Package details: pkg:composer/craftcms/cms@4.17.0-beta.1
purl pkg:composer/craftcms/cms@4.17.0-beta.1
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (9)
Vulnerability Summary Aliases
VCID-4zfr-4pgf-zke4 Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates An authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the `craft.app.fs.write()` method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands. CVE-2026-28697, GHSA-v47q-jxvr-p68x
VCID-ccwe-z8nr-3qhq Craft CMS: GraphQL Asset Mutation Privilege Escalation Type: Privilege Escalation (CWE-269) Affected: Craft CMS 5.x (likely affects 4.x and 3.x as well) Location: `src/gql/resolvers/mutations/Asset.php lines 57-107` CVE-2026-25497, GHSA-fxp3-g6gw-4r4v
VCID-ch5h-xzgt-6kgs Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action The "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating **other users' entries** by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. CVE-2026-28782, GHSA-jxm3-pmm2-9gf6
VCID-ejv9-c3hf-jfax Craft CMS has Twig Function Blocklist Bypass Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have `allowAdminChanges` enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs. Twig has already deprecated this behavior, and it will eventually be removed from Twig altogether. https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096 This has been resolved in Craft 4.17.0 and 5.9.0, which removes the blocklist and disables all non-Closure arrow functions in Twig globally via the `enableTwigSandbox` config setting. That setting is enabled by default on all new Craft projects. Existing Craft projects will need to enable the config setting to take advantage of it. Existing projects should update to the patched versions of 5.9.0 and 4.17.0 to mitigate the issue and enable the config setting. CVE-2026-28783, GHSA-5fvc-7894-ghp4
VCID-j9n2-1u2k-ckc5 Craft CMS has potential authenticated Remote Code Execution via Twig SSTI For this to work, the attacker must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled, which is against Craft CMS' recommendations for any non-dev environment. https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production Alternatively, they can have a non-administrator account with `allowAdminChanges` disabled, but they must have access to the System Messages utility. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to an RCE. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue. References: https://github.com/craftcms/cms/pull/18208 CVE-2026-28784, GHSA-qc86-q28f-ggww
VCID-m28c-yq43-a7cq Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options Stored XSS in multiple settings. Names/labels are rendered without sanitization via the `checkbox.twig` template, which uses `{{ label|raw }}`. GHSA-4mgv-366x-qxvx
VCID-mytj-88ea-73d9 Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the `create()` Twig function combined with a Symfony Process gadget chain. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). CVE-2026-28695, GHSA-94rc-cqvm-m4pw
VCID-vg28-8erb-27ae Craft CMS: Entries Authorship Spoofing via Mass Assignment The entry creation process allows for **Mass Assignment** of the `authorId` attribute. A user with "Create Entries" permission can inject the `authorIds[]` (or `authorId`) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship. CVE-2026-28781, GHSA-2xfc-g69j-x2mp
VCID-zh94-u2by-xkg5 Craft CMS has IDOR via GraphQL @parseRefs The GraphQL directive `@parseRefs`, intended to parse internal reference tags (e.g., `{user:1:email}`), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in `Elements::parseRefs` fails to perform authorization checks, allowing attackers to read data they are not authorized to view. CVE-2026-28696, GHSA-7x43-mpfg-r9wj

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-31T10:56:04.220348+00:00 GithubOSV Importer Fixing VCID-zh94-u2by-xkg5 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7x43-mpfg-r9wj/GHSA-7x43-mpfg-r9wj.json 38.6.0
