Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/795752?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/795752?format=api", "purl": "pkg:composer/craftcms/cms@5.6.9", "type": "composer", "namespace": "craftcms", "name": "cms", "version": "5.6.9", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.9.18", "latest_non_vulnerable_version": "5.9.18", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74057?format=api", "vulnerability_id": "VCID-12yx-3kck-s7dp", "summary": "Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. This vulnerability is fixed in 5.9.0-beta.2 and 4.17.0-beta.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29069", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.18029", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.18045", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17869", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29069" }, { "reference_url": "https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8", "reference_id": "c3d02d4a7246f516933f42106c0a67ce062f68d8", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:30:03Z/" } ], "url": "https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29069", "reference_id": "CVE-2026-29069", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29069" }, { "reference_url": "https://github.com/advisories/GHSA-234q-vvw3-mrfq", "reference_id": "GHSA-234q-vvw3-mrfq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-234q-vvw3-mrfq" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq", "reference_id": "GHSA-234q-vvw3-mrfq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:30:03Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40200?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.2" } ], "aliases": [ "CVE-2026-29069", "GHSA-234q-vvw3-mrfq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-12yx-3kck-s7dp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69186?format=api", "vulnerability_id": "VCID-16h7-f3pe-8qh8", "summary": "Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28697", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00208", "scoring_system": "epss", "scoring_elements": "0.43472", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00208", "scoring_system": "epss", "scoring_elements": "0.43296", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00208", "scoring_system": "epss", "scoring_elements": "0.43452", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28697" }, { "reference_url": "https://github.com/craftcms/cms/pull/18216", "reference_id": "18216", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/" } ], "url": "https://github.com/craftcms/cms/pull/18216" }, { "reference_url": "https://github.com/craftcms/cms/pull/18219", "reference_id": "18219", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/" } ], "url": "https://github.com/craftcms/cms/pull/18219" }, { "reference_url": "https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197", "reference_id": "9dc2a4a3ec8e9cd5e8c0d1129f36371437519197", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/" } ], "url": "https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28697", "reference_id": "CVE-2026-28697", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28697" }, { "reference_url": "https://github.com/advisories/GHSA-v47q-jxvr-p68x", "reference_id": "GHSA-v47q-jxvr-p68x", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v47q-jxvr-p68x" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x", "reference_id": "GHSA-v47q-jxvr-p68x", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28697", "GHSA-v47q-jxvr-p68x" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-16h7-f3pe-8qh8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80076?format=api", "vulnerability_id": "VCID-1c7e-bv58-33ax", "summary": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27128", "reference_id": "", "reference_type": "", "scores": [ { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00625", "published_at": "2026-06-13T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00624", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27128" }, { "reference_url": "https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf", "reference_id": "3e4afe18279951c024c64896aa2b93cda6d95fdf", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:13:24Z/" } ], "url": "https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27128", "reference_id": "CVE-2026-27128", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27128" }, { "reference_url": "https://github.com/advisories/GHSA-6fx5-5cw5-4897", "reference_id": "GHSA-6fx5-5cw5-4897", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6fx5-5cw5-4897" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897", "reference_id": "GHSA-6fx5-5cw5-4897", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:13:24Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39526?format=api", "purl": "pkg:composer/craftcms/cms@5.8.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23" } ], "aliases": [ "CVE-2026-27128", "GHSA-6fx5-5cw5-4897" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1c7e-bv58-33ax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77659?format=api", "vulnerability_id": "VCID-25ym-rhky-wbaq", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33161", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13156", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13161", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13059", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33161" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33161", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33161" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "4.17.8", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27", "reference_id": "d30df3112220db1ffd6726a3ed11857014c7fb27", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27" }, { "reference_url": "https://github.com/advisories/GHSA-vgjg-248p-rfm2", "reference_id": "GHSA-vgjg-248p-rfm2", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vgjg-248p-rfm2" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2", "reference_id": "GHSA-vgjg-248p-rfm2", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33161", "GHSA-vgjg-248p-rfm2" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-25ym-rhky-wbaq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/79824?format=api", "vulnerability_id": "VCID-543c-646v-4yfj", "summary": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27129", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01549", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01546", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01543", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27129" }, { "reference_url": "https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3", "reference_id": "2825388b4f32fb1c9bd709027a1a1fd192d709a3", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/" } ], "url": "https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27129", "reference_id": "CVE-2026-27129", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27129" }, { "reference_url": "https://github.com/advisories/GHSA-v2gc-rm6g-wrw9", "reference_id": "GHSA-v2gc-rm6g-wrw9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v2gc-rm6g-wrw9" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9", "reference_id": "GHSA-v2gc-rm6g-wrw9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc", "reference_id": "GHSA-x27p-wfqw-hfcc", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39526?format=api", "purl": "pkg:composer/craftcms/cms@5.8.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23" } ], "aliases": [ "CVE-2026-27129", "GHSA-v2gc-rm6g-wrw9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-543c-646v-4yfj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360185?format=api", "vulnerability_id": "VCID-5qkr-aqmx-8qau", "summary": "Craft CMS: Authorized asset \"preview file\" requests bypass allows users without asset access to retrieve private preview metadata\n### Summary\n\nAn authenticated low-privileged user can call `assets/preview-file` for an asset they are not authorized to view and still receive preview response data (`previewHtml`) for that private asset.\n\nThe returned preview HTML included a private preview image route containing the target private `assetId`, even though `canView` was `false` for the attacker account.\n\n### Details\n\n1. `assets/preview-file` accepts a maliciously controlled `assetId` and renders preview output.\n2. The action does not enforce per-asset view authorization prior to returning preview content.\n 3. As a result, an authenticated user without asset-view permission can still obtain private preview output.\n\nThis affects Craft installations with authenticated users of mixed privilege levels with private assets.\n\n### Resources\n\n- d30df3112220db1ffd6726a3ed11857014c7fb27\n- b1cddf72c98a", "references": [ { "reference_url": "https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq" }, { "reference_url": "https://github.com/advisories/GHSA-44px-qjjc-xrhq", "reference_id": "GHSA-44px-qjjc-xrhq", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-44px-qjjc-xrhq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "GHSA-44px-qjjc-xrhq" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5qkr-aqmx-8qau" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/76900?format=api", "vulnerability_id": "VCID-5r6n-351z-2ybh", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32264", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15346", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15489", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15481", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32264" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32264", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32264" }, { "reference_url": "https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70", "reference_id": "78d181e12e0b15e1300f54ec85f19859d3300f70", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70" }, { "reference_url": "https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620", "reference_id": "dfec46362fcb40b330ce8a4d8136446e65085620", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620" }, { "reference_url": "https://github.com/advisories/GHSA-4484-8v2f-5748", "reference_id": "GHSA-4484-8v2f-5748", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4484-8v2f-5748" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748", "reference_id": "GHSA-4484-8v2f-5748", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7", "reference_id": "GHSA-7jx7-3846-m7w7", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374751?format=api", "purl": "pkg:composer/craftcms/cms@5.9.