| 0 |
| url |
VCID-2re8-4twc-eqez |
| vulnerability_id |
VCID-2re8-4twc-eqez |
| summary |
Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
For this to work, users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment.
https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production
Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available.
It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE.
Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
References:
https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.21 |
| purl |
pkg:composer/craftcms/cms@5.8.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-51qg-ehr3-3qeu |
|
| 3 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 4 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 5 |
| vulnerability |
VCID-76vz-cxx8-z7fc |
|
| 6 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 7 |
| vulnerability |
VCID-7b71-dsva-cfan |
|
| 8 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 9 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 10 |
| vulnerability |
VCID-efkn-13cf-97c3 |
|
| 11 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 12 |
| vulnerability |
VCID-g17s-3ghd-5fhm |
|
| 13 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 14 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 15 |
| vulnerability |
VCID-jy6d-5zfh-7ycp |
|
| 16 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 17 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 18 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 19 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 20 |
| vulnerability |
VCID-ntx4-ssgk-jqgh |
|
| 21 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 22 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 23 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 24 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 25 |
| vulnerability |
VCID-s9mh-xu8b-fqgf |
|
| 26 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 27 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 28 |
| vulnerability |
VCID-u3cv-q3ft-qkhj |
|
| 29 |
| vulnerability |
VCID-ukq9-ggdc-byf5 |
|
| 30 |
| vulnerability |
VCID-uzyt-dujv-nqh6 |
|
| 31 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 32 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 33 |
| vulnerability |
VCID-w35e-5gaq-y3aw |
|
| 34 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 35 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 36 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 37 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 38 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 39 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21 |
|
|
| aliases |
CVE-2025-68454, GHSA-742x-x762-7383
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2re8-4twc-eqez |
|
| 1 |
|
| 2 |
| url |
VCID-4zfr-4pgf-zke4 |
| vulnerability_id |
VCID-4zfr-4pgf-zke4 |
| summary |
Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates
An authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the `craft.app.fs.write()` method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands.
--- |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/craftcms/cms/pull/18216 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
|
| 1 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/ |
|
|
| url |
https://github.com/craftcms/cms/pull/18216 |
|
| 4 |
| reference_url |
https://github.com/craftcms/cms/pull/18219 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
|
| 1 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/ |
|
|
| url |
https://github.com/craftcms/cms/pull/18219 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 2 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 3 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 4 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 5 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 6 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 7 |
| vulnerability |
VCID-p4uy-hbad-k3c2 |
|
| 8 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 9 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 10 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 11 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 12 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 13 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 14 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 15 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 16 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 17 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 18 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 19 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
CVE-2026-28697, GHSA-v47q-jxvr-p68x
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4zfr-4pgf-zke4 |
|
| 3 |
| url |
VCID-51qg-ehr3-3qeu |
| vulnerability_id |
VCID-51qg-ehr3-3qeu |
| summary |
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation
The `saveAsset` GraphQL mutation uses `filter_var(..., FILTER_VALIDATE_IP)` to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services.
--- |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/craftcms/cms |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/craftcms/cms |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/craftcms/cms/releases/tag/5.8.22 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/ |
|
|
| url |
https://github.com/craftcms/cms/releases/tag/5.8.22 |
|
| 5 |
|
| 6 |
|
| 7 |
| reference_url |
https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m |
| reference_id |
GHSA-m5r2-8p9x-hp5m |
| reference_type |
|
| scores |
| 0 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/ |
|
|
| url |
https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.22 |
| purl |
pkg:composer/craftcms/cms@5.8.22 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 3 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 4 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 5 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 6 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 7 |
| vulnerability |
VCID-efkn-13cf-97c3 |
|
| 8 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 9 |
| vulnerability |
VCID-g17s-3ghd-5fhm |
|
| 10 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 11 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 12 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 13 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 14 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 15 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 16 |
| vulnerability |
VCID-ntx4-ssgk-jqgh |
|
| 17 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 18 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 19 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 20 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 21 |
| vulnerability |
VCID-s9mh-xu8b-fqgf |
|
| 22 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 23 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 24 |
| vulnerability |
VCID-ukq9-ggdc-byf5 |
|
| 25 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 26 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 27 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 28 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 29 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 30 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 31 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 32 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22 |
|
|
| aliases |
CVE-2026-25494, GHSA-m5r2-8p9x-hp5m
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-51qg-ehr3-3qeu |
|
| 4 |
| url |
VCID-5h4n-14xc-uuf6 |
| vulnerability_id |
VCID-5h4n-14xc-uuf6 |
| summary |
Craft CMS vulnerable to potential information disclosure via unchecked asset relocation
Authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests.
Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Resources:
https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9
https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9 |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.21 |
| purl |
pkg:composer/craftcms/cms@5.8.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-51qg-ehr3-3qeu |
|
| 3 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 4 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 5 |
| vulnerability |
VCID-76vz-cxx8-z7fc |
|
| 6 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 7 |
| vulnerability |
VCID-7b71-dsva-cfan |
|
| 8 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 9 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 10 |
| vulnerability |
VCID-efkn-13cf-97c3 |
|
| 11 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 12 |
| vulnerability |
VCID-g17s-3ghd-5fhm |
|
| 13 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 14 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 15 |
| vulnerability |
VCID-jy6d-5zfh-7ycp |
|
| 16 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 17 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 18 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 19 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 20 |
| vulnerability |
VCID-ntx4-ssgk-jqgh |
|
| 21 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 22 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 23 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 24 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 25 |
| vulnerability |
VCID-s9mh-xu8b-fqgf |
|
| 26 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 27 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 28 |
| vulnerability |
VCID-u3cv-q3ft-qkhj |
|
| 29 |
| vulnerability |
VCID-ukq9-ggdc-byf5 |
|
| 30 |
| vulnerability |
VCID-uzyt-dujv-nqh6 |
|
| 31 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 32 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 33 |
| vulnerability |
VCID-w35e-5gaq-y3aw |
|
| 34 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 35 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 36 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 37 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 38 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 39 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21 |
|
|
| aliases |
CVE-2025-68436, GHSA-53vf-c43h-j2x9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5h4n-14xc-uuf6 |
|
| 5 |
| url |
VCID-64xk-a8pc-bkey |
| vulnerability_id |
VCID-64xk-a8pc-bkey |
| summary |
CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization
The fix for CVE-2025-35939 in `craftcms/cms` introduced a `strip_tags()` call in `src/web/User.php` to sanitize return URLs before they are stored in the session. However, `strip_tags()` only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like `javascript:alert(document.cookie)` contain no HTML tags and pass through `strip_tags()` completely unmodified, enabling reflected XSS when the return URL is rendered in an `href` attribute. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.9.7 |
| purl |
pkg:composer/craftcms/cms@5.9.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 2 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 3 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 4 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 5 |
| vulnerability |
VCID-p4uy-hbad-k3c2 |
|
| 6 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 7 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 8 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 9 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 10 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 11 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 12 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 13 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 14 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 15 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 16 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.7 |
|
|
| aliases |
CVE-2026-31859, GHSA-fvwq-45qv-xvhv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-64xk-a8pc-bkey |
|
| 6 |
| url |
VCID-68jz-k8d5-u7dk |
| vulnerability_id |
VCID-68jz-k8d5-u7dk |
| summary |
Craft CMS has a potential information disclosure vulnerability in preview tokens
Craft CMS has a CSRF issue in the preview token endpoint at `/actions/preview/create-token`. The endpoint accepts an attacker-supplied `previewToken`.
Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker.
That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope.
--- |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/craftcms/cms |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/craftcms/cms |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v |
| reference_id |
GHSA-vg3j-hpm9-8v5v |
| reference_type |
|
| scores |
| 0 |
| value |
LOW |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 3 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:05:03Z/ |
|
|
| url |
https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.9.7 |
| purl |
pkg:composer/craftcms/cms@5.9.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 2 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 3 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 4 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 5 |
| vulnerability |
VCID-p4uy-hbad-k3c2 |
|
| 6 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 7 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 8 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 9 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 10 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 11 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 12 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 13 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 14 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 15 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 16 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.7 |
|
|
| aliases |
CVE-2026-29113, GHSA-vg3j-hpm9-8v5v
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-68jz-k8d5-u7dk |
|
| 7 |
| url |
VCID-6epu-syvm-d3ed |
| vulnerability_id |
VCID-6epu-syvm-d3ed |
| summary |
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
This was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (`5.6.0`) version of Craft CMS.
Leveraging a legitimate but maliciously crafted Yii `Behavior` class, it’s possible to trigger Remote Code Execution (RCE) via Reflection when the tainted `Behavior` is attached to a Yii `Component`, and an event is also fired on the tainted `Component`. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.21 |
| purl |
pkg:composer/craftcms/cms@5.8.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-51qg-ehr3-3qeu |
|
| 3 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 4 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 5 |
| vulnerability |
VCID-76vz-cxx8-z7fc |
|
| 6 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 7 |
| vulnerability |
VCID-7b71-dsva-cfan |
|
| 8 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 9 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 10 |
| vulnerability |
VCID-efkn-13cf-97c3 |
|
| 11 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 12 |
| vulnerability |
VCID-g17s-3ghd-5fhm |
|
| 13 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 14 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 15 |
| vulnerability |
VCID-jy6d-5zfh-7ycp |
|
| 16 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 17 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 18 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 19 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 20 |
| vulnerability |
VCID-ntx4-ssgk-jqgh |
|
| 21 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 22 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 23 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 24 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 25 |
| vulnerability |
VCID-s9mh-xu8b-fqgf |
|
| 26 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 27 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 28 |
| vulnerability |
VCID-u3cv-q3ft-qkhj |
|
| 29 |
| vulnerability |
VCID-ukq9-ggdc-byf5 |
|
| 30 |
| vulnerability |
VCID-uzyt-dujv-nqh6 |
|
| 31 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 32 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 33 |
| vulnerability |
VCID-w35e-5gaq-y3aw |
|
| 34 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 35 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 36 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 37 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 38 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 39 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21 |
|
|
| aliases |
CVE-2025-68455, GHSA-255j-qw47-wjh5
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6epu-syvm-d3ed |
|
| 8 |
| url |
VCID-76vz-cxx8-z7fc |
| vulnerability_id |
VCID-76vz-cxx8-z7fc |
| summary |
Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page
A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user's permissions.
