Package details: pkg:composer/craftcms/cms@5.9.13
purl: pkg:composer/craftcms/cms@5.9.13
Next non-vulnerable version: 5.9.18
Latest non-vulnerable version: 5.9.18
Risk: 4.0
Vulnerabilities affecting this package (12)

VCID-25ym-rhky-wbaq
Aliases: CVE-2026-33161, GHSA-vgjg-248p-rfm2
Summary: Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14.
Fixed by: 5.9.14 (affected by 6 other vulnerabilities)
VCID-5qkr-aqmx-8qau
Aliases: GHSA-44px-qjjc-xrhq
Summary: Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata

### Summary
An authenticated low-privileged user can call `assets/preview-file` for an asset they are not authorized to view and still receive preview response data (`previewHtml`) for that private asset. The returned preview HTML included a private preview image route containing the target private `assetId`, even though `canView` was `false` for the attacker account.

### Details
1. `assets/preview-file` accepts a maliciously controlled `assetId` and renders preview output.
2. The action does not enforce per-asset view authorization prior to returning preview content.
3. As a result, an authenticated user without asset-view permission can still obtain private preview output.

This affects Craft installations with authenticated users of mixed privilege levels with private assets.

### Resources
- d30df3112220db1ffd6726a3ed11857014c7fb27
- b1cddf72c98a

Fixed by: 5.9.14 (affected by 6 other vulnerabilities)
VCID-gp2d-vv3n-euda
Aliases: CVE-2026-41129, GHSA-3m9m-24vh-39wx
Summary: Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume." Versions 4.17.9 and 5.9.15 patch the issue.
Fixed by: 5.9.15 (affected by 3 other vulnerabilities)
VCID-h9fr-63qv-bffn
Aliases: CVE-2026-33162, GHSA-f582-6gf6-gx4g
Summary: Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.
Fixed by: 5.9.14 (affected by 6 other vulnerabilities)
VCID-j1d4-j44f-yqh9
Aliases: CVE-2026-44010, GHSA-gj2p-p9m4-c8gw
Summary: Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.
Fixed by: 5.9.18 (affected by 0 other vulnerabilities)
VCID-j6wk-k1jb-jfd5
Aliases: CVE-2026-33160, GHSA-5pgf-h923-m958
Summary: Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14.
Fixed by: 5.9.14 (affected by 6 other vulnerabilities)
VCID-j8qq-yre6-4bfx
Aliases: CVE-2026-44011, GHSA-qrgm-p9w5-rrfw
Summary: Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS contains an input-handling flaw in a Yii object creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18.
Fixed by: 5.9.18 (affected by 0 other vulnerabilities)
VCID-nep2-e16y-9yg4
Aliases: CVE-2026-33159, GHSA-6mrr-q3pj-h53w
Summary: Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access the Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14.
Fixed by: 5.9.14 (affected by 6 other vulnerabilities)
VCID-py3b-5ps7-7fe3
Aliases: CVE-2026-33158, GHSA-3pvf-vxrv-hh9c
Summary: Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.
Fixed by: 5.9.14 (affected by 6 other vulnerabilities)
VCID-smdx-nfbs-2qbx
Aliases: CVE-2026-41130, GHSA-95wr-3f2v-v2wh
Summary: Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). Versions 4.17.9 and 5.9.15 patch the issue.
Fixed by: 5.9.15 (affected by 3 other vulnerabilities)
VCID-sswc-d2f8-zyc9
Aliases: CVE-2026-41128, GHSA-jq2f-59pj-p3m3
Summary: Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty `groups` value removes all existing group memberships. Version 5.9.15 contains a patch.
Fixed by: 5.9.15 (affected by 3 other vulnerabilities)
VCID-vj1t-r17b-rufc
Aliases: CVE-2026-44012, GHSA-33m5-hqp9-97pw
Summary: Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset's volume. Any authenticated CP user, even one with zero volume permissions, can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.
Fixed by: 5.9.18 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (1)

