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 47 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.7.0 |
|
|
| aliases |
CVE-2023-36260, GHSA-6p78-f7h9-6838
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mhqg-hey8-6bee |
|
| 34 |
| url |
VCID-nep2-e16y-9yg4 |
| vulnerability_id |
VCID-nep2-e16y-9yg4 |
| summary |
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-33159 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00023 |
| scoring_system |
epss |
| scoring_elements |
0.06602 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00023 |
| scoring_system |
epss |
| scoring_elements |
0.06595 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00023 |
| scoring_system |
epss |
| scoring_elements |
0.06613 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00023 |
| scoring_system |
epss |
| scoring_elements |
0.06624 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-33159 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-33159, GHSA-6mrr-q3pj-h53w
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nep2-e16y-9yg4 |
|
| 35 |
| url |
VCID-nhab-uyen-ayhq |
| vulnerability_id |
VCID-nhab-uyen-ayhq |
| summary |
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-28696 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.07115 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.07126 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.07121 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.07094 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-28696 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 5 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 6 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 7 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 8 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 9 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 10 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 11 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 12 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 13 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 14 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 15 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 5 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 6 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 7 |
| vulnerability |
VCID-ayrf-rfwj-37bf |
|
| 8 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 9 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 10 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 11 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 12 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 13 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 14 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 15 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 16 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 17 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 18 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 19 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 20 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 21 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 22 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
CVE-2026-28696, GHSA-7x43-mpfg-r9wj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nhab-uyen-ayhq |
|
| 36 |
| url |
VCID-p8kk-e27s-n7cs |
| vulnerability_id |
VCID-p8kk-e27s-n7cs |
| summary |
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. This issue is patched in versions 4.16.18 and 5.8.22. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-25493 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05818 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05826 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05835 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05844 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-25493 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/craftcms/cms/releases/tag/5.8.22 |
| reference_id |
5.8.22 |
| reference_type |
|
| scores |
| 0 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/ |
|
|
| url |
https://github.com/craftcms/cms/releases/tag/5.8.22 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx |
| reference_id |
GHSA-8jr8-7hr4-vhfx |
| reference_type |
|
| scores |
| 0 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/ |
|
|
| url |
https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.18 |
| purl |
pkg:composer/craftcms/cms@4.16.18 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 8 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 9 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 10 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 11 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 12 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 13 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 14 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 15 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 16 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 17 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 18 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 19 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 20 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 21 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 22 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 23 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 24 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 25 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 26 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 27 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 28 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 29 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.22 |
| purl |
pkg:composer/craftcms/cms@5.8.22 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 12 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 13 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 14 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 15 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 16 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 17 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 18 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 19 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 20 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 21 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 22 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 23 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 24 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 25 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 26 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 27 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 28 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 29 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 30 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 31 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 32 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 33 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 34 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 35 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22 |
|
|
| aliases |
CVE-2026-25493, GHSA-8jr8-7hr4-vhfx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-p8kk-e27s-n7cs |
|
| 37 |
| url |
VCID-pfwt-hxpb-4ub8 |
| vulnerability_id |
VCID-pfwt-hxpb-4ub8 |
| summary |
Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme (e.g., file://file:////). This enables the attacker to specify sensitive folders as the file system, leading to potential file overwriting through malicious uploads, unauthorized access to sensitive files, and, under certain conditions, remote code execution (RCE) via Server-Side Template Injection (SSTI) payloads. Note that this will only work if you have an authenticated administrator account with allowAdminChanges enabled. This is fixed in 5.4.6 and 4.12.5. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-52291 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00128 |
| scoring_system |
epss |
| scoring_elements |
0.31889 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00128 |
| scoring_system |
epss |
| scoring_elements |
0.31872 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00128 |
| scoring_system |
epss |
| scoring_elements |
0.31684 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00128 |
| scoring_system |
epss |
| scoring_elements |
0.31873 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-52291 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q |
| reference_id |
GHSA-jrh5-vhr9-qh7q |
| reference_type |
|
| scores |
| 0 |
| value |
8.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H |
|
| 1 |
| value |
8.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
7.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P |