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11" } ], "aliases": [ "CVE-2026-32264", "GHSA-4484-8v2f-5748" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5r6n-351z-2ybh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77048?format=api", "vulnerability_id": "VCID-6bwp-2ksu-xucy", "summary": "Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via \"as\" or \"on\" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32263", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.1531", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.1545", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15443", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32263" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32263", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32263" }, { "reference_url": "https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7", "reference_id": "d37389dbffafa565143be40a2ab1e1db22a863f7", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:21:06Z/" } ], "url": "https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7", "reference_id": "GHSA-7jx7-3846-m7w7", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:21:06Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7" }, { "reference_url": "https://github.com/advisories/GHSA-qx2q-q59v-wf3j", "reference_id": "GHSA-qx2q-q59v-wf3j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qx2q-q59v-wf3j" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j", "reference_id": "GHSA-qx2q-q59v-wf3j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:21:06Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374751?format=api", "purl": "pkg:composer/craftcms/cms@5.9.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11" } ], "aliases": [ "CVE-2026-32263", "GHSA-qx2q-q59v-wf3j" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6bwp-2ksu-xucy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66241?format=api", "vulnerability_id": "VCID-726q-jfsa-9qdz", "summary": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25495", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04561", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04577", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04576", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25495" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.18" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "5.8.22", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2", "reference_id": "96c60d775c644ff0a0276da52fe29e11d4cd38d2", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/" } ], "url": "https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25495", "reference_id": "CVE-2026-25495", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25495" }, { "reference_url": "https://github.com/advisories/GHSA-2453-mppf-46cj", "reference_id": "GHSA-2453-mppf-46cj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2453-mppf-46cj" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj", "reference_id": "GHSA-2453-mppf-46cj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38960?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25495", "GHSA-2453-mppf-46cj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-726q-jfsa-9qdz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69319?format=api", "vulnerability_id": "VCID-76k8-sveq-3qbf", "summary": "Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with \"Create Entries\" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively \"spoofs\" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28781", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16275", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16266", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16124", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28781" }, { "reference_url": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8", "reference_id": "830b403870cd784b47ae42a3f5a16e7ac2d7f5a8", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/" } ], "url": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8" }, { "reference_url": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542", "reference_id": "c6dcbdffaf6ab3ffe77d317336684d83699f4542", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/" } ], "url": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28781", "reference_id": "CVE-2026-28781", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28781" }, { "reference_url": "https://github.com/advisories/GHSA-2xfc-g69j-x2mp", "reference_id": "GHSA-2xfc-g69j-x2mp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2xfc-g69j-x2mp" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp", "reference_id": "GHSA-2xfc-g69j-x2mp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28781", "GHSA-2xfc-g69j-x2mp" ], "risk_score": 3.2, "exploitability": "0.5", "weighted_severity": "6.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-76k8-sveq-3qbf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212635?format=api", "vulnerability_id": "VCID-7mph-yq7h-5yb8", "summary": "Craft CMS has Stored XSS in Table Field in its \"Row Heading\" Column Type", "references": [ { "reference_url": "https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.19", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.19" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.23", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.23" }, { "reference_url": "https://github.com/advisories/GHSA-6j87-m5qx-9fqp", "reference_id": "GHSA-6j87-m5qx-9fqp", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6j87-m5qx-9fqp" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp", "reference_id": "GHSA-6j87-m5qx-9fqp", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39526?format=api", "purl": "pkg:composer/craftcms/cms@5.8.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23" } ], "aliases": [ "GHSA-6j87-m5qx-9fqp" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7mph-yq7h-5yb8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93304?format=api", "vulnerability_id": "VCID-8kdh-rvh3-4yfv", "summary": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68456", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00214", "scoring_system": "epss", "scoring_elements": "0.44006", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00214", "scoring_system": "epss", "scoring_elements": "0.44177", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00214", "scoring_system": "epss", "scoring_elements": "0.44159", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68456" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "reference_id": "CHANGELOG.md#5821---2025-12-04", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/" } ], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68456", "reference_id": "CVE-2025-68456", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68456" }, { "reference_url": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39", "reference_id": "f83d4e0c6b906743206b4747db4abf8164b8da39", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/" } ], "url": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39" }, { "reference_url": "https://github.com/advisories/GHSA-v64r-7wg9-23pr", "reference_id": "GHSA-v64r-7wg9-23pr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v64r-7wg9-23pr" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr", "reference_id": "GHSA-v64r-7wg9-23pr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36516?format=api", "purl": "pkg:composer/craftcms/cms@5.8.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21" } ], "aliases": [ "CVE-2025-68456", "GHSA-v64r-7wg9-23pr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8kdh-rvh3-4yfv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93248?format=api", "vulnerability_id": "VCID-8m8v-ymqs-fkh9", "summary": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68437", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03989", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03994", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.04005", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68437" }, { "reference_url": "https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52", "reference_id": "013db636fdb38f3ce5657fd196b6d952f98ebc52", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/" } ], "url": "https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "reference_id": "CHANGELOG.md#5821---2025-12-04", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/" } ], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68437", "reference_id": "CVE-2025-68437", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68437" }, { "reference_url": "https://github.com/advisories/GHSA-x27p-wfqw-hfcc", "reference_id": "GHSA-x27p-wfqw-hfcc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x27p-wfqw-hfcc" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc", "reference_id": "GHSA-x27p-wfqw-hfcc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36516?format=api", "purl": "pkg:composer/craftcms/cms@5.8.