Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/68643?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/68643?format=api", "purl": "pkg:composer/craftcms/cms@4.7.0", "type": "composer", "namespace": "craftcms", "name": "cms", "version": "4.7.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.16.6", "latest_non_vulnerable_version": "5.9.18", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56185?format=api", "vulnerability_id": "VCID-5cxe-tjpb-3qan", "summary": "Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution\nA vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double `file://` scheme (e.g., `file://file:////`). This enables the attacker to specify sensitive folders as the file system, leading to potential file overwriting through malicious uploads, unauthorized access to sensitive files, and, under certain conditions, remote code execution (RCE) via Server-Side Template Injection (SSTI) payloads.\n\nNote that this will only work if you have an authenticated administrator account with allowAdminChanges enabled", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52291", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.31722", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52291" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52291", "reference_id": "CVE-2024-52291", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52291" }, { "reference_url": "https://github.com/advisories/GHSA-jrh5-vhr9-qh7q", "reference_id": "GHSA-jrh5-vhr9-qh7q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jrh5-vhr9-qh7q" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q", "reference_id": "GHSA-jrh5-vhr9-qh7q", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:50:50Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83250?format=api", "purl": "pkg:composer/craftcms/cms@4.12.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-r5hp-5nju-9ubz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.12.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/83249?format=api", "purl": "pkg:composer/craftcms/cms@5.4.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-r5hp-5nju-9ubz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.6" } ], "aliases": [ "CVE-2024-52291", "GHSA-jrh5-vhr9-qh7q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5cxe-tjpb-3qan" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56181?format=api", "vulnerability_id": "VCID-71sv-62m4-z3er", "summary": "Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI\nMissing `normalizePath` in the function `FileHelper::absolutePath` could lead to Remote Code Execution on the server via twig SSTI.\n\n`(Post-authentication, ALLOW_ADMIN_CHANGES=true)`", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52293", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.21994", "scoring_system": "epss", "scoring_elements": "0.95885", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52293" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:54:41Z/" } ], "url": "https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52293", "reference_id": "CVE-2024-52293", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52293" }, { "reference_url": "https://github.com/advisories/GHSA-f3cw-hg6r-chfv", "reference_id": "GHSA-f3cw-hg6r-chfv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f3cw-hg6r-chfv" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv", "reference_id": "GHSA-f3cw-hg6r-chfv", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:54:41Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83244?format=api", "purl": "pkg:composer/craftcms/cms@4.12.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5cxe-tjpb-3qan" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-r5hp-5nju-9ubz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.12.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/83245?format=api", "purl": "pkg:composer/craftcms/cms@5.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5cxe-tjpb-3qan" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-r5hp-5nju-9ubz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.3" } ], "aliases": [ "CVE-2024-52293", "GHSA-f3cw-hg6r-chfv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-71sv-62m4-z3er" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56366?format=api", "vulnerability_id": "VCID-c2nk-y4rx-1qf4", "summary": "Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled\nYou are affected if your php.ini configuration has `register_argc_argv` enabled.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-56145", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.93926", "scoring_system": "epss", "scoring_elements": "0.99888", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-56145" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/" } ], "url": "https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145" }, { "reference_url": "https://github.com/Chocapikk/CVE-2024-56145", "reference_id": "CVE-2024-56145", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Chocapikk/CVE-2024-56145" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56145", "reference_id": "CVE-2024-56145", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56145" }, { "reference_url": "https://github.com/advisories/GHSA-2p6p-9rc9-62j9", "reference_id": "GHSA-2p6p-9rc9-62j9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2p6p-9rc9-62j9" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9", "reference_id": "GHSA-2p6p-9rc9-62j9", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83573?format=api", "purl": "pkg:composer/craftcms/cms@4.13.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-r5hp-5nju-9ubz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.13.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/83572?format=api", "purl": "pkg:composer/craftcms/cms@5.5.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-r5hp-5nju-9ubz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.2" } ], "aliases": [ "CVE-2024-56145", "GHSA-2p6p-9rc9-62j9" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c2nk-y4rx-1qf4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56174?format=api", "vulnerability_id": "VCID-chep-xthg-zuee", "summary": "Craft CMS Arbitrary System File Read\nBy abusing the mail notification template it is possible to read arbitrary operating system files.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52292", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00428", "scoring_system": "epss", "scoring_elements": "0.62805", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52292" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52292", "reference_id": "CVE-2024-52292", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52292" }, { "reference_url": "https://github.com/advisories/GHSA-cw6g-qmjq-6w2w", "reference_id": "GHSA-cw6g-qmjq-6w2w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cw6g-qmjq-6w2w" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-cw6g-qmjq-6w2w", "reference_id": "GHSA-cw6g-qmjq-6w2w", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-13T18:52:42Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cw6g-qmjq-6w2w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83232?format=api", "purl": "pkg:composer/craftcms/cms@4.12.