Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/627185?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/627185?format=api", "purl": "pkg:composer/craftcms/cms@4.4.0-beta.5", "type": "composer", "namespace": "craftcms", "name": "cms", "version": "4.4.0-beta.5", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.17.12", "latest_non_vulnerable_version": "5.9.18", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74057?format=api", "vulnerability_id": "VCID-12yx-3kck-s7dp", "summary": "Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. This vulnerability is fixed in 5.9.0-beta.2 and 4.17.0-beta.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29069", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.18029", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.18045", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17869", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29069" }, { "reference_url": "https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8", "reference_id": "c3d02d4a7246f516933f42106c0a67ce062f68d8", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:30:03Z/" } ], "url": "https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29069", "reference_id": "CVE-2026-29069", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29069" }, { "reference_url": "https://github.com/advisories/GHSA-234q-vvw3-mrfq", "reference_id": "GHSA-234q-vvw3-mrfq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-234q-vvw3-mrfq" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq", "reference_id": "GHSA-234q-vvw3-mrfq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:30:03Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40199?format=api", "purl": "pkg:composer/craftcms/cms@4.17.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/40200?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.2" } ], "aliases": [ "CVE-2026-29069", "GHSA-234q-vvw3-mrfq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-12yx-3kck-s7dp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69186?format=api", "vulnerability_id": "VCID-16h7-f3pe-8qh8", "summary": "Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28697", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00208", "scoring_system": "epss", "scoring_elements": "0.43472", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00208", "scoring_system": "epss", "scoring_elements": "0.43296", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00208", "scoring_system": "epss", "scoring_elements": "0.43452", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28697" }, { "reference_url": "https://github.com/craftcms/cms/pull/18216", "reference_id": "18216", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/" } ], "url": "https://github.com/craftcms/cms/pull/18216" }, { "reference_url": "https://github.com/craftcms/cms/pull/18219", "reference_id": "18219", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/" } ], "url": "https://github.com/craftcms/cms/pull/18219" }, { "reference_url": "https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197", "reference_id": "9dc2a4a3ec8e9cd5e8c0d1129f36371437519197", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/" } ], "url": "https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28697", "reference_id": "CVE-2026-28697", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28697" }, { "reference_url": "https://github.com/advisories/GHSA-v47q-jxvr-p68x", "reference_id": "GHSA-v47q-jxvr-p68x", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v47q-jxvr-p68x" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x", "reference_id": "GHSA-v47q-jxvr-p68x", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38982?format=api", "purl": "pkg:composer/craftcms/cms@4.17.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28697", "GHSA-v47q-jxvr-p68x" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-16h7-f3pe-8qh8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77659?format=api", "vulnerability_id": "VCID-25ym-rhky-wbaq", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33161", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13156", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13161", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13059", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33161" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33161", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33161" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "4.17.8", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27", "reference_id": "d30df3112220db1ffd6726a3ed11857014c7fb27", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27" }, { "reference_url": "https://github.com/advisories/GHSA-vgjg-248p-rfm2", "reference_id": "GHSA-vgjg-248p-rfm2", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vgjg-248p-rfm2" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2", "reference_id": "GHSA-vgjg-248p-rfm2", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374878?format=api", "purl": "pkg:composer/craftcms/cms@4.17.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33161", "GHSA-vgjg-248p-rfm2" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-25ym-rhky-wbaq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/79824?format=api", "vulnerability_id": "VCID-543c-646v-4yfj", "summary": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27129", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01549", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01546", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01543", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27129" }, { "reference_url": "https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3", "reference_id": "2825388b4f32fb1c9bd709027a1a1fd192d709a3", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/" } ], "url": "https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27129", "reference_id": "CVE-2026-27129", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27129" }, { "reference_url": "https://github.com/advisories/GHSA-v2gc-rm6g-wrw9", "reference_id": "GHSA-v2gc-rm6g-wrw9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v2gc-rm6g-wrw9" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9", "reference_id": "GHSA-v2gc-rm6g-wrw9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc", "reference_id": "GHSA-x27p-wfqw-hfcc", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39528?format=api", "purl": "pkg:composer/craftcms/cms@4.16.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/39526?format=api", "purl": "pkg:composer/craftcms/cms@5.8.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23" } ], "aliases": [ "CVE-2026-27129", "GHSA-v2gc-rm6g-wrw9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-543c-646v-4yfj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360185?format=api", "vulnerability_id": "VCID-5qkr-aqmx-8qau", "summary": "Craft CMS: Authorized asset \"preview file\" requests bypass allows users without asset access to retrieve private preview metadata\n### Summary\n\nAn authenticated low-privileged user can call `assets/preview-file` for an asset they are not authorized to view and still receive preview response data (`previewHtml`) for that private asset.\n\nThe returned preview HTML included a private preview image route containing the target private `assetId`, even though `canView` was `false` for the attacker account.\n\n### Details\n\n1. `assets/preview-file` accepts a maliciously controlled `assetId` and renders preview output.\n2. The action does not enforce per-asset view authorization prior to returning preview content.\n 3. As a result, an authenticated user without asset-view permission can still obtain private preview output.\n\nThis affects Craft installations with authenticated users of mixed privilege levels with private assets.\n\n### Resources\n\n- d30df3112220db1ffd6726a3ed11857014c7fb27\n- b1cddf72c98a", "references": [ { "reference_url": "https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq" }, { "reference_url": "https://github.com/advisories/GHSA-44px-qjjc-xrhq", "reference_id": "GHSA-44px-qjjc-xrhq", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-44px-qjjc-xrhq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374878?format=api", "purl": "pkg:composer/craftcms/cms@4.17.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "GHSA-44px-qjjc-xrhq" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5qkr-aqmx-8qau" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/76900?format=api", "vulnerability_id": "VCID-5r6n-351z-2ybh", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32264", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15346", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15489", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15481", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32264" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32264", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32264" }, { "reference_url": "https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70", "reference_id": "78d181e12e0b15e1300f54ec85f19859d3300f70", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70" }, { "reference_url": "https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620", "reference_id": "dfec46362fcb40b330ce8a4d8136446e65085620", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620" }, { "reference_url": "https://github.com/advisories/GHSA-4484-8v2f-5748", "reference_id": "GHSA-4484-8v2f-5748", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4484-8v2f-5748" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748", "reference_id": "GHSA-4484-8v2f-5748", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7", "reference_id": "GHSA-7jx7-3846-m7w7", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374750?format=api", "purl": "pkg:composer/craftcms/cms@4.17.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/374751?format=api", "purl": "pkg:composer/craftcms/cms@5.9.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11" } ], "aliases": [ "CVE-2026-32264", "GHSA-4484-8v2f-5748" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5r6n-351z-2ybh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66241?format=api", "vulnerability_id": "VCID-726q-jfsa-9qdz", "summary": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25495", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04561", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04577", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04576", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25495" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.18" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "5.8.22", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2", "reference_id": "96c60d775c644ff0a0276da52fe29e11d4cd38d2", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/" } ], "url": "https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25495", "reference_id": "CVE-2026-25495", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25495" }, { "reference_url": "https://github.com/advisories/GHSA-2453-mppf-46cj", "reference_id": "GHSA-2453-mppf-46cj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2453-mppf-46cj" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj", "reference_id": "GHSA-2453-mppf-46cj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38971?format=api", "purl": "pkg:composer/craftcms/cms@4.16.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/38960?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25495", "GHSA-2453-mppf-46cj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-726q-jfsa-9qdz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69319?format=api", "vulnerability_id": "VCID-76k8-sveq-3qbf", "summary": "Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with \"Create Entries\" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively \"spoofs\" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28781", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16275", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16266", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16124", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28781" }, { "reference_url": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8", "reference_id": "830b403870cd784b47ae42a3f5a16e7ac2d7f5a8", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/" } ], "url": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8" }, { "reference_url": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542", "reference_id": "c6dcbdffaf6ab3ffe77d317336684d83699f4542", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/" } ], "url": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28781", "reference_id": "CVE-2026-28781", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28781" }, { "reference_url": "https://github.com/advisories/GHSA-2xfc-g69j-x2mp", "reference_id": "GHSA-2xfc-g69j-x2mp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2xfc-g69j-x2mp" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp", "reference_id": "GHSA-2xfc-g69j-x2mp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38982?format=api", "purl": "pkg:composer/craftcms/cms@4.17.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28781", "GHSA-2xfc-g69j-x2mp" ], "risk_score": 3.2, "exploitability": "0.5", "weighted_severity": "6.