|
| 4 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:50:50Z/ |
|
|
| url |
https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.12.5 |
| purl |
pkg:composer/craftcms/cms@4.12.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 11 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 12 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 16 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 17 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 18 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 19 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 20 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 21 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 22 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 23 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 24 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 25 |
| vulnerability |
VCID-htqk-ckr5-jbcu |
|
| 26 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 27 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 28 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 29 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 30 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 31 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 32 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 33 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 34 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 35 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 36 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 37 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 38 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 39 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 40 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 41 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 42 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 43 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 44 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 45 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.12.5 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.4.6 |
| purl |
pkg:composer/craftcms/cms@5.4.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 11 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 12 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 16 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 17 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 18 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 19 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 20 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 21 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 22 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 23 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 24 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 25 |
| vulnerability |
VCID-htqk-ckr5-jbcu |
|
| 26 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 27 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 28 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 29 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 30 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 31 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 32 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 33 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 34 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 35 |
| vulnerability |
VCID-qr5e-wjjt-zudz |
|
| 36 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 37 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 38 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 39 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 40 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 41 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 42 |
| vulnerability |
VCID-uxc7-pe63-2khp |
|
| 43 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 44 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 45 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 46 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 47 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 48 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 49 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.6 |
|
|
| aliases |
CVE-2024-52291, GHSA-jrh5-vhr9-qh7q
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pfwt-hxpb-4ub8 |
|
| 38 |
| url |
VCID-py3b-5ps7-7fe3 |
| vulnerability_id |
VCID-py3b-5ps7-7fe3 |
| summary |
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-33158 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00016 |
| scoring_system |
epss |
| scoring_elements |
0.03906 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00016 |
| scoring_system |
epss |
| scoring_elements |
0.03918 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00016 |
| scoring_system |
epss |
| scoring_elements |
0.03898 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00016 |
| scoring_system |
epss |
| scoring_elements |
0.03916 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-33158 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-33158, GHSA-3pvf-vxrv-hh9c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-py3b-5ps7-7fe3 |
|
| 39 |
| url |
VCID-qmcc-3ued-m7gk |
| vulnerability_id |
VCID-qmcc-3ued-m7gk |
| summary |
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-28782 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.13077 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12995 |
| published_at |
2026-06-11T12:55:00Z |
|
| 2 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.13092 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.131 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-28782 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 5 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 6 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 7 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 8 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 9 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 10 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 11 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 12 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 13 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 14 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 15 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 5 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 6 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 7 |
| vulnerability |
VCID-ayrf-rfwj-37bf |
|
| 8 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 9 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 10 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 11 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 12 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 13 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 14 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 15 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 16 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 17 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 18 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 19 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 20 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 21 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 22 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
CVE-2026-28782, GHSA-jxm3-pmm2-9gf6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qmcc-3ued-m7gk |
|
| 40 |
| url |
VCID-qrmg-jky7-87cb |
| vulnerability_id |
VCID-qrmg-jky7-87cb |
| summary |
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-68454 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00499 |
| scoring_system |
epss |
| scoring_elements |
0.66457 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00499 |
| scoring_system |
epss |
| scoring_elements |
0.66459 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.00499 |
| scoring_system |
epss |
| scoring_elements |
0.66446 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00499 |
| scoring_system |
epss |
| scoring_elements |
0.66351 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-68454 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.17 |
| purl |