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-r5hp-5nju-9ubz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.12.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/83231?format=api", "purl": "pkg:composer/craftcms/cms@5.4.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-r5hp-5nju-9ubz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.9" } ], "aliases": [ "CVE-2024-52292", "GHSA-cw6g-qmjq-6w2w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-chep-xthg-zuee" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57972?format=api", "vulnerability_id": "VCID-h6t5-pdp5-8qhe", "summary": "Craft CMS Potential Remote Code Execution via Twig SSTI\nNote that users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nNote: This is a follow-up to [GHSA-f3cw-hg6r-chfv](https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv)\n\nUsers should update to the patched versions (4.16.6 and 5.8.7) to mitigate the issue.\n\nResources: https://github.com/craftcms/cms/pull/17612", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-57811", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00227", "scoring_system": "epss", "scoring_elements": "0.45595", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-57811" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/" } ], "url": "https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc" }, { "reference_url": "https://github.com/craftcms/cms/pull/17612", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/" } ], "url": "https://github.com/craftcms/cms/pull/17612" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57811", "reference_id": "CVE-2025-57811", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57811" }, { "reference_url": "https://github.com/advisories/GHSA-crcq-738g-pqvc", "reference_id": "GHSA-crcq-738g-pqvc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-crcq-738g-pqvc" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc", "reference_id": "GHSA-crcq-738g-pqvc", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv", "reference_id": "GHSA-f3cw-hg6r-chfv", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86230?format=api", "purl": "pkg:composer/craftcms/cms@4.16.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/74412?format=api", "purl": "pkg:composer/craftcms/cms@5.8.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-qwmy-d2e8-5khw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.7" } ], "aliases": [ "CVE-2025-57811", "GHSA-crcq-738g-pqvc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h6t5-pdp5-8qhe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57249?format=api", "vulnerability_id": "VCID-jsfs-azcs-mfcm", "summary": "Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI\nCraft CMS contains a potential remote code execution vulnerability via Twig SSTI. You must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nNote: This is a follow-up to https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv\n\nUsers should update to the patched versions (4.14.13 and 5.6.15) to mitigate the issue.", "references": [ { "reference_url": "http://github.com/craftcms/cms/pull/17026", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://github.com/craftcms/cms/pull/17026" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46731", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00909", "scoring_system": "epss", "scoring_elements": "0.76214", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46731" }, { "reference_url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46731", "reference_id": "CVE-2025-46731", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46731" }, { "reference_url": "https://github.com/advisories/GHSA-7c58-g782-9j38", "reference_id": "GHSA-7c58-g782-9j38", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7c58-g782-9j38" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38", "reference_id": "GHSA-7c58-g782-9j38", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv", "reference_id": "GHSA-f3cw-hg6r-chfv", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/85040?format=api", "purl": "pkg:composer/craftcms/cms@4.14.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dbcz-erbe-u7dt" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qq68-3j4y-47am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.14.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/85041?format=api", "purl": "pkg:composer/craftcms/cms@5.6.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dbcz-erbe-u7dt" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qq68-3j4y-47am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.15" } ], "aliases": [ "CVE-2025-46731", "GHSA-7c58-g782-9j38" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jsfs-azcs-mfcm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57273?format=api", "vulnerability_id": "VCID-jxet-d8ux-mkge", "summary": "Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at `/var/lib/php/sessions`. Such session files are named `sess_[session_value]`, where `[session_value]` is provided to the client in a `Set-Cookie` response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-35939", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.33065", "scoring_system": "epss", "scoring_elements": "0.96993", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-35939" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2" }, { "reference_url": "https://github.com/craftcms/cms/pull/17220", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" } ], "url": "https://github.com/craftcms/cms/pull/17220" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.15.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.15.3" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.7.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.7.5" }, { "reference_url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" } ], "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939" }, { "reference_url": "https://www.cve.org/CVERecord?id=CVE-2025-35939", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" } ], "url": "https://www.cve.org/CVERecord?id=CVE-2025-35939" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35939", "reference_id": "CVE-2025-35939", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35939" }, { "reference_url": "https://github.com/advisories/GHSA-7vrx-9684-xrf2", "reference_id": "GHSA-7vrx-9684-xrf2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7vrx-9684-xrf2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74788?format=api", "purl": "pkg:composer/craftcms/cms@4.15.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dbcz-erbe-u7dt" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-p3n8-1sht-bfbt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.15.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/74789?format=api", "purl": "pkg:composer/craftcms/cms@5.7.