VCID-up4q-hz23-vkcn
Aliases: CVE-2026-33157, GHSA-2fph-6v5w-89hh
Summary: Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS; it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-13T06:28:19.583535+00:00 | GHSA Importer | Affected by | VCID-5qkr-aqmx-8qau | https://github.com/advisories/GHSA-44px-qjjc-xrhq | 38.6.0
2026-06-13T06:28:15.995173+00:00 | GHSA Importer | Affected by | VCID-h9fr-63qv-bffn | https://github.com/advisories/GHSA-f582-6gf6-gx4g | 38.6.0
2026-06-13T06:28:15.952637+00:00 | GHSA Importer | Affected by | VCID-25ym-rhky-wbaq | https://github.com/advisories/GHSA-vgjg-248p-rfm2 | 38.6.0
2026-06-13T06:28:15.831586+00:00 | GHSA Importer | Affected by | VCID-j6wk-k1jb-jfd5 | https://github.com/advisories/GHSA-5pgf-h923-m958 | 38.6.0
2026-06-13T06:28:15.745649+00:00 | GHSA Importer | Affected by | VCID-nep2-e16y-9yg4 | https://github.com/advisories/GHSA-6mrr-q3pj-h53w | 38.6.0
2026-06-13T06:28:15.654388+00:00 | GHSA Importer | Affected by | VCID-py3b-5ps7-7fe3 | https://github.com/advisories/GHSA-3pvf-vxrv-hh9c | 38.6.0
2026-06-13T06:28:15.617940+00:00 | GHSA Importer | Fixing | VCID-up4q-hz23-vkcn | https://github.com/advisories/GHSA-2fph-6v5w-89hh | 38.6.0
2026-06-12T22:22:11.220229+00:00 | GitLab Importer | Affected by | VCID-vj1t-r17b-rufc | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-44012.yml | 38.6.0
2026-06-12T22:22:07.667934+00:00 | GitLab Importer | Affected by | VCID-j8qq-yre6-4bfx | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-44011.yml | 38.6.0
2026-06-12T22:21:51.614088+00:00 | GitLab Importer | Affected by | VCID-j1d4-j44f-yqh9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-44010.yml | 38.6.0
2026-06-12T22:05:12.224300+00:00 | GitLab Importer | Affected by | VCID-gp2d-vv3n-euda | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-41129.yml | 38.6.0
2026-06-12T22:03:27.759960+00:00 | GitLab Importer | Affected by | VCID-sswc-d2f8-zyc9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-41128.yml | 38.6.0
2026-06-12T22:02:23.832946+00:00 | GitLab Importer | Affected by | VCID-smdx-nfbs-2qbx | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-41130.yml | 38.6.0
2026-06-12T21:38:46.410436+00:00 | GitLab Importer | Affected by | VCID-5qkr-aqmx-8qau | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/GHSA-44px-qjjc-xrhq.yml | 38.6.0
2026-06-12T21:36:05.601972+00:00 | GitLab Importer | Fixing | VCID-up4q-hz23-vkcn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-33157.yml | 38.6.0
2026-06-12T21:36:03.359657+00:00 | GitLab Importer | Affected by | VCID-j6wk-k1jb-jfd5 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-33160.yml | 38.6.0
2026-06-12T21:36:01.019400+00:00 | GitLab Importer | Affected by | VCID-py3b-5ps7-7fe3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-33158.yml | 38.6.0
2026-06-12T21:35:58.701409+00:00 | GitLab Importer | Affected by | VCID-25ym-rhky-wbaq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-33161.yml | 38.6.0
2026-06-12T21:35:50.288985+00:00 | GitLab Importer | Affected by | VCID-nep2-e16y-9yg4 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-33159.yml | 38.6.0
2026-06-12T21:35:48.053268+00:00 | GitLab Importer | Affected by | VCID-h9fr-63qv-bffn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-33162.yml | 38.6.0
2026-06-12T07:49:30.192198+00:00 | GithubOSV Importer | Fixing | VCID-up4q-hz23-vkcn | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-2fph-6v5w-89hh/GHSA-2fph-6v5w-89hh.json | 38.6.0