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-76k8-sveq-3qbf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93304?format=api", "vulnerability_id": "VCID-8kdh-rvh3-4yfv", "summary": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68456", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00214", "scoring_system": "epss", "scoring_elements": "0.44006", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00214", "scoring_system": "epss", "scoring_elements": "0.44177", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00214", "scoring_system": "epss", "scoring_elements": "0.44159", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68456" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "reference_id": "CHANGELOG.md#5821---2025-12-04", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/" } ], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68456", "reference_id": "CVE-2025-68456", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68456" }, { "reference_url": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39", "reference_id": "f83d4e0c6b906743206b4747db4abf8164b8da39", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/" } ], "url": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39" }, { "reference_url": "https://github.com/advisories/GHSA-v64r-7wg9-23pr", "reference_id": "GHSA-v64r-7wg9-23pr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v64r-7wg9-23pr" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr", "reference_id": "GHSA-v64r-7wg9-23pr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36519?format=api", "purl": "pkg:composer/craftcms/cms@4.16.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/36516?format=api", "purl": "pkg:composer/craftcms/cms@5.8.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21" } ], "aliases": [ "CVE-2025-68456", "GHSA-v64r-7wg9-23pr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8kdh-rvh3-4yfv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93248?format=api", "vulnerability_id": "VCID-8m8v-ymqs-fkh9", "summary": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68437", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03989", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03994", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.04005", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68437" }, { "reference_url": "https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52", "reference_id": "013db636fdb38f3ce5657fd196b6d952f98ebc52", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/" } ], "url": "https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "reference_id": "CHANGELOG.md#5821---2025-12-04", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/" } ], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68437", "reference_id": "CVE-2025-68437", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68437" }, { "reference_url": "https://github.com/advisories/GHSA-x27p-wfqw-hfcc", "reference_id": "GHSA-x27p-wfqw-hfcc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x27p-wfqw-hfcc" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc", "reference_id": "GHSA-x27p-wfqw-hfcc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36519?format=api", "purl": "pkg:composer/craftcms/cms@4.16.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/36516?format=api", "purl": "pkg:composer/craftcms/cms@5.8.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21" } ], "aliases": [ "CVE-2025-68437", "GHSA-x27p-wfqw-hfcc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8m8v-ymqs-fkh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71374?format=api", "vulnerability_id": "VCID-8rkv-wfha-n7hb", "summary": "Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). Users should update to the patched 5.9.9 or 4.17.4 release to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31857", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33724", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33702", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33522", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31857" }, { "reference_url": "https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80", "reference_id": "8d4903647dcfd31b8d40ed027e27082013347a80", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:02:18Z/" } ], "url": "https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31857", "reference_id": "CVE-2026-31857", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31857" }, { "reference_url": "https://github.com/advisories/GHSA-fp5j-j7j4-mcxc", "reference_id": "GHSA-fp5j-j7j4-mcxc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fp5j-j7j4-mcxc" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc", "reference_id": "GHSA-fp5j-j7j4-mcxc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:02:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40449?format=api", "purl": "pkg:composer/craftcms/cms@4.17.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/40681?format=api", "purl": "pkg:composer/craftcms/cms@5.9.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.9" } ], "aliases": [ "CVE-2026-31857", "GHSA-fp5j-j7j4-mcxc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8rkv-wfha-n7hb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/144143?format=api", "vulnerability_id": "VCID-9fqv-dg3y-wbbf", "summary": "Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-33194", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19585", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19761", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.22245", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-33194" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33194", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33194" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.4.6", "reference_id": "4.4.6", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:25:03Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.4.6" }, { "reference_url": "https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888", "reference_id": "9d0cd0bda7c8a830a3373f8c0f06943e519ac888", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:25:03Z/" } ], "url": "https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888" }, { "reference_url": "https://github.com/advisories/GHSA-3wxg-w96j-8hq9", "reference_id": "GHSA-3wxg-w96j-8hq9", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3wxg-w96j-8hq9" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9", "reference_id": "GHSA-3wxg-w96j-8hq9", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:25:03Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381988?format=api", "purl": "pkg:composer/craftcms/cms@4.4.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9krv-seyq-juez" }, { "vulnerability": "VCID-9yny-vu36-tyes" }, { "vulnerability": "VCID-a9bc-cgqq-jkfh" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-eypa-1c6q-tfau" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gjvb-ht1w-s3hm" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-hh13-6e1x-p7ez" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-mhqg-hey8-6bee" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-pfwt-hxpb-4ub8" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wcsx-j8xk-r7c7" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6" } ], "aliases": [ "CVE-2023-33194", "GHSA-3wxg-w96j-8hq9" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9fqv-dg3y-wbbf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/143726?format=api", "vulnerability_id": "VCID-9krv-seyq-juez", "summary": "Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-33196", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00095", "scoring_system": "epss", "scoring_elements": "0.26611", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00095", "scoring_system": "epss", "scoring_elements": "0.2641", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00111", "scoring_system": "epss", "scoring_elements": "0.29299", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-33196" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33196", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33196" }, { "reference_url": "https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7", "reference_id": "053d7119697e480ff81c5723bb9a33eaa49e0fc7", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:29:35Z/" } ], "url": "https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.4.7", "reference_id": "4.4.7", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:29:35Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.4.7" }, { "reference_url": "https://github.com/advisories/GHSA-cjmm-x9x9-m2w5", "reference_id": "GHSA-cjmm-x9x9-m2w5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cjmm-x9x9-m2w5" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5", "reference_id": "GHSA-cjmm-x9x9-m2w5", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:29:35Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/629835?format=api", "purl": "pkg:composer/craftcms/cms@4.4.6.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yny-vu36-tyes" }, { "vulnerability": "VCID-a9bc-cgqq-jkfh" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-eypa-1c6q-tfau" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gjvb-ht1w-s3hm" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-hh13-6e1x-p7ez" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-mhqg-hey8-6bee" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-pfwt-hxpb-4ub8" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wcsx-j8xk-r7c7" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/382058?format=api", "purl": "pkg:composer/craftcms/cms@4.4.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yny-vu36-tyes" }, { "vulnerability": "VCID-a9bc-cgqq-jkfh" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-eypa-1c6q-tfau" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gjvb-ht1w-s3hm" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-hh13-6e1x-p7ez" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-mhqg-hey8-6bee" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-pfwt-hxpb-4ub8" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wcsx-j8xk-r7c7" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.7" } ], "aliases": [ "CVE-2023-33196", "GHSA-cjmm-x9x9-m2w5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9krv-seyq-juez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/144141?format=api", "vulnerability_id": "VCID-9yny-vu36-tyes", "summary": "Craft CMS through 4.4.9 is vulnerable to HTML Injection.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-33495", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00168", "scoring_system": "epss", "scoring_elements": "0.37962", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00168", "scoring_system": "epss", "scoring_elements": "0.37987", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00168", "scoring_system": "epss", "scoring_elements": "0.37785", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-33495" }, { "reference_url": "https://medium.com/@mondalsomnath9135/html-injection-in-craft-cms-application-e2b28f746212", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://medium.com/@mondalsomnath9135/html-injection-in-craft-cms-application-e2b28f746212" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33495", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33495" }, { "reference_url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection", "reference_id": "03-Testing_for_HTML_Injection", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T21:12:01Z/" } ], "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection" }, { "reference_url": "https://github.com/advisories/GHSA-m3v5-gjj9-rg24", "reference_id": "GHSA-m3v5-gjj9-rg24", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m3v5-gjj9-rg24" }, { "reference_url": "https://medium.com/%40mondalsomnath9135/html-injection-in-craft-cms-application-e2b28f746212", "reference_id": "html-injection-in-craft-cms-application-e2b28f746212", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T21:12:01Z/" } ], "url": "https://medium.com/%40mondalsomnath9135/html-injection-in-craft-cms-application-e2b28f746212" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/393709?format=api", "purl": "pkg:composer/craftcms/cms@4.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-a9bc-cgqq-jkfh" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-eypa-1c6q-tfau" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gjvb-ht1w-s3hm" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-hh13-6e1x-p7ez" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-mhqg-hey8-6bee" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-pfwt-hxpb-4ub8" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wcsx-j8xk-r7c7" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.10" } ], "aliases": [ "CVE-2023-33495", "GHSA-m3v5-gjj9-rg24" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9yny-vu36-tyes" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/150450?format=api", "vulnerability_id": "VCID-a9bc-cgqq-jkfh", "summary": "Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution). This issue has been patched in version 4.4.15 and version 3.8.15.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-40035", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00308", "scoring_system": "epss", "scoring_elements": "0.5439", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00308", "scoring_system": "epss", "scoring_elements": "0.54531", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00308", "scoring_system": "epss", "scoring_elements": "0.54516", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-40035" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40035", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40035" }, { "reference_url": "https://github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5", "reference_id": "0bd33861abdc60c93209cff03eeee54504d3d3b5", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-02T20:33:49Z/" } ], "url": "https://github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/3.8.15", "reference_id": "3.8.15", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-02T20:33:49Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/3.8.15" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.4.15", "reference_id": "4.4.15", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-02T20:33:49Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.4.15" }, { "reference_url": "https://github.com/advisories/GHSA-44wr-rmwq-3phw", "reference_id": "GHSA-44wr-rmwq-3phw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-44wr-rmwq-3phw" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw", "reference_id": "GHSA-44wr-rmwq-3phw", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-02T20:33:49Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/379644?format=api", "purl": "pkg:composer/craftcms/cms@4.4.