Package details: pkg:composer/craftcms/cms@5.8.21
purl: pkg:composer/craftcms/cms@5.8.21
Next non-vulnerable version: 5.8.23
Latest non-vulnerable version: 5.9.18
Risk: 4.0
Vulnerabilities affecting this package (7)

VCID-51qg-ehr3-3qeu
Aliases: CVE-2026-25494, GHSA-m5r2-8p9x-hp5m
Summary: Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation
The `saveAsset` GraphQL mutation uses `filter_var(..., FILTER_VALIDATE_IP)` to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services.
Fixed by: 5.8.22 (this version is affected by 5 other vulnerabilities)

VCID-76vz-cxx8-z7fc
Aliases: GHSA-g3hp-vvqf-8vw6
Summary: Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page
A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user's permissions.
Note: This is a separate vulnerability from the previously reported "[Stored XSS via User Group Name in User Settings Page](https://github.com/craftcms/cms/security/advisories/GHSA-2423-8xxj-wc3g)" and "[Multiple Stored XSS in User Group Edit Page](https://github.com/craftcms/cms/security/advisories/GHSA-vx7g-xw92-g4xj)". This affects a different sink: the individual user's permissions page.
Fixed by: 5.8.22 (this version is affected by 5 other vulnerabilities)

VCID-7b71-dsva-cfan
Aliases: CVE-2026-25496, GHSA-9f5h-mmq6-2x78
Summary: Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
A stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the `|md|raw` Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles.
Fixed by: 5.8.22 (this version is affected by 5 other vulnerabilities)

VCID-jy6d-5zfh-7ycp
Aliases: CVE-2026-25498, GHSA-7jx7-3846-m7w7
Summary: Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
A Remote Code Execution (RCE) vulnerability exists in Craft CMS where the `assembleLayoutFromPost()` function in `src/services/Fields.php` fails to sanitize user-supplied configuration data before passing it to `Craft::createObject()`. This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an **unpatched variant** of the behavior injection vulnerability addressed in GHSA-255j-qw47-wjh5, affecting different endpoints through a separate code path.
Fixed by: 5.8.22 (this version is affected by 5 other vulnerabilities)

VCID-u3cv-q3ft-qkhj
Aliases: CVE-2026-25493, GHSA-8jr8-7hr4-vhfx
Summary: Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect
The `saveAsset` GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses.
Fixed by: 5.8.22 (this version is affected by 5 other vulnerabilities)

VCID-uzyt-dujv-nqh6
Aliases: CVE-2026-25495, GHSA-2453-mppf-46cj
Summary: Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`
The `element-indexes/get-elements` endpoint is vulnerable to **SQL Injection** via the `criteria[orderBy]` parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with **Control Panel access** can inject arbitrary SQL into the `ORDER BY` clause by omitting `viewState[order]` (or setting both to the same payload).
Note: The `ORDER BY` clause executes per row. `SLEEP(1)` on 10 rows = 10s delay.
Fixed by: 5.8.22 (this version is affected by 5 other vulnerabilities)

VCID-w35e-5gaq-y3aw
Aliases: CVE-2026-25491, GHSA-7pr4-wx9w-mqwr
Summary: Craft CMS Vulnerable to Stored XSS in Entry Types Name
Stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list.
Fixed by: 5.8.22 (this version is affected by 5 other vulnerabilities)
Vulnerabilities fixed by this package (5)

VCID-2re8-4twc-eqez
Aliases: CVE-2025-68454, GHSA-742x-x762-7383
Summary: Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
For this to work, users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled, which is against Craft CMS' recommendations for any non-dev environment: https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production
Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
References:
- https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04

VCID-5h4n-14xc-uuf6
Aliases: CVE-2025-68436, GHSA-53vf-c43h-j2x9
Summary: Craft CMS vulnerable to potential information disclosure via unchecked asset relocation
Authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Resources:
- https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9

VCID-6epu-syvm-d3ed
Aliases: CVE-2025-68455, GHSA-255j-qw47-wjh5
Summary: Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
This was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (`5.6.0`) version of Craft CMS. Leveraging a legitimate but maliciously crafted Yii `Behavior` class, it's possible to trigger Remote Code Execution (RCE) via Reflection when the tainted `Behavior` is attached to a Yii `Component`, and an event is also fired on the tainted `Component`.