> [!NOTE]
> This is a separate vulnerability from the previously reported "[Stored XSS via User Group Name in User Settings Page](https://github.com/craftcms/cms/security/advisories/GHSA-2423-8xxj-wc3g)" and "[Multiple Stored XSS in User Group Edit Page](https://github.com/craftcms/cms/security/advisories/GHSA-vx7g-xw92-g4xj)". This affects a different sink: the individual user's permissions page. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.22 |
| purl |
pkg:composer/craftcms/cms@5.8.22 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 3 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 4 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 5 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 6 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 7 |
| vulnerability |
VCID-efkn-13cf-97c3 |
|
| 8 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 9 |
| vulnerability |
VCID-g17s-3ghd-5fhm |
|
| 10 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 11 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 12 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 13 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 14 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 15 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 16 |
| vulnerability |
VCID-ntx4-ssgk-jqgh |
|
| 17 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 18 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 19 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 20 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 21 |
| vulnerability |
VCID-s9mh-xu8b-fqgf |
|
| 22 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 23 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 24 |
| vulnerability |
VCID-ukq9-ggdc-byf5 |
|
| 25 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 26 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 27 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 28 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 29 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 30 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 31 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 32 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22 |
|
|
| aliases |
GHSA-g3hp-vvqf-8vw6
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-76vz-cxx8-z7fc |
|
| 9 |
|
| 10 |
| url |
VCID-7b71-dsva-cfan |
| vulnerability_id |
VCID-7b71-dsva-cfan |
| summary |
Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
A stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the `|md|raw` Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.22 |
| purl |
pkg:composer/craftcms/cms@5.8.22 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 3 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 4 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 5 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 6 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 7 |
| vulnerability |
VCID-efkn-13cf-97c3 |
|
| 8 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 9 |
| vulnerability |
VCID-g17s-3ghd-5fhm |
|
| 10 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 11 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 12 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 13 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 14 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 15 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 16 |
| vulnerability |
VCID-ntx4-ssgk-jqgh |
|
| 17 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 18 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 19 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 20 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 21 |
| vulnerability |
VCID-s9mh-xu8b-fqgf |
|
| 22 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 23 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 24 |
| vulnerability |
VCID-ukq9-ggdc-byf5 |
|
| 25 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 26 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 27 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 28 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 29 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 30 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 31 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 32 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22 |
|
|
| aliases |
CVE-2026-25496, GHSA-9f5h-mmq6-2x78
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7b71-dsva-cfan |
|
| 11 |
| url |
VCID-ccwe-z8nr-3qhq |
| vulnerability_id |
VCID-ccwe-z8nr-3qhq |
| summary |
Craft CMS: GraphQL Asset Mutation Privilege Escalation
Type: Privilege Escalation (CWE-269)
Affected: Craft CMS 5.x (likely affects 4.x and 3.x as well)
Location: `src/gql/resolvers/mutations/Asset.php lines 57-107` |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 2 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 3 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 4 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 5 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 6 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 7 |
| vulnerability |
VCID-p4uy-hbad-k3c2 |
|
| 8 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 9 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 10 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 11 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 12 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 13 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 14 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 15 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 16 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 17 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 18 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 19 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
CVE-2026-25497, GHSA-fxp3-g6gw-4r4v
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ccwe-z8nr-3qhq |
|
| 12 |
| url |
VCID-ch5h-xzgt-6kgs |
| vulnerability_id |
VCID-ch5h-xzgt-6kgs |
| summary |
Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action
The "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements.
Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request.
Furthermore, this vulnerability allows duplicating **other users' entries** by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 2 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 3 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 4 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 5 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 6 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 7 |
| vulnerability |
VCID-p4uy-hbad-k3c2 |
|
| 8 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 9 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 10 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 11 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 12 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 13 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 14 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 15 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 16 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 17 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 18 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 19 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
CVE-2026-28782, GHSA-jxm3-pmm2-9gf6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ch5h-xzgt-6kgs |
|
| 13 |
| url |
VCID-efkn-13cf-97c3 |
| vulnerability_id |
VCID-efkn-13cf-97c3 |
| summary |
Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution
The SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection.