pkg:composer/craftcms/cms@4.16.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 12 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 13 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 14 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 15 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 16 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 17 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 18 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 19 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 20 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 21 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 22 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 23 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 24 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 25 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 26 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 27 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 28 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 29 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 30 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 31 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 32 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 33 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 34 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.21 |
| purl |
pkg:composer/craftcms/cms@5.8.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 8 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 9 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 10 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 11 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 12 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 16 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 17 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 18 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 19 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 20 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 21 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 22 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 23 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 24 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 25 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 26 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 27 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 28 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 29 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 30 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 31 |
| vulnerability |
VCID-qr5e-wjjt-zudz |
|
| 32 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 33 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 34 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 35 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 36 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 37 |
| vulnerability |
VCID-uxc7-pe63-2khp |
|
| 38 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 39 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 40 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 41 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 42 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21 |
|
|
| aliases |
CVE-2025-68454, GHSA-742x-x762-7383
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qrmg-jky7-87cb |
|
| 41 |
| url |
VCID-r47n-36pn-cbe4 |
| vulnerability_id |
VCID-r47n-36pn-cbe4 |
| summary |
Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the schema-resolved volume but fetches the target asset by ID without verifying that the asset belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-25497 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.07456 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.07447 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.07428 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.07463 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-25497 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 5 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 6 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 7 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 8 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 9 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 10 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 11 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 12 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 13 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 14 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 15 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 5 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 6 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 7 |
| vulnerability |
VCID-ayrf-rfwj-37bf |
|
| 8 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 9 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 10 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 11 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 12 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 13 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 14 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 15 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 16 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 17 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 18 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 19 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 20 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 21 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 22 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
CVE-2026-25497, GHSA-fxp3-g6gw-4r4v
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-r47n-36pn-cbe4 |
|
| 42 |
| url |
VCID-rezz-ka5s-hyg2 |
| vulnerability_id |
VCID-rezz-ka5s-hyg2 |
| summary |
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-68455 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0114 |
| scoring_system |
epss |
| scoring_elements |
0.78906 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.0114 |
| scoring_system |
epss |
| scoring_elements |
0.78828 |
| published_at |
2026-06-11T12:55:00Z |
|
| 2 |
| value |
0.0114 |
| scoring_system |
epss |
| scoring_elements |
0.78893 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.0114 |
| scoring_system |
epss |
| scoring_elements |
0.7891 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-68455 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.17 |
| purl |
pkg:composer/craftcms/cms@4.16.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 12 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 13 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 14 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 15 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 16 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 17 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 18 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 19 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 20 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 21 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 22 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 23 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 24 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 25 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 26 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 27 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 28 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 29 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 30 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 31 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 32 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 33 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 34 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.21 |
| purl |
pkg:composer/craftcms/cms@5.8.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 8 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 9 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 10 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 11 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 12 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 16 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 17 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 18 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 19 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 20 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 21 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 22 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 23 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 24 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 25 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 26 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 27 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 28 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 29 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 30 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 31 |
| vulnerability |
VCID-qr5e-wjjt-zudz |
|
| 32 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 33 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 34 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 35 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 36 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 37 |