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21" } ], "aliases": [ "CVE-2025-68437", "GHSA-x27p-wfqw-hfcc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8m8v-ymqs-fkh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71374?format=api", "vulnerability_id": "VCID-8rkv-wfha-n7hb", "summary": "Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). Users should update to the patched 5.9.9 or 4.17.4 release to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31857", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33724", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33702", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33522", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31857" }, { "reference_url": "https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80", "reference_id": "8d4903647dcfd31b8d40ed027e27082013347a80", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:02:18Z/" } ], "url": "https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31857", "reference_id": "CVE-2026-31857", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31857" }, { "reference_url": "https://github.com/advisories/GHSA-fp5j-j7j4-mcxc", "reference_id": "GHSA-fp5j-j7j4-mcxc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fp5j-j7j4-mcxc" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc", "reference_id": "GHSA-fp5j-j7j4-mcxc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:02:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40681?format=api", "purl": "pkg:composer/craftcms/cms@5.9.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.9" } ], "aliases": [ "CVE-2026-31857", "GHSA-fp5j-j7j4-mcxc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8rkv-wfha-n7hb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65868?format=api", "vulnerability_id": "VCID-b25s-j3du-sfg5", "summary": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25496", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08265", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08303", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08305", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25496" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.18" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "5.8.22", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513", "reference_id": "cb5fb0e979e72f315c9178fc031883d49527f513", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/" } ], "url": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25496", "reference_id": "CVE-2026-25496", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25496" }, { "reference_url": "https://github.com/advisories/GHSA-9f5h-mmq6-2x78", "reference_id": "GHSA-9f5h-mmq6-2x78", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9f5h-mmq6-2x78" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78", "reference_id": "GHSA-9f5h-mmq6-2x78", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38960?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25496", "GHSA-9f5h-mmq6-2x78" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b25s-j3du-sfg5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74141?format=api", "vulnerability_id": "VCID-bn85-sts4-5ygq", "summary": "Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29113", "reference_id": "", "reference_type": "", "scores": [ { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.0069", "published_at": "2026-06-13T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00691", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29113" }, { "reference_url": "https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc", "reference_id": "6a88468dc35a27cccc8fef254f415a447d4a07cc", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:05:03Z/" } ], "url": "https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29113", "reference_id": "CVE-2026-29113", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29113" }, { "reference_url": "https://github.com/advisories/GHSA-vg3j-hpm9-8v5v", "reference_id": "GHSA-vg3j-hpm9-8v5v", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vg3j-hpm9-8v5v" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v", "reference_id": "GHSA-vg3j-hpm9-8v5v", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:05:03Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40451?format=api", "purl": "pkg:composer/craftcms/cms@5.9.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.7" } ], "aliases": [ "CVE-2026-29113", "GHSA-vg3j-hpm9-8v5v" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bn85-sts4-5ygq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/79811?format=api", "vulnerability_id": "VCID-bsh8-7q16-t7e4", "summary": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. In order to exploit the vulnerability, an attacker must have an administrator account, and `allowAdminChanges` must be enabled in production, which is against Craft's security recommendations. Versions 4.16.19 and 5.8.23 patch the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27126", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01772", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01769", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01764", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27126" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27126", "reference_id": "CVE-2026-27126", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27126" }, { "reference_url": "https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b", "reference_id": "f5d488d9bb6eff7670ed2c2fe30e15692e92c52b", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:33:58Z/" } ], "url": "https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b" }, { "reference_url": "https://github.com/advisories/GHSA-3jh3-prx3-w6wc", "reference_id": "GHSA-3jh3-prx3-w6wc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3jh3-prx3-w6wc" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc", "reference_id": "GHSA-3jh3-prx3-w6wc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:33:58Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39526?format=api", "purl": "pkg:composer/craftcms/cms@5.8.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23" } ], "aliases": [ "CVE-2026-27126", "GHSA-3jh3-prx3-w6wc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bsh8-7q16-t7e4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/358928?format=api", "vulnerability_id": "VCID-c38g-6ttm-yuep", "summary": "", "references": [ { "reference_url": "http://github.com/craftcms/cms/pull/17026", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://github.com/craftcms/cms/pull/17026" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46731", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00231", "scoring_system": "epss", "scoring_elements": "0.46162", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00909", "scoring_system": "epss", "scoring_elements": "0.76267", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00909", "scoring_system": "epss", "scoring_elements": "0.76337", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46731" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46731", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46731" }, { "reference_url": "https://github.com/advisories/GHSA-7c58-g782-9j38", "reference_id": "GHSA-7c58-g782-9j38", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7c58-g782-9j38" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv", "reference_id": "GHSA-f3cw-hg6r-chfv", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378959?format=api", "purl": "pkg:composer/craftcms/cms@5.6.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-czuy-m8wp-fka2" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-f67g-n9d6-pkb5" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.15" } ], "aliases": [ "CVE-2025-46731", "GHSA-7c58-g782-9j38" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c38g-6ttm-yuep" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/114672?format=api", "vulnerability_id": "VCID-czuy-m8wp-fka2", "summary": "Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32432", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.93094", "scoring_system": "epss", "scoring_elements": "0.99799", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32432" }, { "reference_url": "https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32432", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32432" }, { "reference_url": "https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432" }, { "reference_url": "https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical", "reference_id": "CHANGELOG.md#3915---2025-04-10-critical", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical" }, { "reference_url": "https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical", "reference_id": "CHANGELOG.md#41415---2025-04-10-critical", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical", "reference_id": "CHANGELOG.md#5617---2025-04-10-critical", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py", "reference_id": "CVE-2025-32432", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py" }, { "reference_url": "https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47", "reference_id": "e1c85441fa47eeb7c688c2053f25419bc0547b47", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47" }, { "reference_url": "https://github.com/advisories/GHSA-f3gw-9ww9-jmc3", "reference_id": "GHSA-f3gw-9ww9-jmc3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f3gw-9ww9-jmc3" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3", "reference_id": "GHSA-f3gw-9ww9-jmc3", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376457?format=api", "purl": "pkg:composer/craftcms/cms@5.6.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-f67g-n9d6-pkb5" }, { "vulnerability": "VCID-fs3m-av1v-fuf1" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.17" } ], "aliases": [ "CVE-2025-32432", "GHSA-f3gw-9ww9-jmc3" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-czuy-m8wp-fka2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77152?format=api", "vulnerability_id": "VCID-e3k3-fp6t-kycw", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32267", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14803", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14804", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14683", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32267" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32267", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32267" }, { "reference_url": "https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33", "reference_id": "6301e217c5f15617d939c432cb770db50af14b33", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/" } ], "url": "https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33" }, { "reference_url": "https://github.com/advisories/GHSA-cc7p-2j3x-x7xf", "reference_id": "GHSA-cc7p-2j3x-x7xf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cc7p-2j3x-x7xf" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf", "reference_id": "GHSA-cc7p-2j3x-x7xf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374516?format=api", "purl": "pkg:composer/craftcms/cms@5.9.