VulnerableCode Package Details - pkg:composer/craftcms/cms@2.6.2976

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:composer/craftcms/cms@2.6.2976

Essentials
History (14)

purl	pkg:composer/craftcms/cms@2.6.2976

Next non-vulnerable version	3.7.33
Latest non-vulnerable version	5.9.18
Risk	10.0

Vulnerabilities affecting this package (11)

Vulnerability	Summary	Fixed by
VCID-3r9x-ax4j-3yha Aliases: CVE-2022-28378 GHSA-7xj5-fwqr-5378	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft CMS before 3.7.29 allows XSS.	3.7.29 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-3twn-e7up-2ugq Aliases: CVE-2018-20465 GHSA-j7fx-v37j-v3w7	Missing Encryption of Sensitive Data Craft CMS allows remote authenticated administrators to read sensitive information via server-side template injection which causes a cleartext username and password to be displayed in a URI field.	3.0.35 Affected by 9 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-8pjj-w8h7-p7ga Aliases: CVE-2022-29933 GHSA-5cjr-78cq-3wrg	Weak Password Recovery Mechanism for Forgotten Password Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration).	3.7.36 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.7.37 Affected by 0 other vulnerabilities.
VCID-adak-sn51-23gd Aliases: CVE-2019-17496 GHSA-f3xr-q258-h7m9	Craft CMS XSS Vulnerability Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion.	3.3.8 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-dgvz-qam7-23c1 Aliases: CVE-2017-9516 GHSA-6pvw-hh48-jx7p	Cross-site Scripting Craft CMS allows for a potential XSS attack vector by uploading a malicious SVG file.	2.6.2982 Affected by 10 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-n1z8-7a8m-rfcc Aliases: CVE-2021-27903 GHSA-x2j7-6hxm-87p3	Craft CMS Remote Code Injection An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session).	3.6.7 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-nz6e-26rc-f3fa Aliases: CVE-2021-32470 GHSA-h2rj-8wgg-mm43	Cross-site Scripting Craft CMS has an XSS vulnerability.	3.6.13 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-rx96-8kfy-4ugu Aliases: CVE-2019-15929 GHSA-wvr4-w6cw-4px8	Craft CMS possibility of brute force attempts In Craft CMS before 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them.	3.1.7 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-u4t8-gkkb-73bv Aliases: GHSA-wf98-vxv9-jqfv GMS-2022-790	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms/cms.	3.7.29 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-xc5n-1vqa-tqaz Aliases: CVE-2021-27902 GHSA-3jxh-789f-p7m6	Craft CMS Cross-site Scripting Vulnerability An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads.	3.6.0 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-xv52-rc7v-yba8 Aliases: CVE-2020-9757 GHSA-6q4j-8pjm-5mgc	Injection Vulnerability The `SEOmatic` component for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the `metacontainers` controller.	3.3.0 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (3)

Vulnerability	Summary	Aliases
VCID-3n7p-999s-r3f3	File and Directory Information Exposure Craft CMS does not properly restrict viewing the contents of files in the `craft/app/` folder.	CVE-2017-8383 GHSA-7qq6-fgpw-xw45
VCID-97zb-4cxh-7yah	Weak Password Recovery Mechanism for Forgotten Password Craft CMS does not prevent modification of the URL in a forgot-password email message.	CVE-2017-8385 GHSA-j27g-r58q-624w
VCID-mkab-fw34-ekh9	Cross-site Scripting Craft CMS allows XSS attacks because an array returned by `HttpRequestService::getSegments()` and `getActionSegments()` need not be zero-based.	CVE-2017-8384 GHSA-9mcw-mwxv-grwj

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T02:22:32.841257+00:00	GitLab Importer	Affected by	VCID-rx96-8kfy-4ugu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2019-15929.yml	38.6.0
2026-06-06T02:22:25.703355+00:00	GitLab Importer	Affected by	VCID-adak-sn51-23gd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2019-17496.yml	38.6.0
2026-06-06T01:45:43.911612+00:00	GitLab Importer	Affected by	VCID-8pjj-w8h7-p7ga	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2022-29933.yml	38.6.0
2026-06-06T01:39:39.163018+00:00	GitLab Importer	Affected by	VCID-u4t8-gkkb-73bv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/GMS-2022-790.yml	38.6.0
2026-06-06T01:39:29.758067+00:00	GitLab Importer	Affected by	VCID-3r9x-ax4j-3yha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2022-28378.yml	38.6.0
2026-06-06T00:47:27.105325+00:00	GitLab Importer	Affected by	VCID-xc5n-1vqa-tqaz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2021-27902.yml	38.6.0
2026-06-06T00:47:22.152802+00:00	GitLab Importer	Affected by	VCID-n1z8-7a8m-rfcc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2021-27903.yml	38.6.0
2026-06-06T00:36:23.246699+00:00	GitLab Importer	Affected by	VCID-nz6e-26rc-f3fa	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2021-32470.yml	38.6.0
2026-06-04T20:27:50.794458+00:00	GitLab Importer	Affected by	VCID-xv52-rc7v-yba8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2020-9757.yml	38.6.0
2026-06-04T20:17:47.437462+00:00	GitLab Importer	Affected by	VCID-3twn-e7up-2ugq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2018-20465.yml	38.6.0
2026-06-04T20:08:10.920169+00:00	GitLab Importer	Affected by	VCID-dgvz-qam7-23c1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2017-9516.yml	38.6.0
2026-06-04T18:02:56.949908+00:00	GithubOSV Importer	Fixing	VCID-97zb-4cxh-7yah	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j27g-r58q-624w/GHSA-j27g-r58q-624w.json	38.6.0
2026-06-04T17:58:19.232379+00:00	GithubOSV Importer	Fixing	VCID-mkab-fw34-ekh9	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9mcw-mwxv-grwj/GHSA-9mcw-mwxv-grwj.json	38.6.0
2026-06-04T17:55:22.214669+00:00	GithubOSV Importer	Fixing	VCID-3n7p-999s-r3f3	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7qq6-fgpw-xw45/GHSA-7qq6-fgpw-xw45.json	38.6.0