| vulnerability |
VCID-uxc7-pe63-2khp |
|
| 38 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 39 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 40 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 41 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 42 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21 |
|
|
| aliases |
CVE-2025-68455, GHSA-255j-qw47-wjh5
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rezz-ka5s-hyg2 |
|
| 43 |
| url |
VCID-smdx-nfbs-2qbx |
| vulnerability_id |
VCID-smdx-nfbs-2qbx |
| summary |
Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources.
When `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). Versions 4.17.9 and 5.9.15 patch the issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-41130 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.16435 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.16405 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.1628 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.16424 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-41130 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-41130, GHSA-95wr-3f2v-v2wh
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-smdx-nfbs-2qbx |
|
| 44 |
| url |
VCID-t37k-f7k1-gyhz |
| vulnerability_id |
VCID-t37k-f7k1-gyhz |
| summary |
Craft is a platform for creating digital experiences. When a payload is inserted into a label name or instruction of an entry type, cross-site scripting (XSS) occurs in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-23927 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.02749 |
| scoring_system |
epss |
| scoring_elements |
0.86381 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.02749 |
| scoring_system |
epss |
| scoring_elements |
0.86379 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.02749 |
| scoring_system |
epss |
| scoring_elements |
0.8632 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.02749 |
| scoring_system |
epss |
| scoring_elements |
0.86371 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-23927 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.3.7 |
| purl |
pkg:composer/craftcms/cms@4.3.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 3 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 4 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 5 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 6 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 7 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 8 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 9 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-9fqv-dg3y-wbbf |
|
| 12 |
| vulnerability |
VCID-9krv-seyq-juez |
|
| 13 |
| vulnerability |
VCID-9yny-vu36-tyes |
|
| 14 |
| vulnerability |
VCID-a9bc-cgqq-jkfh |
|
| 15 |
| vulnerability |
VCID-ad7v-5hxr-s3a4 |
|
| 16 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 17 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 18 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 19 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 20 |
| vulnerability |
VCID-cneu-aazx-byfq |
|
| 21 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 22 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 23 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 24 |
| vulnerability |
VCID-eypa-1c6q-tfau |
|
| 25 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 26 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 27 |
| vulnerability |
VCID-gjvb-ht1w-s3hm |
|
| 28 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 29 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 30 |
| vulnerability |
VCID-h3za-7cd7-vkav |
|
| 31 |
| vulnerability |
VCID-hh13-6e1x-p7ez |
|
| 32 |
| vulnerability |
VCID-htqk-ckr5-jbcu |
|
| 33 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 34 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 35 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 36 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 37 |
| vulnerability |
VCID-mhqg-hey8-6bee |
|
| 38 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 39 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 40 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 41 |
| vulnerability |
VCID-pfwt-hxpb-4ub8 |
|
| 42 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 43 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 44 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 45 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 46 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 47 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 48 |
| vulnerability |
VCID-tf8p-xrne-8qfg |
|
| 49 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 50 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 51 |
| vulnerability |
VCID-vvej-1fex-kqdn |
|
| 52 |
| vulnerability |
VCID-wcsx-j8xk-r7c7 |
|
| 53 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 54 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 55 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 56 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 57 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.3.7 |
|
|
| aliases |
CVE-2023-23927, GHSA-qcrj-6ffc-v7hq
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t37k-f7k1-gyhz |
|
| 45 |
| url |
VCID-tfc8-rkdd-53f7 |
| vulnerability_id |
VCID-tfc8-rkdd-53f7 |
| summary |
Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-57811 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00227 |
| scoring_system |
epss |
| scoring_elements |
0.45778 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00227 |
| scoring_system |
epss |
| scoring_elements |
0.45764 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00227 |
| scoring_system |
epss |
| scoring_elements |
0.45622 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00227 |
| scoring_system |
epss |
| scoring_elements |
0.45769 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-57811 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/craftcms/cms/pull/17612 |
| reference_id |
17612 |
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 1 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/ |
|
|
| url |
https://github.com/craftcms/cms/pull/17612 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.6 |
| purl |
pkg:composer/craftcms/cms@4.16.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 11 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 12 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 13 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 14 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 15 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 16 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 17 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 18 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 19 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 20 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 21 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 22 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 23 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 24 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 25 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 26 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 27 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 28 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 29 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 30 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 31 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 32 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 33 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 34 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 35 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 36 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 37 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 38 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 39 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.6 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.7 |
| purl |
pkg:composer/craftcms/cms@5.8.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 8 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 9 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 10 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 11 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 12 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 13 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 14 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 15 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 16 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 17 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 18 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 19 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 20 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 21 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 22 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 23 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 24 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 25 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 26 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 27 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 28 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 29 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 30 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 31 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 32 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 33 |