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.12" } ], "aliases": [ "CVE-2026-32267", "GHSA-cc7p-2j3x-x7xf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e3k3-fp6t-kycw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212713?format=api", "vulnerability_id": "VCID-e9qn-ar3q-g3e4", "summary": "Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options", "references": [ { "reference_url": "https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2" }, { "reference_url": "https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276" }, { "reference_url": "https://github.com/advisories/GHSA-4mgv-366x-qxvx", "reference_id": "GHSA-4mgv-366x-qxvx", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4mgv-366x-qxvx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx", "reference_id": "GHSA-4mgv-366x-qxvx", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "GHSA-4mgv-366x-qxvx" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e9qn-ar3q-g3e4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/87581?format=api", "vulnerability_id": "VCID-f67g-n9d6-pkb5", "summary": "Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: \"Craft CMS has a potential RCE with a compromised security key\". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft's /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54417", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00219", "scoring_system": "epss", "scoring_elements": "0.4456", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00219", "scoring_system": "epss", "scoring_elements": "0.44728", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00219", "scoring_system": "epss", "scoring_elements": "0.44712", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54417" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23209", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23209" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54417", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54417" }, { "reference_url": "https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57", "reference_id": "a19d46be78a9ca1ea474012a10e97bed0d787f57", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-11T13:38:12Z/" } ], "url": "https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57" }, { "reference_url": "https://github.com/advisories/GHSA-2vcf-qxv3-2mgw", "reference_id": "GHSA-2vcf-qxv3-2mgw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2vcf-qxv3-2mgw" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-2vcf-qxv3-2mgw", "reference_id": "GHSA-2vcf-qxv3-2mgw", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-11T13:38:12Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2vcf-qxv3-2mgw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377700?format=api", "purl": "pkg:composer/craftcms/cms@5.8.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.4" } ], "aliases": [ "CVE-2025-54417", "GHSA-2vcf-qxv3-2mgw" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f67g-n9d6-pkb5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/105090?format=api", "vulnerability_id": "VCID-fs3m-av1v-fuf1", "summary": "Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-35939", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.39398", "scoring_system": "epss", "scoring_elements": "0.974", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.39398", "scoring_system": "epss", "scoring_elements": "0.9739", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.39398", "scoring_system": "epss", "scoring_elements": "0.97398", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-35939" }, { "reference_url": "https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35939", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35939" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939" }, { "reference_url": "https://github.com/craftcms/cms/pull/17220", "reference_id": "17220", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" } ], "url": "https://github.com/craftcms/cms/pull/17220" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.15.3", "reference_id": "4.15.3", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.15.3" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.7.5", "reference_id": "5.7.5", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.7.5" }, { "reference_url": "https://www.cve.org/CVERecord?id=CVE-2025-35939", "reference_id": "CVERecord?id=CVE-2025-35939", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" } ], "url": "https://www.cve.org/CVERecord?id=CVE-2025-35939" }, { "reference_url": "https://github.com/advisories/GHSA-7vrx-9684-xrf2", "reference_id": "GHSA-7vrx-9684-xrf2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7vrx-9684-xrf2" }, { "reference_url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json", "reference_id": "va-25-147-01.json", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" } ], "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40676?format=api", "purl": "pkg:composer/craftcms/cms@5.7.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-f67g-n9d6-pkb5" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tfc8-rkdd-53f7" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.7.5" } ], "aliases": [ "CVE-2025-35939", "GHSA-7vrx-9684-xrf2" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fs3m-av1v-fuf1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69357?format=api", "vulnerability_id": "VCID-g637-7ns6-kyhj", "summary": "Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28783", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11214", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11156", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11222", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28783" }, { "reference_url": "https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096" }, { "reference_url": "https://github.com/craftcms/cms/pull/18208", "reference_id": "18208", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:33:33Z/" } ], "url": "https://github.com/craftcms/cms/pull/18208" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28783", "reference_id": "CVE-2026-28783", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28783" }, { "reference_url": "https://github.com/advisories/GHSA-5fvc-7894-ghp4", "reference_id": "GHSA-5fvc-7894-ghp4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5fvc-7894-ghp4" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4", "reference_id": "GHSA-5fvc-7894-ghp4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:33:33Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28783", "GHSA-5fvc-7894-ghp4" ], "risk_score": 4.2, "exploitability": "0.5", "weighted_severity": "8.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g637-7ns6-kyhj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81009?format=api", "vulnerability_id": "VCID-gp2d-vv3n-euda", "summary": "Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: \"Edit assets in the <VolumeName> volume\" and \"Create assets in the <VolumeName> volume.\" Versions 4.17.9 and 5.9.15 patch the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41129", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13144", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13139", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13041", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41129" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41129", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41129" }, { "reference_url": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f", "reference_id": "d20aecfaa0eae076c4154be3b17e1f9fa05ce46f", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/" } ], "url": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f" }, { "reference_url": "https://github.com/advisories/GHSA-3m9m-24vh-39wx", "reference_id": "GHSA-3m9m-24vh-39wx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3m9m-24vh-39wx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx", "reference_id": "GHSA-3m9m-24vh-39wx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373533?format=api", "purl": "pkg:composer/craftcms/cms@5.9.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15" } ], "aliases": [ "CVE-2026-41129", "GHSA-3m9m-24vh-39wx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gp2d-vv3n-euda" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80104?format=api", "vulnerability_id": "VCID-grmm-88sf-wyd4", "summary": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 that allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27127", "reference_id": "", "reference_type": "", "scores": [ { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.0071", "published_at": "2026-06-13T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00709", "published_at": "2026-06-12T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00711", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27127" }, { "reference_url": "https://curl.se/libcurl/c/CURLOPT_RESOLVE.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://curl.se/libcurl/c/CURLOPT_RESOLVE.html" }, { "reference_url": "https://github.com/mogwailabs/DNSrebinder", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mogwailabs/DNSrebinder" }, { "reference_url": "https://github.com/nccgroup/singularity", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nccgroup/singularity" }, { "reference_url": "https://github.com/taviso/rbndr", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/taviso/rbndr" }, { "reference_url": "https://unit42.paloaltonetworks.com/dns-rebinding", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://unit42.paloaltonetworks.com/dns-rebinding" }, { "reference_url": "https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575", "reference_id": "a4cf3fb63bba3249cf1e2882b18a2d29e77a8575", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/" } ], "url": "https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27127", "reference_id": "CVE-2026-27127", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27127" }, { "reference_url": "https://github.com/advisories/GHSA-gp2f-7wcm-5fhx", "reference_id": "GHSA-gp2f-7wcm-5fhx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gp2f-7wcm-5fhx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx", "reference_id": "GHSA-gp2f-7wcm-5fhx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc", "reference_id": "GHSA-x27p-wfqw-hfcc", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39526?format=api", "purl": "pkg:composer/craftcms/cms@5.8.