VCID-pggs-g9c8-w7d1
Aliases: CVE-2025-68456, GHSA-v64r-7wg9-23pr
Summary: Unauthenticated Craft CMS users can trigger a database backup
Unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.
Resources:
- https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md

VCID-t5h6-xvev-f3g7
Aliases: CVE-2025-68437, GHSA-x27p-wfqw-hfcc
Summary: Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
The Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.
References:
- https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md

Import history

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-05-31T10:53:15.250787+00:00 | GithubOSV Importer | Fixing | VCID-t5h6-xvev-f3g7 | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-x27p-wfqw-hfcc/GHSA-x27p-wfqw-hfcc.json | 38.6.0 |
| 2026-05-31T10:53:13.204399+00:00 | GithubOSV Importer | Fixing | VCID-2re8-4twc-eqez | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-742x-x762-7383/GHSA-742x-x762-7383.json | 38.6.0 |
| 2026-05-31T10:52:56.678400+00:00 | GithubOSV Importer | Fixing | VCID-5h4n-14xc-uuf6 | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-53vf-c43h-j2x9/GHSA-53vf-c43h-j2x9.json | 38.6.0 |
| 2026-05-31T10:52:54.846784+00:00 | GithubOSV Importer | Fixing | VCID-6epu-syvm-d3ed | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-255j-qw47-wjh5/GHSA-255j-qw47-wjh5.json | 38.6.0 |
| 2026-05-31T10:52:45.746807+00:00 | GithubOSV Importer | Fixing | VCID-pggs-g9c8-w7d1 | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-v64r-7wg9-23pr/GHSA-v64r-7wg9-23pr.json | 38.6.0 |
| 2026-05-31T01:08:28.888005+00:00 | GHSA Importer | Affected by | VCID-76vz-cxx8-z7fc | https://github.com/advisories/GHSA-g3hp-vvqf-8vw6 | 38.6.0 |
| 2026-05-31T01:07:16.388336+00:00 | GHSA Importer | Affected by | VCID-jy6d-5zfh-7ycp | https://github.com/advisories/GHSA-7jx7-3846-m7w7 | 38.6.0 |
| 2026-05-31T01:07:16.204108+00:00 | GHSA Importer | Affected by | VCID-7b71-dsva-cfan | https://github.com/advisories/GHSA-9f5h-mmq6-2x78 | 38.6.0 |
| 2026-05-31T01:07:16.163108+00:00 | GHSA Importer | Affected by | VCID-uzyt-dujv-nqh6 | https://github.com/advisories/GHSA-2453-mppf-46cj | 38.6.0 |
| 2026-05-31T01:07:16.072616+00:00 | GHSA Importer | Affected by | VCID-51qg-ehr3-3qeu | https://github.com/advisories/GHSA-m5r2-8p9x-hp5m | 38.6.0 |
| 2026-05-31T01:07:15.973475+00:00 | GHSA Importer | Affected by | VCID-u3cv-q3ft-qkhj | https://github.com/advisories/GHSA-8jr8-7hr4-vhfx | 38.6.0 |
| 2026-05-31T01:07:15.777918+00:00 | GHSA Importer | Affected by | VCID-w35e-5gaq-y3aw | https://github.com/advisories/GHSA-7pr4-wx9w-mqwr | 38.6.0 |
| 2026-05-31T01:06:25.447731+00:00 | GHSA Importer | Fixing | VCID-6epu-syvm-d3ed | https://github.com/advisories/GHSA-255j-qw47-wjh5 | 38.6.0 |
| 2026-05-31T01:06:25.354294+00:00 | GHSA Importer | Fixing | VCID-pggs-g9c8-w7d1 | https://github.com/advisories/GHSA-v64r-7wg9-23pr | 38.6.0 |
| 2026-05-31T01:06:25.305085+00:00 | GHSA Importer | Fixing | VCID-2re8-4twc-eqez | https://github.com/advisories/GHSA-742x-x762-7383 | 38.6.0 |
| 2026-05-31T01:06:25.139037+00:00 | GHSA Importer | Fixing | VCID-t5h6-xvev-f3g7 | https://github.com/advisories/GHSA-x27p-wfqw-hfcc | 38.6.0 |
| 2026-05-31T01:06:25.060137+00:00 | GHSA Importer | Fixing | VCID-5h4n-14xc-uuf6 | https://github.com/advisories/GHSA-53vf-c43h-j2x9 | 38.6.0 |
| 2026-05-30T21:05:45.210998+00:00 | GitLab Importer | Fixing | VCID-pggs-g9c8-w7d1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2025-68456.yml | 38.6.0 |
| 2026-05-30T21:05:44.928769+00:00 | GitLab Importer | Fixing | VCID-6epu-syvm-d3ed | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2025-68455.yml | 38.6.0 |
| 2026-05-30T21:05:44.452292+00:00 | GitLab Importer | Fixing | VCID-2re8-4twc-eqez | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2025-68454.yml | 38.6.0 |
| 2026-05-30T21:05:44.381922+00:00 | GitLab Importer | Fixing | VCID-5h4n-14xc-uuf6 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2025-68436.yml | 38.6.0 |
| 2026-05-30T21:05:43.539830+00:00 | GitLab Importer | Fixing | VCID-t5h6-xvev-f3g7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2025-68437.yml | 38.6.0 |