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-eypa-1c6q-tfau" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-mhqg-hey8-6bee" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-pfwt-hxpb-4ub8" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wcsx-j8xk-r7c7" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.15" } ], "aliases": [ "CVE-2023-40035", "GHSA-44wr-rmwq-3phw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a9bc-cgqq-jkfh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/143897?format=api", "vulnerability_id": "VCID-ad7v-5hxr-s3a4", "summary": "Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-33197", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00848", "scoring_system": "epss", "scoring_elements": "0.75368", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00848", "scoring_system": "epss", "scoring_elements": "0.75383", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00848", "scoring_system": "epss", "scoring_elements": "0.75298", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-33197" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33197", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33197" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.4.6", "reference_id": "4.4.6", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:32:08Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.4.6" }, { "reference_url": "https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766", "reference_id": "8c2ad0bd313015b8ee42326af2848ee748f1d766", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:32:08Z/" } ], "url": "https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766" }, { "reference_url": "https://github.com/advisories/GHSA-6qjx-787v-6pxr", "reference_id": "GHSA-6qjx-787v-6pxr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6qjx-787v-6pxr" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxr", "reference_id": "GHSA-6qjx-787v-6pxr", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:32:08Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381988?format=api", "purl": "pkg:composer/craftcms/cms@4.4.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9krv-seyq-juez" }, { "vulnerability": "VCID-9yny-vu36-tyes" }, { "vulnerability": "VCID-a9bc-cgqq-jkfh" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-eypa-1c6q-tfau" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gjvb-ht1w-s3hm" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-hh13-6e1x-p7ez" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-mhqg-hey8-6bee" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-pfwt-hxpb-4ub8" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wcsx-j8xk-r7c7" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6" } ], "aliases": [ "CVE-2023-33197", "GHSA-6qjx-787v-6pxr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ad7v-5hxr-s3a4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65868?format=api", "vulnerability_id": "VCID-b25s-j3du-sfg5", "summary": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25496", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08265", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08303", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08305", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25496" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.18" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "5.8.22", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513", "reference_id": "cb5fb0e979e72f315c9178fc031883d49527f513", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/" } ], "url": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25496", "reference_id": "CVE-2026-25496", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25496" }, { "reference_url": "https://github.com/advisories/GHSA-9f5h-mmq6-2x78", "reference_id": "GHSA-9f5h-mmq6-2x78", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9f5h-mmq6-2x78" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78", "reference_id": "GHSA-9f5h-mmq6-2x78", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38971?format=api", "purl": "pkg:composer/craftcms/cms@4.16.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/38960?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25496", "GHSA-9f5h-mmq6-2x78" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b25s-j3du-sfg5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74141?format=api", "vulnerability_id": "VCID-bn85-sts4-5ygq", "summary": "Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29113", "reference_id": "", "reference_type": "", "scores": [ { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.0069", "published_at": "2026-06-13T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00691", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29113" }, { "reference_url": "https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc", "reference_id": "6a88468dc35a27cccc8fef254f415a447d4a07cc", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:05:03Z/" } ], "url": "https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29113", "reference_id": "CVE-2026-29113", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29113" }, { "reference_url": "https://github.com/advisories/GHSA-vg3j-hpm9-8v5v", "reference_id": "GHSA-vg3j-hpm9-8v5v", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vg3j-hpm9-8v5v" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v", "reference_id": "GHSA-vg3j-hpm9-8v5v", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:05:03Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40449?format=api", "purl": "pkg:composer/craftcms/cms@4.17.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/40451?format=api", "purl": "pkg:composer/craftcms/cms@5.9.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.7" } ], "aliases": [ "CVE-2026-29113", "GHSA-vg3j-hpm9-8v5v" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bn85-sts4-5ygq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69393?format=api", "vulnerability_id": "VCID-br1f-q8nk-v7b3", "summary": "Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28695", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08234", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08267", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08271", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28695" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28695", "reference_id": "CVE-2026-28695", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28695" }, { "reference_url": "https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0", "reference_id": "e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:03:23Z/" } ], "url": "https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0" }, { "reference_url": "https://github.com/advisories/GHSA-94rc-cqvm-m4pw", "reference_id": "GHSA-94rc-cqvm-m4pw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-94rc-cqvm-m4pw" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-94rc-cqvm-m4pw", "reference_id": "GHSA-94rc-cqvm-m4pw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:03:23Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-94rc-cqvm-m4pw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38982?format=api", "purl": "pkg:composer/craftcms/cms@4.17.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28695", "GHSA-94rc-cqvm-m4pw" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-br1f-q8nk-v7b3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/358928?format=api", "vulnerability_id": "VCID-c38g-6ttm-yuep", "summary": "", "references": [ { "reference_url": "http://github.com/craftcms/cms/pull/17026", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://github.com/craftcms/cms/pull/17026" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46731", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00231", "scoring_system": "epss", "scoring_elements": "0.46162", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00909", "scoring_system": "epss", "scoring_elements": "0.76267", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00909", "scoring_system": "epss", "scoring_elements": "0.76337", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46731" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46731", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46731" }, { "reference_url": "https://github.com/advisories/GHSA-7c58-g782-9j38", "reference_id": "GHSA-7c58-g782-9j38", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7c58-g782-9j38" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv", "reference_id": "GHSA-f3cw-hg6r-chfv", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378958?format=api", "purl": "pkg:composer/craftcms/cms@4.14.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-f67g-n9d6-pkb5" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.14.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/378959?format=api", "purl": "pkg:composer/craftcms/cms@5.6.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-f67g-n9d6-pkb5" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.15" } ], "aliases": [ "CVE-2025-46731", "GHSA-7c58-g782-9j38" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c38g-6ttm-yuep" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/129860?format=api", "vulnerability_id": "VCID-cneu-aazx-byfq", "summary": "CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrators can add this Twig code, and (by design) Administrators are allowed to do that by default.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30179", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05499", "scoring_system": "epss", "scoring_elements": "0.90431", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.05499", "scoring_system": "epss", "scoring_elements": "0.9047", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.05499", "scoring_system": "epss", "scoring_elements": "0.90462", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30179" }, { "reference_url": "https://github.com/github/advisory-database/pull/2443", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/github/advisory-database/pull/2443" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30179", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30179" }, { "reference_url": "https://github.com/github/advisory-database/pull/2443#issuecomment-1610040714", "reference_id": "2443#issuecomment-1610040714", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-03T20:04:19Z/" } ], "url": "https://github.com/github/advisory-database/pull/2443#issuecomment-1610040714" }, { "reference_url": "https://github.com/github/advisory-database/pull/2443#issuecomment-1610634200", "reference_id": "2443#issuecomment-1610634200", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-03T20:04:19Z/" } ], "url": "https://github.com/github/advisory-database/pull/2443#issuecomment-1610634200" }, { "reference_url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#442---2023-03-14", "reference_id": "CHANGELOG.md#442---2023-03-14", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-03T20:04:19Z/" } ], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#442---2023-03-14" }, { "reference_url": "https://datnlq.gitbook.io/cve/craft-cms/cve-2023-30179-server-side-template-injection", "reference_id": "cve-2023-30179-server-side-template-injection", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-03T20:04:19Z/" } ], "url": "https://datnlq.gitbook.io/cve/craft-cms/cve-2023-30179-server-side-template-injection" }, { "reference_url": "https://github.com/advisories/GHSA-3x74-v64j-qc3f", "reference_id": "GHSA-3x74-v64j-qc3f", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3x74-v64j-qc3f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381899?format=api", "purl": "pkg:composer/craftcms/cms@4.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9fqv-dg3y-wbbf" }, { "vulnerability": "VCID-9krv-seyq-juez" }, { "vulnerability": "VCID-9yny-vu36-tyes" }, { "vulnerability": "VCID-a9bc-cgqq-jkfh" }, { "vulnerability": "VCID-ad7v-5hxr-s3a4" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-eypa-1c6q-tfau" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gjvb-ht1w-s3hm" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h3za-7cd7-vkav" }, { "vulnerability": "VCID-hh13-6e1x-p7ez" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-mhqg-hey8-6bee" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-pfwt-hxpb-4ub8" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tf8p-xrne-8qfg" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-vvej-1fex-kqdn" }, { "vulnerability": "VCID-wcsx-j8xk-r7c7" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.2" } ], "aliases": [ "CVE-2023-30179", "GHSA-3x74-v64j-qc3f" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cneu-aazx-byfq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/114672?format=api", "vulnerability_id": "VCID-czuy-m8wp-fka2", "summary": "Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32432", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.93094", "scoring_system": "epss", "scoring_elements": "0.99799", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32432" }, { "reference_url": "https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32432", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32432" }, { "reference_url": "https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432" }, { "reference_url": "https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical", "reference_id": "CHANGELOG.md#3915---2025-04-10-critical", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical" }, { "reference_url": "https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical", "reference_id": "CHANGELOG.md#41415---2025-04-10-critical", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical", "reference_id": "CHANGELOG.md#5617---2025-04-10-critical", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py", "reference_id": "CVE-2025-32432", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py" }, { "reference_url": "https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47", "reference_id": "e1c85441fa47eeb7c688c2053f25419bc0547b47", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47" }, { "reference_url": "https://github.com/advisories/GHSA-f3gw-9ww9-jmc3", "reference_id": "GHSA-f3gw-9ww9-jmc3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f3gw-9ww9-jmc3" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3", "reference_id": "GHSA-f3gw-9ww9-jmc3", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376456?format=api", "purl": "pkg:composer/craftcms/cms@4.14.