This is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)). |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.23 |
| purl |
pkg:composer/craftcms/cms@5.8.23 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 3 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 4 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 5 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 6 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 7 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 8 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 9 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 10 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 11 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 12 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 13 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 14 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 15 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 16 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 17 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 18 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 19 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 20 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 21 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 22 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 23 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 24 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 25 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 26 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 27 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23 |
|
|
| aliases |
CVE-2026-27129, GHSA-v2gc-rm6g-wrw9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-efkn-13cf-97c3 |
|
| 14 |
| url |
VCID-ejv9-c3hf-jfax |
| vulnerability_id |
VCID-ejv9-c3hf-jfax |
| summary |
Craft CMS has Twig Function Blocklist Bypass
Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions.
In order to be able to successfully execute this attack, you need to either have `allowAdminChanges` enabled on production, or a compromised admin account, or an account with access to the System Messages utility.
Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs.
Twig has already deprecated this behavior, and it will eventually be removed from Twig altogether.
https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096
This has been resolved in Craft 4.17.0 and 5.9.0, which removes the blocklist and disables all non-Clousure arrow functions in Twig globally via the `enableTwigSandbox` config setting. That setting is enabled by default on all new Craft projects. Existing Craft projects will need to enable the config setting to take advantage of it.
Existing projects should update to the patched versions of 5.9.0 and 4.17.0 to mitigate the issue and enable the config setting. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/craftcms/cms/pull/18208 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 1 |
| value |
9.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:33:33Z/ |
|
|
| url |
https://github.com/craftcms/cms/pull/18208 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 2 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 3 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 4 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 5 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 6 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 7 |
| vulnerability |
VCID-p4uy-hbad-k3c2 |
|
| 8 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 9 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 10 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 11 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 12 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 13 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 14 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 15 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 16 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 17 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 18 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 19 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
CVE-2026-28783, GHSA-5fvc-7894-ghp4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ejv9-c3hf-jfax |
|
| 15 |
| url |
VCID-g17s-3ghd-5fhm |
| vulnerability_id |
VCID-g17s-3ghd-5fhm |
| summary |
Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type
A stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `Row Heading` column type. The application fails to sanitize input within row headings, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.23 |
| purl |
pkg:composer/craftcms/cms@5.8.23 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 3 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 4 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 5 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 6 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 7 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 8 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 9 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 10 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 11 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 12 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 13 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 14 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 15 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 16 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 17 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 18 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 19 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 20 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 21 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 22 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 23 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 24 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 25 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 26 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 27 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23 |
|
|
| aliases |
GHSA-6j87-m5qx-9fqp
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g17s-3ghd-5fhm |
|
| 16 |
|
| 17 |
| url |
VCID-j9n2-1u2k-ckc5 |
| vulnerability_id |
VCID-j9n2-1u2k-ckc5 |
| summary |
Craft CMS has potential authenticated Remote Code Execution via Twig SSTI
For this to work, the attacker must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled, which is against Craft CMS' recommendations for any non-dev environment.
https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production
Alternatively, they can have a non-administrator account with `allowAdminChanges` disabled, but they must have access to the System Messages utility.
It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE.
Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.
References:
https://github.com/craftcms/cms/pull/18208 |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/craftcms/cms/pull/18208 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/ |
|
|
| url |
https://github.com/craftcms/cms/pull/18208 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 2 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 3 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 4 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 5 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 6 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 7 |
| vulnerability |
VCID-p4uy-hbad-k3c2 |
|
| 8 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 9 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 10 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 11 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 12 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 13 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 14 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 15 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 16 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 17 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 18 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 19 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
CVE-2026-28784, GHSA-qc86-q28f-ggww
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j9n2-1u2k-ckc5 |
|
| 18 |
| url |
VCID-jy6d-5zfh-7ycp |
| vulnerability_id |
VCID-jy6d-5zfh-7ycp |
| summary |
Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
A Remote Code Execution (RCE) vulnerability exists in Craft CMS where the `assembleLayoutFromPost()` function in `src/services/Fields.php` fails to sanitize user-supplied configuration data before passing it to `Craft::createObject()`. This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an **unpatched variant** of the behavior injection vulnerability addressed in GHSA-255j-qw47-wjh5, affecting different endpoints through a separate code path.
--- |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.22 |
| purl |
pkg:composer/craftcms/cms@5.8.22 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 3 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 4 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 5 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 6 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 7 |
| vulnerability |
VCID-efkn-13cf-97c3 |
|
| 8 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 9 |
| vulnerability |
VCID-g17s-3ghd-5fhm |
|
| 10 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 11 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 12 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 13 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 14 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 15 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 16 |
| vulnerability |
VCID-ntx4-ssgk-jqgh |
|
| 17 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 18 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 19 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 20 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 21 |
| vulnerability |
VCID-s9mh-xu8b-fqgf |
|
| 22 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 23 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 24 |
| vulnerability |
VCID-ukq9-ggdc-byf5 |
|
| 25 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 26 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 27 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 28 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 29 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 30 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 31 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 32 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22 |
|
|
| aliases |
CVE-2026-25498, GHSA-7jx7-3846-m7w7
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jy6d-5zfh-7ycp |
|
| 19 |
|
| 20 |
| url |
VCID-m28c-yq43-a7cq |
| vulnerability_id |
VCID-m28c-yq43-a7cq |
| summary |
Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options
Stored XSS in multiple settings. Names/labels are rendered without sanitization via `checkbox.twig` template which uses `{{ label|raw }}`.