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23" } ], "aliases": [ "CVE-2026-27127", "GHSA-gp2f-7wcm-5fhx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-grmm-88sf-wyd4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78014?format=api", "vulnerability_id": "VCID-h9fr-63qv-bffn", "summary": "Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33162", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02173", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02175", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02178", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33162" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33162", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33162" }, { "reference_url": "https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e", "reference_id": "3c1ab1c4445dd9237855a66e6a06ecf3591a718e", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:40:29Z/" } ], "url": "https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:40:29Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/advisories/GHSA-f582-6gf6-gx4g", "reference_id": "GHSA-f582-6gf6-gx4g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f582-6gf6-gx4g" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g", "reference_id": "GHSA-f582-6gf6-gx4g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:40:29Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33162", "GHSA-f582-6gf6-gx4g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h9fr-63qv-bffn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67999?format=api", "vulnerability_id": "VCID-j1d4-j44f-yqh9", "summary": "Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44010", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02827", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02819", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.0409", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44010" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44010", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44010" }, { "reference_url": "https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128", "reference_id": "834b2cf61ad0dcee9b03add44ed402ebf18db128", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/" } ], "url": "https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128" }, { "reference_url": "https://github.com/advisories/GHSA-gj2p-p9m4-c8gw", "reference_id": "GHSA-gj2p-p9m4-c8gw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gj2p-p9m4-c8gw" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw", "reference_id": "GHSA-gj2p-p9m4-c8gw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376015?format=api", "purl": "pkg:composer/craftcms/cms@5.9.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18" } ], "aliases": [ "CVE-2026-44010", "GHSA-gj2p-p9m4-c8gw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j1d4-j44f-yqh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77888?format=api", "vulnerability_id": "VCID-j6wk-k1jb-jfd5", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33160", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03998", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.04003", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.04014", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33160" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33160", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33160" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "4.17.8", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/commit/7290d91639e", "reference_id": "7290d91639e", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/commit/7290d91639e" }, { "reference_url": "https://github.com/advisories/GHSA-5pgf-h923-m958", "reference_id": "GHSA-5pgf-h923-m958", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5pgf-h923-m958" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958", "reference_id": "GHSA-5pgf-h923-m958", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33160", "GHSA-5pgf-h923-m958" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j6wk-k1jb-jfd5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67887?format=api", "vulnerability_id": "VCID-j8qq-yre6-4bfx", "summary": "Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44011", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06356", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06376", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06955", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44011" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44011", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44011" }, { "reference_url": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3", "reference_id": "ab85ca7f5f926994f723f60584054a1f4c4c5de3", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/" } ], "url": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5", "reference_id": "GHSA-255j-qw47-wjh5", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5" }, { "reference_url": "https://github.com/advisories/GHSA-qrgm-p9w5-rrfw", "reference_id": "GHSA-qrgm-p9w5-rrfw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qrgm-p9w5-rrfw" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw", "reference_id": "GHSA-qrgm-p9w5-rrfw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376015?format=api", "purl": "pkg:composer/craftcms/cms@5.9.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18" } ], "aliases": [ "CVE-2026-44011", "GHSA-qrgm-p9w5-rrfw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j8qq-yre6-4bfx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77955?format=api", "vulnerability_id": "VCID-nep2-e16y-9yg4", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33159", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06624", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06613", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06602", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33159" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33159", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33159" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "4.17.8", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592", "reference_id": "7f0ead833f7c2b91ae12003caad833479dd08592", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592" }, { "reference_url": "https://github.com/advisories/GHSA-6mrr-q3pj-h53w", "reference_id": "GHSA-6mrr-q3pj-h53w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6mrr-q3pj-h53w" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w", "reference_id": "GHSA-6mrr-q3pj-h53w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33159", "GHSA-6mrr-q3pj-h53w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nep2-e16y-9yg4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69160?format=api", "vulnerability_id": "VCID-nhab-uyen-ayhq", "summary": "Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28696", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07121", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07126", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07094", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28696" }, { "reference_url": "https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9", "reference_id": "4d98a07e47580f1712095825d3e3c4d67bc9f8b9", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:00:48Z/" } ], "url": "https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28696", "reference_id": "CVE-2026-28696", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28696" }, { "reference_url": "https://github.com/advisories/GHSA-7x43-mpfg-r9wj", "reference_id": "GHSA-7x43-mpfg-r9wj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7x43-mpfg-r9wj" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj", "reference_id": "GHSA-7x43-mpfg-r9wj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:00:48Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28696", "GHSA-7x43-mpfg-r9wj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nhab-uyen-ayhq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65884?format=api", "vulnerability_id": "VCID-p8kk-e27s-n7cs", "summary": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. This issue is patched in versions 4.16.18 and 5.8.22.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25493", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05835", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05818", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05844", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25493" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.18" }, { "reference_url": "https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98", "reference_id": "0974055634af68998f67850ab2045d8aaa19fa98", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/" } ], "url": "https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "5.8.22", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25493", "reference_id": "CVE-2026-25493", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25493" }, { "reference_url": "https://github.com/advisories/GHSA-8jr8-7hr4-vhfx", "reference_id": "GHSA-8jr8-7hr4-vhfx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8jr8-7hr4-vhfx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx", "reference_id": "GHSA-8jr8-7hr4-vhfx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38960?