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-f67g-n9d6-pkb5" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.14.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/376457?format=api", "purl": "pkg:composer/craftcms/cms@5.6.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-f67g-n9d6-pkb5" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.17" } ], "aliases": [ "CVE-2025-32432", "GHSA-f3gw-9ww9-jmc3" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-czuy-m8wp-fka2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77152?format=api", "vulnerability_id": "VCID-e3k3-fp6t-kycw", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32267", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14803", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14804", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14683", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32267" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32267", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32267" }, { "reference_url": "https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33", "reference_id": "6301e217c5f15617d939c432cb770db50af14b33", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/" } ], "url": "https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33" }, { "reference_url": "https://github.com/advisories/GHSA-cc7p-2j3x-x7xf", "reference_id": "GHSA-cc7p-2j3x-x7xf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cc7p-2j3x-x7xf" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf", "reference_id": "GHSA-cc7p-2j3x-x7xf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374515?format=api", "purl": "pkg:composer/craftcms/cms@4.17.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/374516?format=api", "purl": "pkg:composer/craftcms/cms@5.9.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.12" } ], "aliases": [ "CVE-2026-32267", "GHSA-cc7p-2j3x-x7xf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e3k3-fp6t-kycw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212713?format=api", "vulnerability_id": "VCID-e9qn-ar3q-g3e4", "summary": "Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options", "references": [ { "reference_url": "https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2" }, { "reference_url": "https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276" }, { "reference_url": "https://github.com/advisories/GHSA-4mgv-366x-qxvx", "reference_id": "GHSA-4mgv-366x-qxvx", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4mgv-366x-qxvx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx", "reference_id": "GHSA-4mgv-366x-qxvx", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38982?format=api", "purl": "pkg:composer/craftcms/cms@4.17.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "GHSA-4mgv-366x-qxvx" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e9qn-ar3q-g3e4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43464?format=api", "vulnerability_id": "VCID-eypa-1c6q-tfau", "summary": "Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52293", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.21994", "scoring_system": "epss", "scoring_elements": "0.95902", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.21994", "scoring_system": "epss", "scoring_elements": "0.95917", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.21994", "scoring_system": "epss", "scoring_elements": "0.95915", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52293" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52293", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52293" }, { "reference_url": "https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58", "reference_id": "123e48a696de1e2f63ab519d4730eb3b87beaa58", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:54:41Z/" } ], "url": "https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58" }, { "reference_url": "https://github.com/advisories/GHSA-f3cw-hg6r-chfv", "reference_id": "GHSA-f3cw-hg6r-chfv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f3cw-hg6r-chfv" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv", "reference_id": "GHSA-f3cw-hg6r-chfv", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:54:41Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372815?format=api", "purl": "pkg:composer/craftcms/cms@4.12.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-pfwt-hxpb-4ub8" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.12.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/372816?format=api", "purl": "pkg:composer/craftcms/cms@5.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-pfwt-hxpb-4ub8" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.3" } ], "aliases": [ "CVE-2024-52293", "GHSA-f3cw-hg6r-chfv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eypa-1c6q-tfau" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/105090?format=api", "vulnerability_id": "VCID-fs3m-av1v-fuf1", "summary": "Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-35939", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.39398", "scoring_system": "epss", "scoring_elements": "0.974", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.39398", "scoring_system": "epss", "scoring_elements": "0.9739", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.39398", "scoring_system": "epss", "scoring_elements": "0.97398", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-35939" }, { "reference_url": "https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35939", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35939" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939" }, { "reference_url": "https://github.com/craftcms/cms/pull/17220", "reference_id": "17220", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" } ], "url": "https://github.com/craftcms/cms/pull/17220" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.15.3", "reference_id": "4.15.3", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.15.3" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.7.5", "reference_id": "5.7.5", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.7.5" }, { "reference_url": "https://www.cve.org/CVERecord?id=CVE-2025-35939", "reference_id": "CVERecord?id=CVE-2025-35939", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" } ], "url": "https://www.cve.org/CVERecord?id=CVE-2025-35939" }, { "reference_url": "https://github.com/advisories/GHSA-7vrx-9684-xrf2", "reference_id": "GHSA-7vrx-9684-xrf2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7vrx-9684-xrf2" }, { "reference_url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json", "reference_id": "va-25-147-01.json", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" } ], "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40673?format=api", "purl": "pkg:composer/craftcms/cms@4.15.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-f67g-n9d6-pkb5" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.15.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/40676?format=api", "purl": "pkg:composer/craftcms/cms@5.7.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-f67g-n9d6-pkb5" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.7.5" } ], "aliases": [ "CVE-2025-35939", "GHSA-7vrx-9684-xrf2" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fs3m-av1v-fuf1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69357?format=api", "vulnerability_id": "VCID-g637-7ns6-kyhj", "summary": "Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28783", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11214", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11156", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11222", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28783" }, { "reference_url": "https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096" }, { "reference_url": "https://github.com/craftcms/cms/pull/18208", "reference_id": "18208", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:33:33Z/" } ], "url": "https://github.com/craftcms/cms/pull/18208" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28783", "reference_id": "CVE-2026-28783", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28783" }, { "reference_url": "https://github.com/advisories/GHSA-5fvc-7894-ghp4", "reference_id": "GHSA-5fvc-7894-ghp4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5fvc-7894-ghp4" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4", "reference_id": "GHSA-5fvc-7894-ghp4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:33:33Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38982?format=api", "purl": "pkg:composer/craftcms/cms@4.17.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28783", "GHSA-5fvc-7894-ghp4" ], "risk_score": 4.2, "exploitability": "0.5", "weighted_severity": "8.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g637-7ns6-kyhj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/356642?format=api", "vulnerability_id": "VCID-gjvb-ht1w-s3hm", "summary": "", "references": [ { "reference_url": "http://packetstormsecurity.com/files/176303/Craft-CMS-4.4.14-Remote-Code-Execution.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://packetstormsecurity.com/files/176303/Craft-CMS-4.4.14-Remote-Code-Execution.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-41892", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.93824", "scoring_system": "epss", "scoring_elements": "0.99872", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-41892" }, { "reference_url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical" }, { "reference_url": "https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857" }, { "reference_url": "https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e" }, { "reference_url": "https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1" }, { "reference_url": "https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41892", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41892" }, { "reference_url": "https://github.com/advisories/GHSA-4w8r-3xrw-v25g", "reference_id": "GHSA-4w8r-3xrw-v25g", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4w8r-3xrw-v25g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/379644?format=api", "purl": "pkg:composer/craftcms/cms@4.4.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-eypa-1c6q-tfau" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-mhqg-hey8-6bee" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-pfwt-hxpb-4ub8" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wcsx-j8xk-r7c7" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.15" } ], "aliases": [ "CVE-2023-41892", "GHSA-4w8r-3xrw-v25g" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gjvb-ht1w-s3hm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81009?format=api", "vulnerability_id": "VCID-gp2d-vv3n-euda", "summary": "Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: \"Edit assets in the <VolumeName> volume\" and \"Create assets in the <VolumeName> volume.\" Versions 4.17.9 and 5.9.15 patch the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41129", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13144", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13139", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13041", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41129" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41129", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41129" }, { "reference_url": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f", "reference_id": "d20aecfaa0eae076c4154be3b17e1f9fa05ce46f", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/" } ], "url": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f" }, { "reference_url": "https://github.com/advisories/GHSA-3m9m-24vh-39wx", "reference_id": "GHSA-3m9m-24vh-39wx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3m9m-24vh-39wx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx", "reference_id": "GHSA-3m9m-24vh-39wx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373534?format=api", "purl": "pkg:composer/craftcms/cms@4.17.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/373533?format=api", "purl": "pkg:composer/craftcms/cms@5.9.