VulnerableCode Package Details - pkg:composer/craftcms/cms@5.9.0-beta.2

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-zybg-fqev-eber	Craft CMS has unauthenticated activation email trigger with potential user enumeration The `actionSendActivationEmail()` endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. The vulnerability is not that anonymous access exists - there’s a legitimate use case for it. The vulnerability is that the endpoint accepts arbitrary `userId` parameters without verifying ownership. Craft CMS allows public user registration. When a user registers but doesn’t receive their activation email (spam filter, typo correction, etc.), they need a way to request a resend. This is why `send-activation-email` is in the `allowAnonymous` array - it’s intentional self-service functionality.	CVE-2026-29069 GHSA-234q-vvw3-mrfq

Vulnerability

Summary

Aliases

VCID-zybg-fqev-eber

Craft CMS has unauthenticated activation email trigger with potential user enumeration The `actionSendActivationEmail()` endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. The vulnerability is not that anonymous access exists - there’s a legitimate use case for it. The vulnerability is that the endpoint accepts arbitrary `userId` parameters without verifying ownership. Craft CMS allows public user registration. When a user registers but doesn’t receive their activation email (spam filter, typo correction, etc.), they need a way to request a resend. This is why `send-activation-email` is in the `allowAnonymous` array - it’s intentional self-service functionality.

CVE-2026-29069
GHSA-234q-vvw3-mrfq

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T10:54:55.323367+00:00	GithubOSV Importer	Fixing	VCID-zybg-fqev-eber	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-234q-vvw3-mrfq/GHSA-234q-vvw3-mrfq.json	38.6.0
2026-05-31T01:08:13.365057+00:00	GHSA Importer	Fixing	VCID-zybg-fqev-eber	https://github.com/advisories/GHSA-234q-vvw3-mrfq	38.6.0
2026-05-30T21:07:34.583521+00:00	GitLab Importer	Fixing	VCID-zybg-fqev-eber	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-29069.yml	38.6.0