--- |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 2 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 3 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 4 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 5 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 6 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 7 |
| vulnerability |
VCID-p4uy-hbad-k3c2 |
|
| 8 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 9 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 10 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 11 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 12 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 13 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 14 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 15 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 16 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 17 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 18 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 19 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
GHSA-4mgv-366x-qxvx
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m28c-yq43-a7cq |
|
| 21 |
|
| 22 |
| url |
VCID-mytj-88ea-73d9 |
| vulnerability_id |
VCID-mytj-88ea-73d9 |
| summary |
Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the `create()` Twig function combined with a Symfony Process gadget chain.
This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 2 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 3 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 4 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 5 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 6 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 7 |
| vulnerability |
VCID-p4uy-hbad-k3c2 |
|
| 8 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 9 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 10 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 11 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 12 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 13 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 14 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 15 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 16 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 17 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 18 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 19 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
CVE-2026-28695, GHSA-94rc-cqvm-m4pw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mytj-88ea-73d9 |
|
| 23 |
| url |
VCID-ntx4-ssgk-jqgh |
| vulnerability_id |
VCID-ntx4-ssgk-jqgh |
| summary |
Craft CMS has Stored XSS in Table Field via "HTML" Column Type
A stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.23 |
| purl |
pkg:composer/craftcms/cms@5.8.23 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 3 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 4 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 5 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 6 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 7 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 8 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 9 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 10 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 11 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 12 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 13 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 14 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 15 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 16 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 17 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 18 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 19 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 20 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 21 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 22 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 23 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 24 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 25 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 26 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 27 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23 |
|
|
| aliases |
CVE-2026-27126, GHSA-3jh3-prx3-w6wc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ntx4-ssgk-jqgh |
|
| 24 |
| url |
VCID-pggs-g9c8-w7d1 |
| vulnerability_id |
VCID-pggs-g9c8-w7d1 |
| summary |
Unauthenticated Craft CMS users can trigger a database backup
Unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure.Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.Resources:
https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.21 |
| purl |
pkg:composer/craftcms/cms@5.8.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-51qg-ehr3-3qeu |
|
| 3 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 4 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 5 |
| vulnerability |
VCID-76vz-cxx8-z7fc |
|
| 6 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 7 |
| vulnerability |
VCID-7b71-dsva-cfan |
|
| 8 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 9 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 10 |
| vulnerability |
VCID-efkn-13cf-97c3 |
|
| 11 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 12 |
| vulnerability |
VCID-g17s-3ghd-5fhm |
|
| 13 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 14 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 15 |
| vulnerability |
VCID-jy6d-5zfh-7ycp |
|
| 16 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 17 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 18 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 19 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 20 |
| vulnerability |
VCID-ntx4-ssgk-jqgh |
|
| 21 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 22 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 23 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 24 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 25 |
| vulnerability |
VCID-s9mh-xu8b-fqgf |
|
| 26 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 27 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 28 |
| vulnerability |
VCID-u3cv-q3ft-qkhj |
|
| 29 |
| vulnerability |
VCID-ukq9-ggdc-byf5 |
|
| 30 |
| vulnerability |
VCID-uzyt-dujv-nqh6 |
|
| 31 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 32 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 33 |
| vulnerability |
VCID-w35e-5gaq-y3aw |
|
| 34 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 35 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 36 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 37 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 38 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 39 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21 |
|
|
| aliases |
CVE-2025-68456, GHSA-v64r-7wg9-23pr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pggs-g9c8-w7d1 |
|
| 25 |
|
| 26 |
| url |
VCID-rhm7-ju23-yuby |
| vulnerability_id |
VCID-rhm7-ju23-yuby |
| summary |
CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
The `ElementSearchController::actionSearch()` endpoint is missing the `unset()` protection that
was added to ElementIndexesController in [GHSA-2453-mppf-46cj](https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj).
The exact same SQL injection vulnerability (including `criteria[orderBy]`, the original advisory vector) works on this controller because the fix was never applied to it.
Any authenticated control panel user (no admin required) can inject arbitrary SQL via `criteria[where]`,
`criteria[orderBy]`, or other query properties, and extract the full database contents via boolean-based blind injection.
Users should update to the patched 5.9.9 release to mitigate the issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.9.9 |
| purl |
pkg:composer/craftcms/cms@5.9.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 2 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 3 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 4 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 5 |
| vulnerability |
VCID-p4uy-hbad-k3c2 |
|
| 6 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 7 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 8 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 9 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 10 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 11 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 12 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 13 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 14 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.9 |
|
|
| aliases |
CVE-2026-31858, GHSA-g7j6-fmwx-7vp8
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rhm7-ju23-yuby |
|
| 27 |
|
| 28 |
|
| 29 |
| url |
VCID-s9mh-xu8b-fqgf |
| vulnerability_id |
VCID-s9mh-xu8b-fqgf |
| summary |
Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
The SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution **separately** from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request.