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15" } ], "aliases": [ "CVE-2026-41129", "GHSA-3m9m-24vh-39wx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gp2d-vv3n-euda" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80104?format=api", "vulnerability_id": "VCID-grmm-88sf-wyd4", "summary": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 that allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27127", "reference_id": "", "reference_type": "", "scores": [ { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.0071", "published_at": "2026-06-13T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00709", "published_at": "2026-06-12T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00711", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27127" }, { "reference_url": "https://curl.se/libcurl/c/CURLOPT_RESOLVE.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://curl.se/libcurl/c/CURLOPT_RESOLVE.html" }, { "reference_url": "https://github.com/mogwailabs/DNSrebinder", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mogwailabs/DNSrebinder" }, { "reference_url": "https://github.com/nccgroup/singularity", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nccgroup/singularity" }, { "reference_url": "https://github.com/taviso/rbndr", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/taviso/rbndr" }, { "reference_url": "https://unit42.paloaltonetworks.com/dns-rebinding", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://unit42.paloaltonetworks.com/dns-rebinding" }, { "reference_url": "https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575", "reference_id": "a4cf3fb63bba3249cf1e2882b18a2d29e77a8575", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/" } ], "url": "https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27127", "reference_id": "CVE-2026-27127", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27127" }, { "reference_url": "https://github.com/advisories/GHSA-gp2f-7wcm-5fhx", "reference_id": "GHSA-gp2f-7wcm-5fhx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gp2f-7wcm-5fhx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx", "reference_id": "GHSA-gp2f-7wcm-5fhx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc", "reference_id": "GHSA-x27p-wfqw-hfcc", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39528?format=api", "purl": "pkg:composer/craftcms/cms@4.16.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/39526?format=api", "purl": "pkg:composer/craftcms/cms@5.8.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23" } ], "aliases": [ "CVE-2026-27127", "GHSA-gp2f-7wcm-5fhx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-grmm-88sf-wyd4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/143927?format=api", "vulnerability_id": "VCID-h3za-7cd7-vkav", "summary": "Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-33195", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00848", "scoring_system": "epss", "scoring_elements": "0.75368", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00848", "scoring_system": "epss", "scoring_elements": "0.75383", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00848", "scoring_system": "epss", "scoring_elements": "0.75298", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-33195" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33195", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33195" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.4.6", "reference_id": "4.4.6", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T18:21:14Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.4.6" }, { "reference_url": "https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f", "reference_id": "b77cb3023bed4f4a37c11294c4d319ff9f598e1f", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T18:21:14Z/" } ], "url": "https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f" }, { "reference_url": "https://github.com/advisories/GHSA-qpgm-gjgf-8c2x", "reference_id": "GHSA-qpgm-gjgf-8c2x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qpgm-gjgf-8c2x" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-qpgm-gjgf-8c2x", "reference_id": "GHSA-qpgm-gjgf-8c2x", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T18:21:14Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qpgm-gjgf-8c2x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381988?format=api", "purl": "pkg:composer/craftcms/cms@4.4.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9krv-seyq-juez" }, { "vulnerability": "VCID-9yny-vu36-tyes" }, { "vulnerability": "VCID-a9bc-cgqq-jkfh" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-eypa-1c6q-tfau" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gjvb-ht1w-s3hm" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-hh13-6e1x-p7ez" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-mhqg-hey8-6bee" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-pfwt-hxpb-4ub8" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wcsx-j8xk-r7c7" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6" } ], "aliases": [ "CVE-2023-33195", "GHSA-qpgm-gjgf-8c2x" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h3za-7cd7-vkav" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/151232?format=api", "vulnerability_id": "VCID-hh13-6e1x-p7ez", "summary": "A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2817", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00337", "scoring_system": "epss", "scoring_elements": "0.56903", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00337", "scoring_system": "epss", "scoring_elements": "0.57038", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00337", "scoring_system": "epss", "scoring_elements": "0.57024", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2817" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2817", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2817" }, { "reference_url": "https://www.tenable.com/security/research/tra-2023-20", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.tenable.com/security/research/tra-2023-20" }, { "reference_url": "https://www.tenable.com/security/research/tra-2023-20,", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.tenable.com/security/research/tra-2023-20," }, { "reference_url": "https://github.com/craftcms/cms/commit/7655e1009ba6cdbfb230e6bb138b775b69fc7bcb", "reference_id": "7655e1009ba6cdbfb230e6bb138b775b69fc7bcb", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T15:47:46Z/" } ], "url": "https://github.com/craftcms/cms/commit/7655e1009ba6cdbfb230e6bb138b775b69fc7bcb" }, { "reference_url": "https://github.com/advisories/GHSA-7x94-jx75-3gh6", "reference_id": "GHSA-7x94-jx75-3gh6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7x94-jx75-3gh6" }, { "reference_url": "https://www.tenable.com/security/research/tra-2023-20%2C", "reference_id": "tra-2023-20%2C", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T15:47:46Z/" } ], "url": "https://www.tenable.com/security/research/tra-2023-20%2C" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381957?format=api", "purl": "pkg:composer/craftcms/cms@4.4.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-a9bc-cgqq-jkfh" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-eypa-1c6q-tfau" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gjvb-ht1w-s3hm" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-mhqg-hey8-6bee" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-pfwt-hxpb-4ub8" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wcsx-j8xk-r7c7" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.12" } ], "aliases": [ "CVE-2023-2817", "GHSA-7x94-jx75-3gh6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hh13-6e1x-p7ez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43699?format=api", "vulnerability_id": "VCID-htqk-ckr5-jbcu", "summary": "Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By embedding this function within a system notification template, the attacker can exfiltrate the Base64-encoded file content through a triggered system email notification. Once the email is received, the Base64 payload can be decoded, allowing the attacker to read arbitrary files on the server. This is fixed in 5.4.9 and 4.12.8.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52292", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00428", "scoring_system": "epss", "scoring_elements": "0.62982", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00428", "scoring_system": "epss", "scoring_elements": "0.62869", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00428", "scoring_system": "epss", "scoring_elements": "0.6297", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52292" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52292", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52292" }, { "reference_url": "https://github.com/advisories/GHSA-cw6g-qmjq-6w2w", "reference_id": "GHSA-cw6g-qmjq-6w2w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cw6g-qmjq-6w2w" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-cw6g-qmjq-6w2w", "reference_id": "GHSA-cw6g-qmjq-6w2w", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-13T18:52:42Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cw6g-qmjq-6w2w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372805?format=api", "purl": "pkg:composer/craftcms/cms@4.12.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.12.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/372804?format=api", "purl": "pkg:composer/craftcms/cms@5.4.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.9" } ], "aliases": [ "CVE-2024-52292", "GHSA-cw6g-qmjq-6w2w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-htqk-ckr5-jbcu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67999?format=api", "vulnerability_id": "VCID-j1d4-j44f-yqh9", "summary": "Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44010", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02827", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02819", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.0409", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44010" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44010", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44010" }, { "reference_url": "https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128", "reference_id": "834b2cf61ad0dcee9b03add44ed402ebf18db128", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/" } ], "url": "https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128" }, { "reference_url": "https://github.com/advisories/GHSA-gj2p-p9m4-c8gw", "reference_id": "GHSA-gj2p-p9m4-c8gw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gj2p-p9m4-c8gw" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw", "reference_id": "GHSA-gj2p-p9m4-c8gw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376014?format=api", "purl": "pkg:composer/craftcms/cms@4.17.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/376015?format=api", "purl": "pkg:composer/craftcms/cms@5.9.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18" } ], "aliases": [ "CVE-2026-44010", "GHSA-gj2p-p9m4-c8gw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j1d4-j44f-yqh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77888?format=api", "vulnerability_id": "VCID-j6wk-k1jb-jfd5", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33160", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03998", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.04003", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.04014", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33160" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33160", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33160" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "4.17.8", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/commit/7290d91639e", "reference_id": "7290d91639e", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/commit/7290d91639e" }, { "reference_url": "https://github.com/advisories/GHSA-5pgf-h923-m958", "reference_id": "GHSA-5pgf-h923-m958", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5pgf-h923-m958" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958", "reference_id": "GHSA-5pgf-h923-m958", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374878?format=api", "purl": "pkg:composer/craftcms/cms@4.17.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33160", "GHSA-5pgf-h923-m958" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j6wk-k1jb-jfd5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67887?format=api", "vulnerability_id": "VCID-j8qq-yre6-4bfx", "summary": "Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44011", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06356", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06376", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06955", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44011" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44011", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44011" }, { "reference_url": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3", "reference_id": "ab85ca7f5f926994f723f60584054a1f4c4c5de3", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/" } ], "url": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5", "reference_id": "GHSA-255j-qw47-wjh5", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5" }, { "reference_url": "https://github.com/advisories/GHSA-qrgm-p9w5-rrfw", "reference_id": "GHSA-qrgm-p9w5-rrfw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qrgm-p9w5-rrfw" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw", "reference_id": "GHSA-qrgm-p9w5-rrfw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376014?format=api", "purl": "pkg:composer/craftcms/cms@4.17.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/376015?format=api", "purl": "pkg:composer/craftcms/cms@5.9.