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25493", "GHSA-8jr8-7hr4-vhfx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p8kk-e27s-n7cs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77697?format=api", "vulnerability_id": "VCID-py3b-5ps7-7fe3", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33158", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03898", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03906", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03916", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33158" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33158", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33158" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "4.17.8", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860", "reference_id": "7290d91639e5e3a4f7e221dfbef95c9b77331860", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860" }, { "reference_url": "https://github.com/advisories/GHSA-3pvf-vxrv-hh9c", "reference_id": "GHSA-3pvf-vxrv-hh9c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3pvf-vxrv-hh9c" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c", "reference_id": "GHSA-3pvf-vxrv-hh9c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33158", "GHSA-3pvf-vxrv-hh9c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-py3b-5ps7-7fe3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69679?format=api", "vulnerability_id": "VCID-qmcc-3ued-m7gk", "summary": "Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the \"Duplicate\" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only \"View Entries\" permission (where the \"Duplicate\" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28782", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.131", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13092", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.12995", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28782" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28782", "reference_id": "CVE-2026-28782", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28782" }, { "reference_url": "https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d", "reference_id": "fb61a91357f5761c852400185ba931f51d82783d", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:34:53Z/" } ], "url": "https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d" }, { "reference_url": "https://github.com/advisories/GHSA-jxm3-pmm2-9gf6", "reference_id": "GHSA-jxm3-pmm2-9gf6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jxm3-pmm2-9gf6" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6", "reference_id": "GHSA-jxm3-pmm2-9gf6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:34:53Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28782", "GHSA-jxm3-pmm2-9gf6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qmcc-3ued-m7gk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212817?format=api", "vulnerability_id": "VCID-qr5e-wjjt-zudz", "summary": "Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page", "references": [ { "reference_url": "https://github.com/advisories/GHSA-g3hp-vvqf-8vw6", "reference_id": "GHSA-g3hp-vvqf-8vw6", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g3hp-vvqf-8vw6" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6", "reference_id": "GHSA-g3hp-vvqf-8vw6", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38960?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "GHSA-g3hp-vvqf-8vw6" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qr5e-wjjt-zudz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93099?format=api", "vulnerability_id": "VCID-qrmg-jky7-87cb", "summary": "Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68454", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.66459", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.66446", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.66351", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68454" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "reference_id": "CHANGELOG.md#5821---2025-12-04", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/" } ], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68454", "reference_id": "CVE-2025-68454", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68454" }, { "reference_url": "https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe", "reference_id": "d82680f4a05f9576883bb83c3f6243d33ca73ebe", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/" } ], "url": "https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe" }, { "reference_url": "https://github.com/advisories/GHSA-742x-x762-7383", "reference_id": "GHSA-742x-x762-7383", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-742x-x762-7383" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383", "reference_id": "GHSA-742x-x762-7383", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36516?format=api", "purl": "pkg:composer/craftcms/cms@5.8.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21" } ], "aliases": [ "CVE-2025-68454", "GHSA-742x-x762-7383" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qrmg-jky7-87cb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65934?format=api", "vulnerability_id": "VCID-r47n-36pn-cbe4", "summary": "Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the schema-resolved volume but fetches the target asset by ID without verifying that the asset belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25497", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07463", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07456", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07428", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25497" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.0-beta.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.0-beta.1" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.0-beta.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.0-beta.1" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "5.8.22", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409", "reference_id": "ac7edf868c1a81fd9c4dc49d3b3edf1cce113409", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/" } ], "url": "https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25497", "reference_id": "CVE-2026-25497", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25497" }, { "reference_url": "https://github.com/advisories/GHSA-fxp3-g6gw-4r4v", "reference_id": "GHSA-fxp3-g6gw-4r4v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fxp3-g6gw-4r4v" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v", "reference_id": "GHSA-fxp3-g6gw-4r4v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-25497", "GHSA-fxp3-g6gw-4r4v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r47n-36pn-cbe4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93536?format=api", "vulnerability_id": "VCID-rezz-ka5s-hyg2", "summary": "Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68455", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0114", "scoring_system": "epss", "scoring_elements": "0.7891", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0114", "scoring_system": "epss", "scoring_elements": "0.78828", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0114", "scoring_system": "epss", "scoring_elements": "0.78893", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68455" }, { "reference_url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7", "reference_id": "27f55886098b56c00ddc53b69239c9c9192252c7", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/" } ], "url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7" }, { "reference_url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef", "reference_id": "6e608a1a5bfb36943f94f584b7548ca542a86fef", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/" } ], "url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "reference_id": "CHANGELOG.md#5821---2025-12-04", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/" } ], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68455", "reference_id": "CVE-2025-68455", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68455" }, { "reference_url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593", "reference_id": "ec43c497edde0b2bf2e39a119cded2e55f9fe593", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/" } ], "url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593" }, { "reference_url": "https://github.com/advisories/GHSA-255j-qw47-wjh5", "reference_id": "GHSA-255j-qw47-wjh5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-255j-qw47-wjh5" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5", "reference_id": "GHSA-255j-qw47-wjh5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36516?format=api", "purl": "pkg:composer/craftcms/cms@5.8.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21" } ], "aliases": [ "CVE-2025-68455", "GHSA-255j-qw47-wjh5" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rezz-ka5s-hyg2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81021?format=api", "vulnerability_id": "VCID-smdx-nfbs-2qbx", "summary": "Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. \nWhen `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). Versions 4.17.9 and 5.9.15 patch the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41130", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16424", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16435", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1628", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41130" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41130", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41130" }, { "reference_url": "https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783", "reference_id": "ebe7e85f1c89700d64332f72492be2e9a594e783", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/" } ], "url": "https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783" }, { "reference_url": "https://github.com/advisories/GHSA-95wr-3f2v-v2wh", "reference_id": "GHSA-95wr-3f2v-v2wh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-95wr-3f2v-v2wh" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh", "reference_id": "GHSA-95wr-3f2v-v2wh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373533?format=api", "purl": "pkg:composer/craftcms/cms@5.9.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15" } ], "aliases": [ "CVE-2026-41130", "GHSA-95wr-3f2v-v2wh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-smdx-nfbs-2qbx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81004?format=api", "vulnerability_id": "VCID-sswc-d2f8-zyc9", "summary": "Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty `groups` value removes all existing group memberships. Version 5.9.15 contains a patch.