This is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)) that allows access to all blocked IPs, not just IPv6 endpoints. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.23 |
| purl |
pkg:composer/craftcms/cms@5.8.23 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 3 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 4 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 5 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 6 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 7 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 8 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 9 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 10 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 11 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 12 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 13 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 14 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 15 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 16 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 17 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 18 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 19 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 20 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 21 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 22 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 23 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 24 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 25 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 26 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 27 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23 |
|
|
| aliases |
CVE-2026-27127, GHSA-gp2f-7wcm-5fhx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s9mh-xu8b-fqgf |
|
| 30 |
|
| 31 |
| url |
VCID-t5h6-xvev-f3g7 |
| vulnerability_id |
VCID-t5h6-xvev-f3g7 |
| summary |
Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
The Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume.
Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.References:
https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.21 |
| purl |
pkg:composer/craftcms/cms@5.8.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-51qg-ehr3-3qeu |
|
| 3 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 4 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 5 |
| vulnerability |
VCID-76vz-cxx8-z7fc |
|
| 6 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 7 |
| vulnerability |
VCID-7b71-dsva-cfan |
|
| 8 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 9 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 10 |
| vulnerability |
VCID-efkn-13cf-97c3 |
|
| 11 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 12 |
| vulnerability |
VCID-g17s-3ghd-5fhm |
|
| 13 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 14 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 15 |
| vulnerability |
VCID-jy6d-5zfh-7ycp |
|
| 16 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 17 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 18 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 19 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 20 |
| vulnerability |
VCID-ntx4-ssgk-jqgh |
|
| 21 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 22 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 23 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 24 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 25 |
| vulnerability |
VCID-s9mh-xu8b-fqgf |
|
| 26 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 27 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 28 |
| vulnerability |
VCID-u3cv-q3ft-qkhj |
|
| 29 |
| vulnerability |
VCID-ukq9-ggdc-byf5 |
|
| 30 |
| vulnerability |
VCID-uzyt-dujv-nqh6 |
|
| 31 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 32 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 33 |
| vulnerability |
VCID-w35e-5gaq-y3aw |
|
| 34 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 35 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 36 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 37 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 38 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 39 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21 |
|
|
| aliases |
CVE-2025-68437, GHSA-x27p-wfqw-hfcc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t5h6-xvev-f3g7 |
|
| 32 |
|
| 33 |
| url |
VCID-u3cv-q3ft-qkhj |
| vulnerability_id |
VCID-u3cv-q3ft-qkhj |
| summary |
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect
The `saveAsset` GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses.
--- |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/craftcms/cms |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/craftcms/cms |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/craftcms/cms/releases/tag/5.8.22 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/ |
|
|
| url |
https://github.com/craftcms/cms/releases/tag/5.8.22 |
|
| 5 |
|
| 6 |
|
| 7 |
| reference_url |
https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx |
| reference_id |
GHSA-8jr8-7hr4-vhfx |
| reference_type |
|
| scores |
| 0 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/ |
|
|
| url |
https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.22 |
| purl |
pkg:composer/craftcms/cms@5.8.22 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 3 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 4 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 5 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 6 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 7 |
| vulnerability |
VCID-efkn-13cf-97c3 |
|
| 8 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 9 |
| vulnerability |
VCID-g17s-3ghd-5fhm |
|
| 10 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 11 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 12 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 13 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 14 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 15 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 16 |
| vulnerability |
VCID-ntx4-ssgk-jqgh |
|
| 17 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 18 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 19 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 20 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 21 |
| vulnerability |
VCID-s9mh-xu8b-fqgf |
|
| 22 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 23 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 24 |
| vulnerability |
VCID-ukq9-ggdc-byf5 |
|
| 25 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 26 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 27 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 28 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 29 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 30 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 31 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 32 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22 |
|
|
| aliases |
CVE-2026-25493, GHSA-8jr8-7hr4-vhfx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u3cv-q3ft-qkhj |
|
| 34 |
| url |
VCID-ukq9-ggdc-byf5 |
| vulnerability_id |
VCID-ukq9-ggdc-byf5 |
| summary |
Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
A Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes.
To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place.
For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.23 |
| purl |
pkg:composer/craftcms/cms@5.8.23 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 3 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 4 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 5 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 6 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 7 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 8 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 9 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 10 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 11 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 12 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 13 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 14 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 15 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 16 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 17 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 18 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 19 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 20 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 21 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 22 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 23 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 24 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 25 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 26 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 27 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23 |
|
|
| aliases |
CVE-2026-27128, GHSA-6fx5-5cw5-4897
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ukq9-ggdc-byf5 |
|
| 35 |
| url |
VCID-uzyt-dujv-nqh6 |
| vulnerability_id |
VCID-uzyt-dujv-nqh6 |
| summary |
Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`
The `element-indexes/get-elements` endpoint is vulnerable to **SQL Injection** via the `criteria[orderBy]` parameter (JSON body). The application fails to sanitize this input before using it in the database query.