| vulnerability |
VCID-qr5e-wjjt-zudz |
|
| 34 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 35 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 36 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 37 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 38 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 39 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 40 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 41 |
| vulnerability |
VCID-uxc7-pe63-2khp |
|
| 42 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 43 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 44 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 45 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 46 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 47 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.7 |
|
|
| aliases |
CVE-2025-57811, GHSA-crcq-738g-pqvc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tfc8-rkdd-53f7 |
|
| 46 |
| url |
VCID-vrpf-parp-7kgr |
| vulnerability_id |
VCID-vrpf-parp-7kgr |
| summary |
Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-25498 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00368 |
| scoring_system |
epss |
| scoring_elements |
0.59286 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00368 |
| scoring_system |
epss |
| scoring_elements |
0.59295 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.00368 |
| scoring_system |
epss |
| scoring_elements |
0.59283 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00368 |
| scoring_system |
epss |
| scoring_elements |
0.59171 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-25498 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.18 |
| purl |
pkg:composer/craftcms/cms@4.16.18 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 8 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 9 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 10 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 11 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 12 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 13 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 14 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 15 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 16 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 17 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 18 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 19 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 20 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 21 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 22 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 23 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 24 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 25 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 26 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 27 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 28 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 29 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.22 |
| purl |
pkg:composer/craftcms/cms@5.8.22 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 12 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 13 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 14 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 15 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 16 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 17 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 18 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 19 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 20 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 21 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 22 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 23 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 24 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 25 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 26 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 27 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 28 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 29 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 30 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 31 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 32 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 33 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 34 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 35 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22 |
|
|
| aliases |
CVE-2026-25498, GHSA-7jx7-3846-m7w7
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vrpf-parp-7kgr |
|
| 47 |
| url |
VCID-wcsx-j8xk-r7c7 |
| vulnerability_id |
VCID-wcsx-j8xk-r7c7 |
| summary |
Craft is a content management system. This is a potential moderate-impact, low-complexity privilege escalation vulnerability in Craft, starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16, with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-21622 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00103 |
| scoring_system |
epss |
| scoring_elements |
0.2763 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00103 |
| scoring_system |
epss |
| scoring_elements |
0.27846 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00103 |
| scoring_system |
epss |
| scoring_elements |
0.27856 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00103 |
| scoring_system |
epss |
| scoring_elements |
0.27832 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-21622 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.5.11 |
| purl |
pkg:composer/craftcms/cms@4.5.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 11 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 12 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 16 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 17 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 18 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 19 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 20 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 21 |
| vulnerability |
VCID-eypa-1c6q-tfau |
|
| 22 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 23 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 24 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 25 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 26 |
| vulnerability |
VCID-htqk-ckr5-jbcu |
|
| 27 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 28 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 29 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 30 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 31 |
| vulnerability |
VCID-mhqg-hey8-6bee |
|
| 32 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 33 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 34 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 35 |
| vulnerability |
VCID-pfwt-hxpb-4ub8 |
|
| 36 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 37 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 38 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 39 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 40 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 41 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 42 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 43 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 44 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 45 |
| vulnerability |
VCID-x12b-mjr9-sba2 |
|
| 46 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 47 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 48 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.5.11 |
|
|
| aliases |
CVE-2024-21622, GHSA-j5g9-j7r4-6qvx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wcsx-j8xk-r7c7 |
|
| 48 |
| url |
VCID-wnr9-2wyr-wug4 |
| vulnerability_id |
VCID-wnr9-2wyr-wug4 |
| summary |
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets through their user profile photo by sending maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-68436 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11747 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11776 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.1177 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11692 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-68436 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.17 |