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18" } ], "aliases": [ "CVE-2026-44011", "GHSA-qrgm-p9w5-rrfw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j8qq-yre6-4bfx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91564?format=api", "vulnerability_id": "VCID-kb3b-8hqt-nqfj", "summary": "Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-23209", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.1639", "scoring_system": "epss", "scoring_elements": "0.9502", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.1639", "scoring_system": "epss", "scoring_elements": "0.95037", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-23209" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23209", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23209" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209" }, { "reference_url": "https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603", "reference_id": "e59e22b30c9dd39e5e2c7fe02c147bcbd004e603", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/" } ], "url": "https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603" }, { "reference_url": "https://github.com/advisories/GHSA-x684-96hh-833x", "reference_id": "GHSA-x684-96hh-833x", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x684-96hh-833x" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x", "reference_id": "GHSA-x684-96hh-833x", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x" }, { "reference_url": "https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret", "reference_id": "securing-craft#keep-your-secrets-secret", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/" } ], "url": "https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377040?format=api", "purl": "pkg:composer/craftcms/cms@4.13.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-f67g-n9d6-pkb5" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.13.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/377039?format=api", "purl": "pkg:composer/craftcms/cms@5.5.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-f67g-n9d6-pkb5" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.8" } ], "aliases": [ "CVE-2025-23209", "GHSA-x684-96hh-833x" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kb3b-8hqt-nqfj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/136517?format=api", "vulnerability_id": "VCID-mhqg-hey8-6bee", "summary": "An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings to Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not a report about code provided by the Craft CMS product; it is only a report about the Feed Me plugin. NOTE: a third-party report states that commit b5d6ede51848349bd91bc95fec288b6793f15e28 has \"nothing to do with security.\"", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36260", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00366", "scoring_system": "epss", "scoring_elements": "0.59001", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00366", "scoring_system": "epss", "scoring_elements": "0.59123", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00366", "scoring_system": "epss", "scoring_elements": "0.59112", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36260" }, { "reference_url": "https://github.com/craftcms/feed-me", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/feed-me" }, { "reference_url": "https://github.com/craftcms/feed-me/releases/tag/4.6.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/feed-me/releases/tag/4.6.2" }, { "reference_url": "https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28", "reference_id": "b5d6ede51848349bd91bc95fec288b6793f15e28", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-30T16:40:39Z/" } ], "url": "https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28" }, { "reference_url": "https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28%29", "reference_id": "b5d6ede51848349bd91bc95fec288b6793f15e28%29", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-30T16:40:39Z/" } ], "url": "https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28%29" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36260", "reference_id": "CVE-2023-36260", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36260" }, { "reference_url": "https://github.com/advisories/GHSA-6p78-f7h9-6838", "reference_id": "GHSA-6p78-f7h9-6838", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6p78-f7h9-6838" }, { "reference_url": "https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D", "reference_id": "?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-30T16:40:39Z/" } ], "url": "https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28616?format=api", "purl": "pkg:composer/craftcms/cms@4.6.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.6.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/394995?format=api", "purl": "pkg:composer/craftcms/cms@4.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-eypa-1c6q-tfau" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-pfwt-hxpb-4ub8" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.7.0" } ], "aliases": [ "CVE-2023-36260", "GHSA-6p78-f7h9-6838" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mhqg-hey8-6bee" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77955?format=api", "vulnerability_id": "VCID-nep2-e16y-9yg4", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33159", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06624", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06613", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06602", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33159" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33159", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33159" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "4.17.8", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592", "reference_id": "7f0ead833f7c2b91ae12003caad833479dd08592", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592" }, { "reference_url": "https://github.com/advisories/GHSA-6mrr-q3pj-h53w", "reference_id": "GHSA-6mrr-q3pj-h53w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6mrr-q3pj-h53w" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w", "reference_id": "GHSA-6mrr-q3pj-h53w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374878?format=api", "purl": "pkg:composer/craftcms/cms@4.17.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33159", "GHSA-6mrr-q3pj-h53w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nep2-e16y-9yg4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69160?format=api", "vulnerability_id": "VCID-nhab-uyen-ayhq", "summary": "Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28696", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07121", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07126", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07094", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28696" }, { "reference_url": "https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9", "reference_id": "4d98a07e47580f1712095825d3e3c4d67bc9f8b9", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:00:48Z/" } ], "url": "https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28696", "reference_id": "CVE-2026-28696", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28696" }, { "reference_url": "https://github.com/advisories/GHSA-7x43-mpfg-r9wj", "reference_id": "GHSA-7x43-mpfg-r9wj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7x43-mpfg-r9wj" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj", "reference_id": "GHSA-7x43-mpfg-r9wj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:00:48Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38982?format=api", "purl": "pkg:composer/craftcms/cms@4.17.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28696", "GHSA-7x43-mpfg-r9wj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nhab-uyen-ayhq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65884?format=api", "vulnerability_id": "VCID-p8kk-e27s-n7cs", "summary": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. This issue is patched in versions 4.16.18 and 5.8.22.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25493", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05835", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05818", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05844", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25493" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.18" }, { "reference_url": "https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98", "reference_id": "0974055634af68998f67850ab2045d8aaa19fa98", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/" } ], "url": "https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "5.8.22", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25493", "reference_id": "CVE-2026-25493", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25493" }, { "reference_url": "https://github.com/advisories/GHSA-8jr8-7hr4-vhfx", "reference_id": "GHSA-8jr8-7hr4-vhfx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8jr8-7hr4-vhfx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx", "reference_id": "GHSA-8jr8-7hr4-vhfx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38971?format=api", "purl": "pkg:composer/craftcms/cms@4.16.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/38960?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25493", "GHSA-8jr8-7hr4-vhfx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p8kk-e27s-n7cs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43495?format=api", "vulnerability_id": "VCID-pfwt-hxpb-4ub8", "summary": "Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme (e.g., file://file:////). This enables the attacker to specify sensitive folders as the file system, leading to potential file overwriting through malicious uploads, unauthorized access to sensitive files, and, under certain conditions, remote code execution (RCE) via Server-Side Template Injection (SSTI) payloads. Note that this will only work if you have an authenticated administrator account with allowAdminChanges enabled. This is fixed in 5.4.6 and 4.12.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52291", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.31873", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.31889", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.31684", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52291" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52291", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52291" }, { "reference_url": "https://github.com/advisories/GHSA-jrh5-vhr9-qh7q", "reference_id": "GHSA-jrh5-vhr9-qh7q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jrh5-vhr9-qh7q" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q", "reference_id": "GHSA-jrh5-vhr9-qh7q", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:50:50Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372858?format=api", "purl": "pkg:composer/craftcms/cms@4.12.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.12.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/372857?format=api", "purl": "pkg:composer/craftcms/cms@5.4.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.6" } ], "aliases": [ "CVE-2024-52291", "GHSA-jrh5-vhr9-qh7q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pfwt-hxpb-4ub8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77697?format=api", "vulnerability_id": "VCID-py3b-5ps7-7fe3", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33158", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03898", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03906", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03916", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33158" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33158", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33158" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "4.17.8", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860", "reference_id": "7290d91639e5e3a4f7e221dfbef95c9b77331860", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860" }, { "reference_url": "https://github.com/advisories/GHSA-3pvf-vxrv-hh9c", "reference_id": "GHSA-3pvf-vxrv-hh9c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3pvf-vxrv-hh9c" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c", "reference_id": "GHSA-3pvf-vxrv-hh9c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374878?format=api", "purl": "pkg:composer/craftcms/cms@4.17.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33158", "GHSA-3pvf-vxrv-hh9c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-py3b-5ps7-7fe3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69679?format=api", "vulnerability_id": "VCID-qmcc-3ued-m7gk", "summary": "Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the \"Duplicate\" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only \"View Entries\" permission (where the \"Duplicate\" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28782", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.131", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13092", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.12995", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28782" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28782", "reference_id": "CVE-2026-28782", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28782" }, { "reference_url": "https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d", "reference_id": "fb61a91357f5761c852400185ba931f51d82783d", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:34:53Z/" } ], "url": "https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d" }, { "reference_url": "https://github.com/advisories/GHSA-jxm3-pmm2-9gf6", "reference_id": "GHSA-jxm3-pmm2-9gf6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jxm3-pmm2-9gf6" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6", "reference_id": "GHSA-jxm3-pmm2-9gf6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:34:53Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38982?format=api", "purl": "pkg:composer/craftcms/cms@4.17.