An attacker with **Control Panel access** can inject arbitrary SQL into the `ORDER BY` clause by omitting `viewState[order]` (or setting both to the same payload).
> [!NOTE]
> The `ORDER BY` clause executes per row. `SLEEP(1)` on 10 rows = 10s delay.
--- |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.22 |
| purl |
pkg:composer/craftcms/cms@5.8.22 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 3 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 4 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 5 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 6 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 7 |
| vulnerability |
VCID-efkn-13cf-97c3 |
|
| 8 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 9 |
| vulnerability |
VCID-g17s-3ghd-5fhm |
|
| 10 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 11 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 12 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 13 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 14 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 15 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 16 |
| vulnerability |
VCID-ntx4-ssgk-jqgh |
|
| 17 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 18 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 19 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 20 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 21 |
| vulnerability |
VCID-s9mh-xu8b-fqgf |
|
| 22 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 23 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 24 |
| vulnerability |
VCID-ukq9-ggdc-byf5 |
|
| 25 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 26 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 27 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 28 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 29 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 30 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 31 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 32 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22 |
|
|
| aliases |
CVE-2026-25495, GHSA-2453-mppf-46cj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uzyt-dujv-nqh6 |
|
| 36 |
| url |
VCID-vg28-8erb-27ae |
| vulnerability_id |
VCID-vg28-8erb-27ae |
| summary |
Craft CMS: Entries Authorship Spoofing via Mass Assignment
The entry creation process allows for **Mass Assignment** of the `authorId` attribute. A user with "Create Entries" permission can inject the `authorIds[]` (or `authorId`) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others.
Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 2 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 3 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 4 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 5 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 6 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 7 |
| vulnerability |
VCID-p4uy-hbad-k3c2 |
|
| 8 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 9 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 10 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 11 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 12 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 13 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 14 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 15 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 16 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 17 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 18 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 19 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
CVE-2026-28781, GHSA-2xfc-g69j-x2mp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vg28-8erb-27ae |
|
| 37 |
| url |
VCID-vknb-zmk9-z3cc |
| vulnerability_id |
VCID-vknb-zmk9-z3cc |
| summary |
CraftCMS has an RCE vulnerability via relational conditionals in the control panel
A Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system.
The `BaseElementSelectConditionRule::getElementIds()` method passes user-controlled string input
through `renderObjectTemplate()` -- an unsandboxed Twig rendering function with escaping disabled.
Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full
RCE by sending a crafted condition rule via standard element listing endpoints.
This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and
bypasses all production hardening settings (allowAdminChanges: false, devMode: false,
enableTwigSandbox: true).
Users should update to the patched 5.99 release to mitigate the issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.9.9 |
| purl |
pkg:composer/craftcms/cms@5.9.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 2 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 3 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 4 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 5 |
| vulnerability |
VCID-p4uy-hbad-k3c2 |
|
| 6 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 7 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 8 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 9 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 10 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 11 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 12 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 13 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 14 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.9 |
|
|
| aliases |
CVE-2026-31857, GHSA-fp5j-j7j4-mcxc
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vknb-zmk9-z3cc |
|
| 38 |
| url |
VCID-w35e-5gaq-y3aw |
| vulnerability_id |
VCID-w35e-5gaq-y3aw |
| summary |
Craft CMS Vulnerable to Stored XSS in Entry Types Name
Stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list.
--- |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/craftcms/cms |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
1.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/craftcms/cms |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/craftcms/cms/releases/tag/5.8.22 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
1.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 1 |
| value |
1.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:22Z/ |
|
|
| url |
https://github.com/craftcms/cms/releases/tag/5.8.22 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr |
| reference_id |
GHSA-7pr4-wx9w-mqwr |
| reference_type |
|
| scores |
| 0 |
| value |
LOW |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 1 |
| value |
1.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
1.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 3 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:22Z/ |
|
|
| url |
https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.8.22 |
| purl |
pkg:composer/craftcms/cms@5.8.22 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-4zfr-4pgf-zke4 |
|
| 2 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 3 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 4 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 5 |
| vulnerability |
VCID-ccwe-z8nr-3qhq |
|
| 6 |
| vulnerability |
VCID-ch5h-xzgt-6kgs |
|
| 7 |
| vulnerability |
VCID-efkn-13cf-97c3 |
|
| 8 |
| vulnerability |
VCID-ejv9-c3hf-jfax |
|
| 9 |
| vulnerability |
VCID-g17s-3ghd-5fhm |
|
| 10 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 11 |
| vulnerability |
VCID-j9n2-1u2k-ckc5 |
|
| 12 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 13 |
| vulnerability |
VCID-m28c-yq43-a7cq |
|
| 14 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 15 |
| vulnerability |
VCID-mytj-88ea-73d9 |
|
| 16 |
| vulnerability |
VCID-ntx4-ssgk-jqgh |
|
| 17 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 18 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 19 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 20 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 21 |
| vulnerability |
VCID-s9mh-xu8b-fqgf |
|
| 22 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 23 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 24 |
| vulnerability |
VCID-ukq9-ggdc-byf5 |
|
| 25 |
| vulnerability |
VCID-vg28-8erb-27ae |
|
| 26 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 27 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 28 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 29 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 30 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 31 |
| vulnerability |
VCID-zh94-u2by-xkg5 |
|
| 32 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22 |
|
|
| aliases |
CVE-2026-25491, GHSA-7pr4-wx9w-mqwr
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w35e-5gaq-y3aw |
|
| 39 |
| url |
VCID-whnf-tybt-qqbf |
| vulnerability_id |
VCID-whnf-tybt-qqbf |
| summary |
Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
### Summary
An authenticated low-privileged user can call `assets/preview-file` for an asset they are not authorized to view and still receive preview response data (`previewHtml`) for that private asset.