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dbcz-erbe-u7dt" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-p3n8-1sht-bfbt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.7.5" } ], "aliases": [ "CVE-2025-35939", "GHSA-7vrx-9684-xrf2" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jxet-d8ux-mkge" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57189?format=api", "vulnerability_id": "VCID-qq68-3j4y-47am", "summary": "Craft CMS Allows Remote Code Execution\nThis is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g\n\nThis is a high-impact, low-complexity attack vector. To mitigate the issue, users running Craft installations before the fixed versions are encouraged to update to at least that version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32432", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.93094", "scoring_system": "epss", "scoring_elements": "0.99798", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32432" }, { "reference_url": "https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical" }, { "reference_url": "https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical" }, { "reference_url": "https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47" }, { "reference_url": "https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py", "reference_id": "CVE-2025-32432", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32432", "reference_id": "CVE-2025-32432", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32432" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g", "reference_id": "GHSA-4w8r-3xrw-v25g", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g" }, { "reference_url": "https://github.com/advisories/GHSA-f3gw-9ww9-jmc3", "reference_id": "GHSA-f3gw-9ww9-jmc3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f3gw-9ww9-jmc3" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3", "reference_id": "GHSA-f3gw-9ww9-jmc3", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84934?format=api", "purl": "pkg:composer/craftcms/cms@4.14.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dbcz-erbe-u7dt" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-jxet-d8ux-mkge" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.14.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/84935?format=api", "purl": "pkg:composer/craftcms/cms@5.6.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dbcz-erbe-u7dt" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-jxet-d8ux-mkge" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.17" } ], "aliases": [ "CVE-2025-32432", "GHSA-f3gw-9ww9-jmc3" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qq68-3j4y-47am" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56504?format=api", "vulnerability_id": "VCID-r5hp-5nju-9ubz", "summary": "Craft CMS has a potential RCE with a compromised security key\nThis is an RCE vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised.\n\nhttps://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret\n\nAnyone running an unpatched version of Craft with a compromised security key is affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-23209", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.1639", "scoring_system": "epss", "scoring_elements": "0.94998", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-23209" }, { "reference_url": "https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/" } ], "url": "https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/" } ], "url": "https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23209", "reference_id": "CVE-2025-23209", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23209" }, { "reference_url": "https://github.com/advisories/GHSA-x684-96hh-833x", "reference_id": "GHSA-x684-96hh-833x", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x684-96hh-833x" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x", "reference_id": "GHSA-x684-96hh-833x", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83868?format=api", "purl": "pkg:composer/craftcms/cms@4.13.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dbcz-erbe-u7dt" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qq68-3j4y-47am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.13.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/83867?format=api", "purl": "pkg:composer/craftcms/cms@5.5.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dbcz-erbe-u7dt" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qq68-3j4y-47am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.8" } ], "aliases": [ "CVE-2025-23209", "GHSA-x684-96hh-833x" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r5hp-5nju-9ubz" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46914?format=api", "vulnerability_id": "VCID-dz26-b2ts-puep", "summary": "Craft CMS Feed-Me\nAn issue discovered in Craft CMS version 4.6.1. allows remote attackers to cause a denial of service (DoS) via crafted string to Feed-Me Name and Feed-Me URL fields due to saving a feed using an Asset element type with no volume selected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36260", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00366", "scoring_system": "epss", "scoring_elements": "0.58935", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36260" }, { "reference_url": "https://github.com/craftcms/feed-me", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/feed-me" }, { "reference_url": "https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-30T16:40:39Z/" } ], "url": "https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28" }, { "reference_url": "https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28%29", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-30T16:40:39Z/" } ], "url": "https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28%29" }, { "reference_url": "https://github.com/craftcms/feed-me/releases/tag/4.6.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/feed-me/releases/tag/4.6.2" }, { "reference_url": "https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-30T16:40:39Z/" } ], "url": "https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36260", "reference_id": "CVE-2023-36260", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36260" }, { "reference_url": "https://github.com/advisories/GHSA-6p78-f7h9-6838", "reference_id": "GHSA-6p78-f7h9-6838", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6p78-f7h9-6838" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/107427?format=api", "purl": "pkg:composer/craftcms/cms@4.6.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.6.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/68643?format=api", "purl": "pkg:composer/craftcms/cms@4.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5cxe-tjpb-3qan" }, { "vulnerability": "VCID-71sv-62m4-z3er" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-chep-xthg-zuee" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxet-d8ux-mkge" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-r5hp-5nju-9ubz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.7.0" } ], "aliases": [ "CVE-2023-36260", "GHSA-6p78-f7h9-6838" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dz26-b2ts-puep" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.7.0" }