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28782", "GHSA-jxm3-pmm2-9gf6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qmcc-3ued-m7gk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93099?format=api", "vulnerability_id": "VCID-qrmg-jky7-87cb", "summary": "Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68454", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.66459", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.66446", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.66351", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68454" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "reference_id": "CHANGELOG.md#5821---2025-12-04", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/" } ], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68454", "reference_id": "CVE-2025-68454", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68454" }, { "reference_url": "https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe", "reference_id": "d82680f4a05f9576883bb83c3f6243d33ca73ebe", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/" } ], "url": "https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe" }, { "reference_url": "https://github.com/advisories/GHSA-742x-x762-7383", "reference_id": "GHSA-742x-x762-7383", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-742x-x762-7383" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383", "reference_id": "GHSA-742x-x762-7383", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36519?format=api", "purl": "pkg:composer/craftcms/cms@4.16.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/36516?format=api", "purl": "pkg:composer/craftcms/cms@5.8.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21" } ], "aliases": [ "CVE-2025-68454", "GHSA-742x-x762-7383" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qrmg-jky7-87cb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65934?format=api", "vulnerability_id": "VCID-r47n-36pn-cbe4", "summary": "Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the schema-resolved volume but fetches the target asset by ID without verifying that the asset belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25497", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07463", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07456", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07428", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25497" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.0-beta.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.0-beta.1" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.0-beta.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.0-beta.1" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "5.8.22", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409", "reference_id": "ac7edf868c1a81fd9c4dc49d3b3edf1cce113409", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/" } ], "url": "https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25497", "reference_id": "CVE-2026-25497", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25497" }, { "reference_url": "https://github.com/advisories/GHSA-fxp3-g6gw-4r4v", "reference_id": "GHSA-fxp3-g6gw-4r4v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fxp3-g6gw-4r4v" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v", "reference_id": "GHSA-fxp3-g6gw-4r4v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38982?format=api", "purl": "pkg:composer/craftcms/cms@4.17.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-25497", "GHSA-fxp3-g6gw-4r4v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r47n-36pn-cbe4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93536?format=api", "vulnerability_id": "VCID-rezz-ka5s-hyg2", "summary": "Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68455", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0114", "scoring_system": "epss", "scoring_elements": "0.7891", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0114", "scoring_system": "epss", "scoring_elements": "0.78828", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0114", "scoring_system": "epss", "scoring_elements": "0.78893", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68455" }, { "reference_url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7", "reference_id": "27f55886098b56c00ddc53b69239c9c9192252c7", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/" } ], "url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7" }, { "reference_url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef", "reference_id": "6e608a1a5bfb36943f94f584b7548ca542a86fef", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/" } ], "url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "reference_id": "CHANGELOG.md#5821---2025-12-04", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/" } ], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68455", "reference_id": "CVE-2025-68455", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68455" }, { "reference_url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593", "reference_id": "ec43c497edde0b2bf2e39a119cded2e55f9fe593", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/" } ], "url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593" }, { "reference_url": "https://github.com/advisories/GHSA-255j-qw47-wjh5", "reference_id": "GHSA-255j-qw47-wjh5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-255j-qw47-wjh5" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5", "reference_id": "GHSA-255j-qw47-wjh5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36519?format=api", "purl": "pkg:composer/craftcms/cms@4.16.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/36516?format=api", "purl": "pkg:composer/craftcms/cms@5.8.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21" } ], "aliases": [ "CVE-2025-68455", "GHSA-255j-qw47-wjh5" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rezz-ka5s-hyg2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81021?format=api", "vulnerability_id": "VCID-smdx-nfbs-2qbx", "summary": "Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. \nWhen `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). Versions 4.17.9 and 5.9.15 patch the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41130", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16424", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16435", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1628", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41130" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41130", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41130" }, { "reference_url": "https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783", "reference_id": "ebe7e85f1c89700d64332f72492be2e9a594e783", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/" } ], "url": "https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783" }, { "reference_url": "https://github.com/advisories/GHSA-95wr-3f2v-v2wh", "reference_id": "GHSA-95wr-3f2v-v2wh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-95wr-3f2v-v2wh" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh", "reference_id": "GHSA-95wr-3f2v-v2wh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373534?format=api", "purl": "pkg:composer/craftcms/cms@4.17.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/373533?format=api", "purl": "pkg:composer/craftcms/cms@5.9.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15" } ], "aliases": [ "CVE-2026-41130", "GHSA-95wr-3f2v-v2wh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-smdx-nfbs-2qbx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/143213?format=api", "vulnerability_id": "VCID-tf8p-xrne-8qfg", "summary": "Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32679", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.06429", "scoring_system": "epss", "scoring_elements": "0.91298", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.06429", "scoring_system": "epss", "scoring_elements": "0.9126", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.06429", "scoring_system": "epss", "scoring_elements": "0.9129", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32679" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32679", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32679" }, { "reference_url": "https://github.com/advisories/GHSA-vqxf-r9ph-cc9c", "reference_id": "GHSA-vqxf-r9ph-cc9c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vqxf-r9ph-cc9c" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c", "reference_id": "GHSA-vqxf-r9ph-cc9c", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T17:06:00Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381988?format=api", "purl": "pkg:composer/craftcms/cms@4.4.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9krv-seyq-juez" }, { "vulnerability": "VCID-9yny-vu36-tyes" }, { "vulnerability": "VCID-a9bc-cgqq-jkfh" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-eypa-1c6q-tfau" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gjvb-ht1w-s3hm" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-hh13-6e1x-p7ez" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-mhqg-hey8-6bee" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-pfwt-hxpb-4ub8" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wcsx-j8xk-r7c7" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6" } ], "aliases": [ "CVE-2023-32679", "GHSA-vqxf-r9ph-cc9c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tf8p-xrne-8qfg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/121029?format=api", "vulnerability_id": "VCID-tfc8-rkdd-53f7", "summary": "Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-57811", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00227", "scoring_system": "epss", "scoring_elements": "0.45622", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00227", "scoring_system": "epss", "scoring_elements": "0.45778", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00227", "scoring_system": "epss", "scoring_elements": "0.45769", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-57811" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57811", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57811" }, { "reference_url": "https://github.com/craftcms/cms/pull/17612", "reference_id": "17612", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/" } ], "url": "https://github.com/craftcms/cms/pull/17612" }, { "reference_url": "https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc", "reference_id": "e77f8a287dcdda41f1724f525d03542f18566cbc", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/" } ], "url": "https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc" }, { "reference_url": "https://github.com/advisories/GHSA-crcq-738g-pqvc", "reference_id": "GHSA-crcq-738g-pqvc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-crcq-738g-pqvc" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc", "reference_id": "GHSA-crcq-738g-pqvc", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv", "reference_id": "GHSA-f3cw-hg6r-chfv", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377731?format=api", "purl": "pkg:composer/craftcms/cms@4.16.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/40131?format=api", "purl": "pkg:composer/craftcms/cms@5.8.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.7" } ], "aliases": [ "CVE-2025-57811", "GHSA-crcq-738g-pqvc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tfc8-rkdd-53f7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65908?format=api", "vulnerability_id": "VCID-vrpf-parp-7kgr", "summary": "Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25498", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.59295", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.59283", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.59171", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25498" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.18" }, { "reference_url": "https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748", "reference_id": "395c64f0b80b507be1c862a2ec942eaacb353748", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/" } ], "url": "https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "5.8.22", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25498", "reference_id": "CVE-2026-25498", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25498" }, { "reference_url": "https://github.com/advisories/GHSA-7jx7-3846-m7w7", "reference_id": "GHSA-7jx7-3846-m7w7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7jx7-3846-m7w7" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7", "reference_id": "GHSA-7jx7-3846-m7w7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38971?format=api", "purl": "pkg:composer/craftcms/cms@4.16.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/38960?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25498", "GHSA-7jx7-3846-m7w7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vrpf-parp-7kgr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/137261?format=api", "vulnerability_id": "VCID-vvej-1fex-kqdn", "summary": "Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in version 3.8.4 and 4.4.