The returned preview HTML included a private preview image route containing the target private `assetId`, even though `canView` was `false` for the attacker account.
### Details
1. `assets/preview-file` accepts a maliciously controlled `assetId` and renders preview output.
2. The action does not enforce per-asset view authorization prior to returning preview content.
3. As a result, an authenticated user without asset-view permission can still obtain private preview output.
This affects Craft installations with authenticated users of mixed privilege levels with private assets.
### Resources
- d30df3112220db1ffd6726a3ed11857014c7fb27
- b1cddf72c98a |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-44px-qjjc-xrhq
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-whnf-tybt-qqbf |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
| url |
VCID-zh94-u2by-xkg5 |
| vulnerability_id |
VCID-zh94-u2by-xkg5 |
| summary |
Craft CMS has IDOR via GraphQL @parseRefs
The GraphQL directive `@parseRefs`, intended to parse internal reference tags (e.g., `{user:1:email}`), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in `Elements::parseRefs` fails to perform authorization checks, allowing attackers to read data they are not authorized to view. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 2 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 3 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 4 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 5 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 6 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 7 |
| vulnerability |
VCID-p4uy-hbad-k3c2 |
|
| 8 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 9 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 10 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 11 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 12 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 13 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 14 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 15 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 16 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 17 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 18 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
| 19 |
| vulnerability |
VCID-zybg-fqev-eber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1 |
|
|
| aliases |
CVE-2026-28696, GHSA-7x43-mpfg-r9wj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zh94-u2by-xkg5 |
|
| 44 |
| url |
VCID-zybg-fqev-eber |
| vulnerability_id |
VCID-zybg-fqev-eber |
| summary |
Craft CMS has unauthenticated activation email trigger with potential user enumeration
The `actionSendActivationEmail()` endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system.
The vulnerability is not that anonymous access exists - there’s a legitimate use case for it. The vulnerability is that the endpoint accepts arbitrary `userId` parameters without verifying ownership.
Craft CMS allows public user registration. When a user registers but doesn’t receive their activation email (spam filter, typo correction, etc.), they need a way to request a resend. This is why `send-activation-email` is in the `allowAnonymous` array - it’s intentional self-service functionality. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/craftcms/cms@5.9.0-beta.2 |
| purl |
pkg:composer/craftcms/cms@5.9.0-beta.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3u81-kkt8-j7e7 |
|
| 1 |
| vulnerability |
VCID-64xk-a8pc-bkey |
|
| 2 |
| vulnerability |
VCID-68jz-k8d5-u7dk |
|
| 3 |
| vulnerability |
VCID-785m-94zq-mqe8 |
|
| 4 |
| vulnerability |
VCID-gxan-r3pw-7uhw |
|
| 5 |
| vulnerability |
VCID-kf34-utdc-cbay |
|
| 6 |
| vulnerability |
VCID-mfvj-g7bk-h3hw |
|
| 7 |
| vulnerability |
VCID-p4uy-hbad-k3c2 |
|
| 8 |
| vulnerability |
VCID-q1jg-5qq3-zkbv |
|
| 9 |
| vulnerability |
VCID-rhm7-ju23-yuby |
|
| 10 |
| vulnerability |
VCID-rnze-pnhe-abh4 |
|
| 11 |
| vulnerability |
VCID-rrce-ncgp-qbcg |
|
| 12 |
| vulnerability |
VCID-t4zv-mpqc-9fbx |
|
| 13 |
| vulnerability |
VCID-ttgr-49ur-z7aa |
|
| 14 |
| vulnerability |
VCID-vknb-zmk9-z3cc |
|
| 15 |
| vulnerability |
VCID-whnf-tybt-qqbf |
|
| 16 |
| vulnerability |
VCID-xpq3-v9ts-x7es |
|
| 17 |
| vulnerability |
VCID-xysn-pqxv-hyds |
|
| 18 |
| vulnerability |
VCID-zebb-ngev-a7de |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.2 |
|
|
| aliases |
CVE-2026-29069, GHSA-234q-vvw3-mrfq
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zybg-fqev-eber |
|