Package details: pkg:composer/craftcms/cms@2.6.2780
purl pkg:composer/craftcms/cms@2.6.2780
Next non-vulnerable version 3.6.13
Latest non-vulnerable version 5.9.18
Risk 10.0
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-3n7p-999s-r3f3
Aliases:
CVE-2017-8383
GHSA-7qq6-fgpw-xw45
File and Directory Information Exposure: Craft CMS does not properly restrict viewing the contents of files in the `craft/app/` folder.
2.6.2975
Affected by 4 other vulnerabilities.
2.6.2976
Affected by 4 other vulnerabilities.
VCID-3twn-e7up-2ugq
Aliases:
CVE-2018-20465
GHSA-j7fx-v37j-v3w7
Missing Encryption of Sensitive Data: Craft CMS allows remote authenticated administrators to read sensitive information via server-side template injection which causes a cleartext username and password to be displayed in a URI field.
3.0.35
Affected by 2 other vulnerabilities.
VCID-97zb-4cxh-7yah
Aliases:
CVE-2017-8385
GHSA-j27g-r58q-624w
Weak Password Recovery Mechanism for Forgotten Password: Craft CMS does not prevent modification of the URL in a forgot-password email message.
2.6.2975
Affected by 4 other vulnerabilities.
2.6.2976
Affected by 4 other vulnerabilities.
VCID-dgvz-qam7-23c1
Aliases:
CVE-2017-9516
GHSA-6pvw-hh48-jx7p
Cross-site Scripting: Craft CMS allows for a potential XSS attack vector by uploading a malicious SVG file.
2.6.2982
Affected by 3 other vulnerabilities.
VCID-hz6m-gqvb-6kae
Aliases:
CVE-2017-8052
GHSA-xv5f-2997-qhrq
Cross-site Scripting: Craft CMS allows XSS attacks.
2.6.2974
Affected by 7 other vulnerabilities.
VCID-mkab-fw34-ekh9
Aliases:
CVE-2017-8384
GHSA-9mcw-mwxv-grwj
Cross-site Scripting: Craft CMS allows XSS attacks because an array returned by `HttpRequestService::getSegments()` and `getActionSegments()` need not be zero-based.
2.6.2975
Affected by 4 other vulnerabilities.
2.6.2976
Affected by 4 other vulnerabilities.
VCID-nz6e-26rc-f3fa
Aliases:
CVE-2021-32470
GHSA-h2rj-8wgg-mm43
Cross-site Scripting: Craft CMS has an XSS vulnerability.
3.6.13
Affected by 0 other vulnerabilities.
VCID-xv52-rc7v-yba8
Aliases:
CVE-2020-9757
GHSA-6q4j-8pjm-5mgc
Injection Vulnerability: The `SEOmatic` component for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the `metacontainers` controller.
3.3.0
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T00:36:23.027854+00:00 | GitLab Importer | Affected by | VCID-nz6e-26rc-f3fa | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2021-32470.yml | 38.6.0 |
| 2026-06-04T20:27:50.575195+00:00 | GitLab Importer | Affected by | VCID-xv52-rc7v-yba8 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2020-9757.yml | 38.6.0 |
| 2026-06-04T20:17:47.179102+00:00 | GitLab Importer | Affected by | VCID-3twn-e7up-2ugq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2018-20465.yml | 38.6.0 |
| 2026-06-04T20:08:10.823926+00:00 | GitLab Importer | Affected by | VCID-dgvz-qam7-23c1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2017-9516.yml | 38.6.0 |
| 2026-06-04T20:07:56.252830+00:00 | GitLab Importer | Affected by | VCID-3n7p-999s-r3f3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2017-8383.yml | 38.6.0 |
| 2026-06-04T20:07:55.653896+00:00 | GitLab Importer | Affected by | VCID-mkab-fw34-ekh9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2017-8384.yml | 38.6.0 |
| 2026-06-04T20:07:55.009722+00:00 | GitLab Importer | Affected by | VCID-97zb-4cxh-7yah | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2017-8385.yml | 38.6.0 |
| 2026-06-04T20:07:51.729254+00:00 | GitLab Importer | Affected by | VCID-hz6m-gqvb-6kae | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2017-8052.yml | 38.6.0 |