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-31144", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00669", "scoring_system": "epss", "scoring_elements": "0.71872", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00669", "scoring_system": "epss", "scoring_elements": "0.71886", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00669", "scoring_system": "epss", "scoring_elements": "0.71787", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-31144" }, { "reference_url": "https://github.com/craftcms/cms/commit/e2f7e7b7d86a0afa54ce855375d13c7760670764", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/e2f7e7b7d86a0afa54ce855375d13c7760670764" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31144", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31144" }, { "reference_url": "https://github.com/craftcms/cms/commit/52bd161614620edbab2d24d078ca9ebca2528442", "reference_id": "52bd161614620edbab2d24d078ca9ebca2528442", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-28T16:40:35Z/" } ], "url": "https://github.com/craftcms/cms/commit/52bd161614620edbab2d24d078ca9ebca2528442" }, { "reference_url": "https://github.com/advisories/GHSA-j4mx-98hw-6rv6", "reference_id": "GHSA-j4mx-98hw-6rv6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j4mx-98hw-6rv6" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-j4mx-98hw-6rv6", "reference_id": "GHSA-j4mx-98hw-6rv6", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-28T16:40:35Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-j4mx-98hw-6rv6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/382053?format=api", "purl": "pkg:composer/craftcms/cms@4.4.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9fqv-dg3y-wbbf" }, { "vulnerability": "VCID-9krv-seyq-juez" }, { "vulnerability": "VCID-9yny-vu36-tyes" }, { "vulnerability": "VCID-a9bc-cgqq-jkfh" }, { "vulnerability": "VCID-ad7v-5hxr-s3a4" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-eypa-1c6q-tfau" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gjvb-ht1w-s3hm" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h3za-7cd7-vkav" }, { "vulnerability": "VCID-hh13-6e1x-p7ez" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-mhqg-hey8-6bee" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-pfwt-hxpb-4ub8" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tf8p-xrne-8qfg" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wcsx-j8xk-r7c7" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.4" } ], "aliases": [ "CVE-2023-31144", "GHSA-j4mx-98hw-6rv6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vvej-1fex-kqdn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49227?format=api", "vulnerability_id": "VCID-wcsx-j8xk-r7c7", "summary": "Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21622", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.2763", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.27856", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.27832", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21622" }, { "reference_url": "https://github.com/craftcms/cms/pull/13931", "reference_id": "13931", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/" } ], "url": "https://github.com/craftcms/cms/pull/13931" }, { "reference_url": "https://github.com/craftcms/cms/pull/13932", "reference_id": "13932", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/" } ], "url": "https://github.com/craftcms/cms/pull/13932" }, { "reference_url": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa", "reference_id": "76caf9af07d9964be0fd362772223be6a5f5b6aa", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/" } ], "url": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa" }, { "reference_url": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843", "reference_id": "be81eb653d633833f2ab22510794abb6bb9c0843", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/" } ], "url": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843" }, { "reference_url": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16", "reference_id": "CHANGELOG.md#396---2023-11-16", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/" } ], "url": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16" }, { "reference_url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16", "reference_id": "CHANGELOG.md#4511---2023-11-16", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/" } ], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21622", "reference_id": "CVE-2024-21622", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21622" }, { "reference_url": "https://github.com/advisories/GHSA-j5g9-j7r4-6qvx", "reference_id": "GHSA-j5g9-j7r4-6qvx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j5g9-j7r4-6qvx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx", "reference_id": "GHSA-j5g9-j7r4-6qvx", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28261?format=api", "purl": "pkg:composer/craftcms/cms@4.5.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-eypa-1c6q-tfau" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-htqk-ckr5-jbcu" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-mhqg-hey8-6bee" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-pfwt-hxpb-4ub8" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x12b-mjr9-sba2" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.5.11" } ], "aliases": [ "CVE-2024-21622", "GHSA-j5g9-j7r4-6qvx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wcsx-j8xk-r7c7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93221?format=api", "vulnerability_id": "VCID-wnr9-2wyr-wug4", "summary": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68436", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.1177", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11776", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11692", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68436" }, { "reference_url": "https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9", "reference_id": "4bcb0db554e273b66ce3b75263a13414c2368fc9", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:10Z/" } ], "url": "https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68436", "reference_id": "CVE-2025-68436", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68436" }, { "reference_url": "https://github.com/advisories/GHSA-53vf-c43h-j2x9", "reference_id": "GHSA-53vf-c43h-j2x9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-53vf-c43h-j2x9" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9", "reference_id": "GHSA-53vf-c43h-j2x9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:10Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36519?format=api", "purl": "pkg:composer/craftcms/cms@4.16.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/36516?format=api", "purl": "pkg:composer/craftcms/cms@5.8.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21" } ], "aliases": [ "CVE-2025-68436", "GHSA-53vf-c43h-j2x9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wnr9-2wyr-wug4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42210?format=api", "vulnerability_id": "VCID-x12b-mjr9-sba2", "summary": "Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-56145", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.93926", "scoring_system": "epss", "scoring_elements": "0.99889", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.93926", "scoring_system": "epss", "scoring_elements": "0.99888", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-56145" }, { "reference_url": "https://github.com/Chocapikk/CVE-2024-56145", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Chocapikk/CVE-2024-56145" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56145", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56145" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145" }, { "reference_url": "https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3", "reference_id": "82e893fb794d30563da296bca31379c0df0079b3", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/" } ], "url": "https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3" }, { "reference_url": "https://github.com/advisories/GHSA-2p6p-9rc9-62j9", "reference_id": "GHSA-2p6p-9rc9-62j9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2p6p-9rc9-62j9" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9", "reference_id": "GHSA-2p6p-9rc9-62j9", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372511?format=api", "purl": "pkg:composer/craftcms/cms@4.13.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.13.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/372510?format=api", "purl": "pkg:composer/craftcms/cms@5.5.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-c38g-6ttm-yuep" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-kb3b-8hqt-nqfj" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.2" } ], "aliases": [ "CVE-2024-56145", "GHSA-2p6p-9rc9-62j9" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x12b-mjr9-sba2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69404?format=api", "vulnerability_id": "VCID-x1w2-ytck-17bn", "summary": "Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to work, you must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against our recommendations for any non-dev environment. Alternatively, you can have a non-administrator account with allowAdminChanges disabled, but you have access to the System Messages utility. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28784", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06182", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06191", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06203", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28784" }, { "reference_url": "https://github.com/craftcms/cms/pull/18208", "reference_id": "18208", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/" } ], "url": "https://github.com/craftcms/cms/pull/18208" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28784", "reference_id": "CVE-2026-28784", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28784" }, { "reference_url": "https://github.com/advisories/GHSA-qc86-q28f-ggww", "reference_id": "GHSA-qc86-q28f-ggww", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qc86-q28f-ggww" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww", "reference_id": "GHSA-qc86-q28f-ggww", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww" }, { "reference_url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production", "reference_id": "securing-craft#set-allowAdminChanges-to-false-in-production", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/" } ], "url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38982?format=api", "purl": "pkg:composer/craftcms/cms@4.17.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28784", "GHSA-qc86-q28f-ggww" ], "risk_score": 3.9, "exploitability": "0.5", "weighted_severity": "7.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x1w2-ytck-17bn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65892?format=api", "vulnerability_id": "VCID-y2ya-ys74-vqbv", "summary": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25494", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05818", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05835", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05844", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25494" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.18" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "5.8.22", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25494", "reference_id": "CVE-2026-25494", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25494" }, { "reference_url": "https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2", "reference_id": "d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/" } ], "url": "https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2" }, { "reference_url": "https://github.com/advisories/GHSA-m5r2-8p9x-hp5m", "reference_id": "GHSA-m5r2-8p9x-hp5m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m5r2-8p9x-hp5m" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m", "reference_id": "GHSA-m5r2-8p9x-hp5m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38971?format=api", "purl": "pkg:composer/craftcms/cms@4.16.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/38960?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25494", "GHSA-m5r2-8p9x-hp5m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y2ya-ys74-vqbv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77578?format=api", "vulnerability_id": "VCID-yc89-41eq-b3eh", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename. This could allow an authenticated user with replaceFiles permission on one volume to delete files in other folders/volumes that share the same filesystem root. This only affects local filesystems. This issue has been patched in versions 4.17.5 and 5.9.11.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32262", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12406", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12414", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12316", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32262" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32262", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32262" }, { "reference_url": "https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11", "reference_id": "c997efbe4c66c14092714233aeebff15cdbfcf11", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/" } ], "url": "https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11" }, { "reference_url": "https://github.com/advisories/GHSA-472v-j2g4-g9h2", "reference_id": "GHSA-472v-j2g4-g9h2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-472v-j2g4-g9h2" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2", "reference_id": "GHSA-472v-j2g4-g9h2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374750?format=api", "purl": "pkg:composer/craftcms/cms@4.17.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/374751?format=api", "purl": "pkg:composer/craftcms/cms@5.9.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11" } ], "aliases": [ "CVE-2026-32262", "GHSA-472v-j2g4-g9h2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yc89-41eq-b3eh" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.0-beta.5" }