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41128", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12782", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12774", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12684", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41128" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41128", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41128" }, { "reference_url": "https://github.com/craftcms/cms/commit/b135384808ad43fcf8836a9dd9b877fb0087bc27", "reference_id": "b135384808ad43fcf8836a9dd9b877fb0087bc27", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T18:13:25Z/" } ], "url": "https://github.com/craftcms/cms/commit/b135384808ad43fcf8836a9dd9b877fb0087bc27" }, { "reference_url": "https://github.com/advisories/GHSA-jq2f-59pj-p3m3", "reference_id": "GHSA-jq2f-59pj-p3m3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jq2f-59pj-p3m3" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-jq2f-59pj-p3m3", "reference_id": "GHSA-jq2f-59pj-p3m3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T18:13:25Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-jq2f-59pj-p3m3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373533?format=api", "purl": "pkg:composer/craftcms/cms@5.9.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15" } ], "aliases": [ "CVE-2026-41128", "GHSA-jq2f-59pj-p3m3" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sswc-d2f8-zyc9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/121029?format=api", "vulnerability_id": "VCID-tfc8-rkdd-53f7", "summary": "Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-57811", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00227", "scoring_system": "epss", "scoring_elements": "0.45622", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00227", "scoring_system": "epss", "scoring_elements": "0.45778", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00227", "scoring_system": "epss", "scoring_elements": "0.45769", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-57811" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57811", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57811" }, { "reference_url": "https://github.com/craftcms/cms/pull/17612", "reference_id": "17612", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/" } ], "url": "https://github.com/craftcms/cms/pull/17612" }, { "reference_url": "https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc", "reference_id": "e77f8a287dcdda41f1724f525d03542f18566cbc", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/" } ], "url": "https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc" }, { "reference_url": "https://github.com/advisories/GHSA-crcq-738g-pqvc", "reference_id": "GHSA-crcq-738g-pqvc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-crcq-738g-pqvc" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc", "reference_id": "GHSA-crcq-738g-pqvc", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv", "reference_id": "GHSA-f3cw-hg6r-chfv", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40131?format=api", "purl": "pkg:composer/craftcms/cms@5.8.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8kdh-rvh3-4yfv" }, { "vulnerability": "VCID-8m8v-ymqs-fkh9" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-qrmg-jky7-87cb" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-rezz-ka5s-hyg2" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-wnr9-2wyr-wug4" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.7" } ], "aliases": [ "CVE-2025-57811", "GHSA-crcq-738g-pqvc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tfc8-rkdd-53f7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71384?format=api", "vulnerability_id": "VCID-tte6-fheg-g7hg", "summary": "Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) works on this controller because the fix was never applied to it. Any authenticated control panel user (no admin required) can inject arbitrary SQL via criteria[where], criteria[orderBy], or other query properties, and extract the full database contents via boolean-based blind injection. Users should update to the patched 5.9.9 release to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31858", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.1364", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13638", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13521", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31858" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31858", "reference_id": "CVE-2026-31858", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31858" }, { "reference_url": "https://github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42", "reference_id": "e1a3dd669ae31491b86ad996e88a1d30d33d9a42", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:01:02Z/" } ], "url": "https://github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj", "reference_id": "GHSA-2453-mppf-46cj", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj" }, { "reference_url": "https://github.com/advisories/GHSA-g7j6-fmwx-7vp8", "reference_id": "GHSA-g7j6-fmwx-7vp8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g7j6-fmwx-7vp8" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8", "reference_id": "GHSA-g7j6-fmwx-7vp8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:01:02Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40681?format=api", "purl": "pkg:composer/craftcms/cms@5.9.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.9" } ], "aliases": [ "CVE-2026-31858", "GHSA-g7j6-fmwx-7vp8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tte6-fheg-g7hg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77715?format=api", "vulnerability_id": "VCID-up4q-hz23-vkcn", "summary": "Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (\"as\" and \"on\" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33157", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00101", "scoring_system": "epss", "scoring_elements": "0.27322", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00101", "scoring_system": "epss", "scoring_elements": "0.27547", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00101", "scoring_system": "epss", "scoring_elements": "0.27524", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33157" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33157", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33157" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.13", "reference_id": "5.9.13", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:19:28Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.13" }, { "reference_url": "https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e", "reference_id": "97e90b4bdee369c1af3ca77a77531132df240e4e", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:19:28Z/" } ], "url": "https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e" }, { "reference_url": "https://github.com/advisories/GHSA-255j-qw47-wjh5", "reference_id": "GHSA-255j-qw47-wjh5", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-255j-qw47-wjh5" }, { "reference_url": "https://github.com/advisories/GHSA-2fph-6v5w-89hh", "reference_id": "GHSA-2fph-6v5w-89hh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2fph-6v5w-89hh" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh", "reference_id": "GHSA-2fph-6v5w-89hh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:19:28Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh" }, { "reference_url": "https://github.com/advisories/GHSA-7jx7-3846-m7w7", "reference_id": "GHSA-7jx7-3846-m7w7", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7jx7-3846-m7w7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374903?format=api", "purl": "pkg:composer/craftcms/cms@5.9.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.13" } ], "aliases": [ "CVE-2026-33157", "GHSA-2fph-6v5w-89hh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-up4q-hz23-vkcn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66131?format=api", "vulnerability_id": "VCID-uxc7-pe63-2khp", "summary": "Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25491", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07187", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07183", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07153", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25491" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "5.8.22", "reference_type": "", "scores": [ { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:22Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://github.com/craftcms/cms/commit/cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4", "reference_id": "cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4", "reference_type": "", "scores": [ { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:22Z/" } ], "url": "https://github.com/craftcms/cms/commit/cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25491", "reference_id": "CVE-2026-25491", "reference_type": "", "scores": [ { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25491" }, { "reference_url": "https://github.com/advisories/GHSA-7pr4-wx9w-mqwr", "reference_id": "GHSA-7pr4-wx9w-mqwr", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7pr4-wx9w-mqwr" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr", "reference_id": "GHSA-7pr4-wx9w-mqwr", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:22Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38960?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25491", "GHSA-7pr4-wx9w-mqwr" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uxc7-pe63-2khp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67762?format=api", "vulnerability_id": "VCID-vj1t-r17b-rufc", "summary": "Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44012", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01713", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.0171", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02419", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44012" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44012", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44012" }, { "reference_url": "https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586", "reference_id": "e3f3eaab3d85badd713cfc2c24e5f0792ecdb586", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:49:35Z/" } ], "url": "https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586" }, { "reference_url": "https://github.com/advisories/GHSA-33m5-hqp9-97pw", "reference_id": "GHSA-33m5-hqp9-97pw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-33m5-hqp9-97pw" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw", "reference_id": "GHSA-33m5-hqp9-97pw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:49:35Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376015?format=api", "purl": "pkg:composer/craftcms/cms@5.9.