VulnerableCode Package Details - pkg:composer/craftcms/cms@4.17.10

Search for packages

Vulnerability	Summary	Fixed by
VCID-j1d4-j44f-yqh9 Aliases: CVE-2026-44010 GHSA-gj2p-p9m4-c8gw	Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.	4.17.12 Affected by 0 other vulnerabilities. 5.9.18 Affected by 0 other vulnerabilities.
VCID-j8qq-yre6-4bfx Aliases: CVE-2026-44011 GHSA-qrgm-p9w5-rrfw	Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18.	4.17.12 Affected by 0 other vulnerabilities. 5.9.18 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-j1d4-j44f-yqh9
Aliases:
CVE-2026-44010
GHSA-gj2p-p9m4-c8gw

Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.

4.17.12
Affected by 0 other vulnerabilities.

5.9.18
Affected by 0 other vulnerabilities.

VCID-j8qq-yre6-4bfx
Aliases:
CVE-2026-44011
GHSA-qrgm-p9w5-rrfw

Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18.

4.17.12
Affected by 0 other vulnerabilities.

5.9.18
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T22:22:06.970823+00:00	GitLab Importer	Affected by	VCID-j8qq-yre6-4bfx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-44011.yml	38.6.0
2026-06-12T22:21:50.860226+00:00	GitLab Importer	Affected by	VCID-j1d4-j44f-yqh9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-44010.yml	38.6.0

2026-06-12T22:22:06.970823+00:00

GitLab Importer

Affected by

VCID-j8qq-yre6-4bfx

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-44011.yml

38.6.0

2026-06-12T22:21:50.860226+00:00

GitLab Importer

Affected by

VCID-j1d4-j44f-yqh9

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-44010.yml

38.6.0

Next non-vulnerable version	4.17.12
Latest non-vulnerable version	5.9.18
Risk	4.0