2026-05-31T10:56:04.026360+00:00 GithubOSV Importer Fixing VCID-4zfr-4pgf-zke4 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-v47q-jxvr-p68x/GHSA-v47q-jxvr-p68x.json 38.6.0
2026-05-31T10:55:39.507993+00:00 GithubOSV Importer Fixing VCID-ejv9-c3hf-jfax https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-5fvc-7894-ghp4/GHSA-5fvc-7894-ghp4.json 38.6.0
2026-05-31T10:55:25.046020+00:00 GithubOSV Importer Fixing VCID-ch5h-xzgt-6kgs https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-jxm3-pmm2-9gf6/GHSA-jxm3-pmm2-9gf6.json 38.6.0
2026-05-31T10:55:21.099614+00:00 GithubOSV Importer Fixing VCID-m28c-yq43-a7cq https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-4mgv-366x-qxvx/GHSA-4mgv-366x-qxvx.json 38.6.0
2026-05-31T10:55:05.990469+00:00 GithubOSV Importer Fixing VCID-vg28-8erb-27ae https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-2xfc-g69j-x2mp/GHSA-2xfc-g69j-x2mp.json 38.6.0
2026-05-31T10:54:54.647448+00:00 GithubOSV Importer Fixing VCID-j9n2-1u2k-ckc5 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-qc86-q28f-ggww/GHSA-qc86-q28f-ggww.json 38.6.0
2026-05-31T10:54:43.628866+00:00 GithubOSV Importer Fixing VCID-mytj-88ea-73d9 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-94rc-cqvm-m4pw/GHSA-94rc-cqvm-m4pw.json 38.6.0
2026-05-31T10:54:28.454209+00:00 GithubOSV Importer Fixing VCID-ccwe-z8nr-3qhq https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-fxp3-g6gw-4r4v/GHSA-fxp3-g6gw-4r4v.json 38.6.0
2026-05-31T01:08:08.737064+00:00 GHSA Importer Fixing VCID-j9n2-1u2k-ckc5 https://github.com/advisories/GHSA-qc86-q28f-ggww 38.6.0
2026-05-31T01:08:08.650605+00:00 GHSA Importer Fixing VCID-ch5h-xzgt-6kgs https://github.com/advisories/GHSA-jxm3-pmm2-9gf6 38.6.0
2026-05-31T01:08:08.577638+00:00 GHSA Importer Fixing VCID-ejv9-c3hf-jfax https://github.com/advisories/GHSA-5fvc-7894-ghp4 38.6.0
2026-05-31T01:08:08.459499+00:00 GHSA Importer Fixing VCID-vg28-8erb-27ae https://github.com/advisories/GHSA-2xfc-g69j-x2mp 38.6.0
2026-05-31T01:08:08.426181+00:00 GHSA Importer Fixing VCID-4zfr-4pgf-zke4 https://github.com/advisories/GHSA-v47q-jxvr-p68x 38.6.0
2026-05-31T01:08:08.152863+00:00 GHSA Importer Fixing VCID-m28c-yq43-a7cq https://github.com/advisories/GHSA-4mgv-366x-qxvx 38.6.0
2026-05-31T01:08:08.079021+00:00 GHSA Importer Fixing VCID-zh94-u2by-xkg5 https://github.com/advisories/GHSA-7x43-mpfg-r9wj 38.6.0
2026-05-31T01:08:08.021736+00:00 GHSA Importer Fixing VCID-mytj-88ea-73d9 https://github.com/advisories/GHSA-94rc-cqvm-m4pw 38.6.0
2026-05-31T01:07:16.293176+00:00 GHSA Importer Fixing VCID-ccwe-z8nr-3qhq https://github.com/advisories/GHSA-fxp3-g6gw-4r4v 38.6.0
2026-05-30T21:07:32.032249+00:00 GitLab Importer Fixing VCID-ch5h-xzgt-6kgs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-28782.yml 38.6.0
2026-05-30T21:07:31.594645+00:00 GitLab Importer Fixing VCID-vg28-8erb-27ae https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-28781.yml 38.6.0
2026-05-30T21:07:30.280427+00:00 GitLab Importer Fixing VCID-j9n2-1u2k-ckc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-28784.yml 38.6.0
2026-05-30T21:07:30.222479+00:00 GitLab Importer Fixing VCID-m28c-yq43-a7cq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/GHSA-4mgv-366x-qxvx.yml 38.6.0
2026-05-30T21:07:29.655905+00:00 GitLab Importer Fixing VCID-zh94-u2by-xkg5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-28696.yml 38.6.0
2026-05-30T21:07:28.856388+00:00 GitLab Importer Fixing VCID-mytj-88ea-73d9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-28695.yml 38.6.0
2026-05-30T21:07:26.836639+00:00 GitLab Importer Fixing VCID-ejv9-c3hf-jfax https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-28783.yml 38.6.0
2026-05-30T21:07:26.676729+00:00 GitLab Importer Fixing VCID-4zfr-4pgf-zke4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-28697.yml 38.6.0
2026-05-30T21:06:27.420225+00:00 GitLab Importer Fixing VCID-ccwe-z8nr-3qhq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-25497.yml 38.6.0