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18" } ], "aliases": [ "CVE-2026-44012", "GHSA-33m5-hqp9-97pw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vj1t-r17b-rufc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65908?format=api", "vulnerability_id": "VCID-vrpf-parp-7kgr", "summary": "Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25498", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.59295", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.59283", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.59171", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25498" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.18" }, { "reference_url": "https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748", "reference_id": "395c64f0b80b507be1c862a2ec942eaacb353748", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/" } ], "url": "https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "5.8.22", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25498", "reference_id": "CVE-2026-25498", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25498" }, { "reference_url": "https://github.com/advisories/GHSA-7jx7-3846-m7w7", "reference_id": "GHSA-7jx7-3846-m7w7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7jx7-3846-m7w7" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7", "reference_id": "GHSA-7jx7-3846-m7w7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38960?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25498", "GHSA-7jx7-3846-m7w7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vrpf-parp-7kgr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93221?format=api", "vulnerability_id": "VCID-wnr9-2wyr-wug4", "summary": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68436", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.1177", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11776", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11692", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68436" }, { "reference_url": "https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9", "reference_id": "4bcb0db554e273b66ce3b75263a13414c2368fc9", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:10Z/" } ], "url": "https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68436", "reference_id": "CVE-2025-68436", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68436" }, { "reference_url": "https://github.com/advisories/GHSA-53vf-c43h-j2x9", "reference_id": "GHSA-53vf-c43h-j2x9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-53vf-c43h-j2x9" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9", "reference_id": "GHSA-53vf-c43h-j2x9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:10Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36516?format=api", "purl": "pkg:composer/craftcms/cms@5.8.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-726q-jfsa-9qdz" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-b25s-j3du-sfg5" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-p8kk-e27s-n7cs" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-qr5e-wjjt-zudz" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-uxc7-pe63-2khp" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-vrpf-parp-7kgr" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-y2ya-ys74-vqbv" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21" } ], "aliases": [ "CVE-2025-68436", "GHSA-53vf-c43h-j2x9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wnr9-2wyr-wug4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69404?format=api", "vulnerability_id": "VCID-x1w2-ytck-17bn", "summary": "Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to work, you must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against our recommendations for any non-dev environment. Alternatively, you can have a non-administrator account with allowAdminChanges disabled, but you have access to the System Messages utility. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28784", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06182", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06191", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06203", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28784" }, { "reference_url": "https://github.com/craftcms/cms/pull/18208", "reference_id": "18208", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/" } ], "url": "https://github.com/craftcms/cms/pull/18208" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28784", "reference_id": "CVE-2026-28784", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28784" }, { "reference_url": "https://github.com/advisories/GHSA-qc86-q28f-ggww", "reference_id": "GHSA-qc86-q28f-ggww", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qc86-q28f-ggww" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww", "reference_id": "GHSA-qc86-q28f-ggww", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww" }, { "reference_url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production", "reference_id": "securing-craft#set-allowAdminChanges-to-false-in-production", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/" } ], "url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38984?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28784", "GHSA-qc86-q28f-ggww" ], "risk_score": 3.9, "exploitability": "0.5", "weighted_severity": "7.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x1w2-ytck-17bn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65892?format=api", "vulnerability_id": "VCID-y2ya-ys74-vqbv", "summary": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25494", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05818", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05835", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05844", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25494" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.18" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "5.8.22", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25494", "reference_id": "CVE-2026-25494", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25494" }, { "reference_url": "https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2", "reference_id": "d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/" } ], "url": "https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2" }, { "reference_url": "https://github.com/advisories/GHSA-m5r2-8p9x-hp5m", "reference_id": "GHSA-m5r2-8p9x-hp5m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m5r2-8p9x-hp5m" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m", "reference_id": "GHSA-m5r2-8p9x-hp5m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38960?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yx-3kck-s7dp" }, { "vulnerability": "VCID-16h7-f3pe-8qh8" }, { "vulnerability": "VCID-1c7e-bv58-33ax" }, { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-543c-646v-4yfj" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-76k8-sveq-3qbf" }, { "vulnerability": "VCID-7mph-yq7h-5yb8" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-9yzy-78sh-xydu" }, { "vulnerability": "VCID-bn85-sts4-5ygq" }, { "vulnerability": "VCID-br1f-q8nk-v7b3" }, { "vulnerability": "VCID-bsh8-7q16-t7e4" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-e9qn-ar3q-g3e4" }, { "vulnerability": "VCID-g637-7ns6-kyhj" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-grmm-88sf-wyd4" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-nhab-uyen-ayhq" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-qmcc-3ued-m7gk" }, { "vulnerability": "VCID-r47n-36pn-cbe4" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-x1w2-ytck-17bn" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25494", "GHSA-m5r2-8p9x-hp5m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y2ya-ys74-vqbv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77578?format=api", "vulnerability_id": "VCID-yc89-41eq-b3eh", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename. This could allow an authenticated user with replaceFiles permission on one volume to delete files in other folders/volumes that share the same filesystem root. This only affects local filesystems. This issue has been patched in versions 4.17.5 and 5.9.11.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32262", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12406", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12414", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12316", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32262" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32262", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32262" }, { "reference_url": "https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11", "reference_id": "c997efbe4c66c14092714233aeebff15cdbfcf11", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/" } ], "url": "https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11" }, { "reference_url": "https://github.com/advisories/GHSA-472v-j2g4-g9h2", "reference_id": "GHSA-472v-j2g4-g9h2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-472v-j2g4-g9h2" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2", "reference_id": "GHSA-472v-j2g4-g9h2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374751?format=api", "purl": "pkg:composer/craftcms/cms@5.9.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11" } ], "aliases": [ "CVE-2026-32262", "GHSA-472v-j2g4-g9h2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yc89-41eq-b3eh" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.9" }