| purl |
pkg:composer/craftcms/cms@4.16.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 12 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 13 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 14 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 15 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 16 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 17 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 18 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 19 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 20 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 21 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 22 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 23 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 24 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 25 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 26 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 27 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 28 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 29 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 30 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 31 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 32 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 33 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 34 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.21 |
| purl |
pkg:composer/craftcms/cms@5.8.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 8 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 9 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 10 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 11 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 12 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 16 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 17 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 18 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 19 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 20 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 21 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 22 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 23 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 24 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 25 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 26 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 27 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 28 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 29 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 30 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 31 |
| vulnerability |
VCID-qr5e-wjjt-zudz |
|
| 32 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 33 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 34 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 35 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 36 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 37 |
| vulnerability |
VCID-uxc7-pe63-2khp |
|
| 38 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 39 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 40 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 41 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 42 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21 |
|
|
| aliases |
CVE-2025-68436, GHSA-53vf-c43h-j2x9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wnr9-2wyr-wug4 |
|
| 49 |
| url |
VCID-x12b-mjr9-sba2 |
| vulnerability_id |
VCID-x12b-mjr9-sba2 |
| summary |
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are exposed to this vulnerability if their php.ini configuration has `register_argc_argv` enabled; for these users, an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9 |
| reference_id |
GHSA-2p6p-9rc9-62j9 |
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
CRITICAL |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A |
|
| 4 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/ |
|
|
| url |
https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.13.2 |
| purl |
pkg:composer/craftcms/cms@4.13.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 11 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 12 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 16 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 17 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 18 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 19 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 20 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 21 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 22 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 23 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 24 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 25 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 26 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 27 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 28 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 29 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 30 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 31 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 32 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 33 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 34 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 35 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 36 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 37 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 38 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 39 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 40 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 41 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 42 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 43 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.13.2 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.5.2 |
| purl |
pkg:composer/craftcms/cms@5.5.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-726q-jfsa-9qdz |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8kdh-rvh3-4yfv |
|
| 11 |
| vulnerability |
VCID-8m8v-ymqs-fkh9 |
|
| 12 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 13 |
| vulnerability |
VCID-b25s-j3du-sfg5 |
|
| 14 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 15 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 16 |
| vulnerability |
VCID-c38g-6ttm-yuep |
|
| 17 |
| vulnerability |
VCID-czuy-m8wp-fka2 |
|
| 18 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 19 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 20 |
| vulnerability |
VCID-fs3m-av1v-fuf1 |
|
| 21 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 22 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 23 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 24 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 25 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 26 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 27 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 28 |
| vulnerability |
VCID-kb3b-8hqt-nqfj |
|
| 29 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 30 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 31 |
| vulnerability |
VCID-p8kk-e27s-n7cs |
|
| 32 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 33 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 34 |
| vulnerability |
VCID-qr5e-wjjt-zudz |
|
| 35 |
| vulnerability |
VCID-qrmg-jky7-87cb |
|
| 36 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 37 |
| vulnerability |
VCID-rezz-ka5s-hyg2 |
|
| 38 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 39 |
| vulnerability |
VCID-tfc8-rkdd-53f7 |
|
| 40 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 41 |
| vulnerability |
VCID-uxc7-pe63-2khp |
|
| 42 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 43 |
| vulnerability |
VCID-vrpf-parp-7kgr |
|
| 44 |
| vulnerability |
VCID-wnr9-2wyr-wug4 |
|
| 45 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 46 |
| vulnerability |
VCID-y2ya-ys74-vqbv |
|
| 47 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.2 |
|
|
| aliases |
CVE-2024-56145, GHSA-2p6p-9rc9-62j9
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x12b-mjr9-sba2 |
|
| 50 |
| url |
VCID-x1w2-ytck-17bn |
| vulnerability_id |
VCID-x1w2-ytck-17bn |
| summary |
Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to an RCE. For this to work, you must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against our recommendations for any non-dev environment. Alternatively, you can have a non-administrator account with allowAdminChanges disabled, but you have access to the System Messages utility. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-28784 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.06182 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.06173 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.06203 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.06191 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-28784 |
|
| 1 |
| reference_url |
https://github.com/craftcms/cms/pull/18208 |
| reference_id |
18208 |
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/ |
|
|
| url |
https://github.com/craftcms/cms/pull/18208 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@4.17.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 5 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 6 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 7 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 8 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 9 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 10 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 11 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 12 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 13 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 14 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 15 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 2 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 3 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 4 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 5 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 6 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 7 |
| vulnerability |
VCID-ayrf-rfwj-37bf |
|
| 8 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 9 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 10 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 11 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 12 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 13 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 14 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 15 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 16 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 17 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 18 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 19 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 20 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 21 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 22 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
CVE-2026-28784, GHSA-qc86-q28f-ggww
|
| risk_score |
3.9 |
| exploitability |
0.5 |
| weighted_severity |
7.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x1w2-ytck-17bn |
|
| 51 |
| url |
VCID-y2ya-ys74-vqbv |
| vulnerability_id |
VCID-y2ya-ys74-vqbv |
| summary |
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-25494 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05826 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05835 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05818 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05844 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-25494 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/craftcms/cms/releases/tag/5.8.22 |
| reference_id |
5.8.22 |
| reference_type |
|
| scores |
| 0 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/ |
|
|
| url |
https://github.com/craftcms/cms/releases/tag/5.8.22 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m |
| reference_id |
GHSA-m5r2-8p9x-hp5m |
| reference_type |
|
| scores |
| 0 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/ |
|
|
| url |
https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@4.16.18 |
| purl |
pkg:composer/craftcms/cms@4.16.18 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 8 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 9 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 10 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 11 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 12 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 13 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 14 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 15 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 16 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 17 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 18 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 19 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 20 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 21 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 22 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 23 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 24 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 25 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 26 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 27 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 28 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 29 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.8.22 |
| purl |
pkg:composer/craftcms/cms@5.8.22 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yx-3kck-s7dp |
|
| 1 |
| vulnerability |
VCID-16h7-f3pe-8qh8 |
|
| 2 |
| vulnerability |
VCID-1c7e-bv58-33ax |
|
| 3 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 4 |
| vulnerability |
VCID-543c-646v-4yfj |
|
| 5 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 6 |
| vulnerability |
VCID-5r6n-351z-2ybh |
|
| 7 |
| vulnerability |
VCID-6bwp-2ksu-xucy |
|
| 8 |
| vulnerability |
VCID-76k8-sveq-3qbf |
|
| 9 |
| vulnerability |
VCID-7mph-yq7h-5yb8 |
|
| 10 |
| vulnerability |
VCID-8rkv-wfha-n7hb |
|
| 11 |
| vulnerability |
VCID-9yzy-78sh-xydu |
|
| 12 |
| vulnerability |
VCID-bn85-sts4-5ygq |
|
| 13 |
| vulnerability |
VCID-br1f-q8nk-v7b3 |
|
| 14 |
| vulnerability |
VCID-bsh8-7q16-t7e4 |
|
| 15 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 16 |
| vulnerability |
VCID-e9qn-ar3q-g3e4 |
|
| 17 |
| vulnerability |
VCID-g637-7ns6-kyhj |
|
| 18 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 19 |
| vulnerability |
VCID-grmm-88sf-wyd4 |
|
| 20 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 21 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 22 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 23 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 24 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 25 |
| vulnerability |
VCID-nhab-uyen-ayhq |
|
| 26 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 27 |
| vulnerability |
VCID-qmcc-3ued-m7gk |
|
| 28 |
| vulnerability |
VCID-r47n-36pn-cbe4 |
|
| 29 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 30 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 31 |
| vulnerability |
VCID-tte6-fheg-g7hg |
|
| 32 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 33 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
| 34 |
| vulnerability |
VCID-x1w2-ytck-17bn |
|
| 35 |
| vulnerability |
VCID-yc89-41eq-b3eh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22 |
|
|
| aliases |
CVE-2026-25494, GHSA-m5r2-8p9x-hp5m
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y2ya-ys74-vqbv |
|
| 52 |
| url |
VCID-yc89-41eq-b3eh |
| vulnerability_id |
VCID-yc89-41eq-b3eh |
| summary |
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename. This could allow an authenticated user with replaceFiles permission on one volume to delete files in other folders/volumes that share the same filesystem root. This only affects local filesystems. This issue has been patched in versions 4.17.5 and 5.9.11. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-32262 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.12414 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.12394 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.12316 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.12406 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-32262 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:composer/craftcms/cms@5.9.11 |
| purl |
pkg:composer/craftcms/cms@5.9.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-25ym-rhky-wbaq |
|
| 1 |
| vulnerability |
VCID-5qkr-aqmx-8qau |
|
| 2 |
| vulnerability |
VCID-e3k3-fp6t-kycw |
|
| 3 |
| vulnerability |
VCID-gp2d-vv3n-euda |
|
| 4 |
| vulnerability |
VCID-h9fr-63qv-bffn |
|
| 5 |
| vulnerability |
VCID-j1d4-j44f-yqh9 |
|
| 6 |
| vulnerability |
VCID-j6wk-k1jb-jfd5 |
|
| 7 |
| vulnerability |
VCID-j8qq-yre6-4bfx |
|
| 8 |
| vulnerability |
VCID-nep2-e16y-9yg4 |
|
| 9 |
| vulnerability |
VCID-py3b-5ps7-7fe3 |
|
| 10 |
| vulnerability |
VCID-smdx-nfbs-2qbx |
|
| 11 |
| vulnerability |
VCID-sswc-d2f8-zyc9 |
|
| 12 |
| vulnerability |
VCID-up4q-hz23-vkcn |
|
| 13 |
| vulnerability |
VCID-vj1t-r17b-rufc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11 |
|
|
| aliases |
CVE-2026-32262, GHSA-472v-j2g4-g9h2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yc89-41eq-b3eh |
|