Lookup for vulnerable packages by Package URL.

Purl pkg:composer/craftcms/cms@5.9.11
Type composer
Namespace craftcms
Name cms
Version 5.9.11
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 5.9.18
Latest_non_vulnerable_version 5.9.18
Affected_by_vulnerabilities
0
url VCID-25ym-rhky-wbaq
vulnerability_id VCID-25ym-rhky-wbaq
summary Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33161
reference_id
reference_type
scores
0
value 0.00042
scoring_system epss
scoring_elements 0.13156
published_at 2026-06-12T12:55:00Z
1
value 0.00042
scoring_system epss
scoring_elements 0.13161
published_at 2026-06-13T12:55:00Z
2
value 0.00042
scoring_system epss
scoring_elements 0.13059
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33161
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33161
reference_id
reference_type
scores
0
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33161
2
reference_url https://github.com/craftcms/cms/releases/tag/4.17.8
reference_id 4.17.8
reference_type
scores
0
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/
url https://github.com/craftcms/cms/releases/tag/4.17.8
3
reference_url https://github.com/craftcms/cms/releases/tag/5.9.14
reference_id 5.9.14
reference_type
scores
0
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/
url https://github.com/craftcms/cms/releases/tag/5.9.14
4
reference_url https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27
reference_id d30df3112220db1ffd6726a3ed11857014c7fb27
reference_type
scores
0
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/
url https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27
5
reference_url https://github.com/advisories/GHSA-vgjg-248p-rfm2
reference_id GHSA-vgjg-248p-rfm2
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vgjg-248p-rfm2
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2
reference_id GHSA-vgjg-248p-rfm2
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.14
purl pkg:composer/craftcms/cms@5.9.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gp2d-vv3n-euda
1
vulnerability VCID-j1d4-j44f-yqh9
2
vulnerability VCID-j8qq-yre6-4bfx
3
vulnerability VCID-smdx-nfbs-2qbx
4
vulnerability VCID-sswc-d2f8-zyc9
5
vulnerability VCID-vj1t-r17b-rufc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14
aliases CVE-2026-33161, GHSA-vgjg-248p-rfm2
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-25ym-rhky-wbaq
1
url VCID-5qkr-aqmx-8qau
vulnerability_id VCID-5qkr-aqmx-8qau
summary
Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
### Summary

An authenticated low-privileged user can call `assets/preview-file` for an asset they are not authorized to view and still receive preview response data (`previewHtml`) for that private asset.

The returned preview HTML included a private preview image route containing the target private `assetId`, even though `canView` was `false` for the attacker account.

### Details

1. `assets/preview-file` accepts a maliciously controlled `assetId` and renders preview output.
2. The action does not enforce per-asset view authorization prior to returning preview content.
3. As a result, an authenticated user without asset-view permission can still obtain private preview output.

This affects Craft installations with authenticated users of mixed privilege levels with private assets.

### Resources

- d30df3112220db1ffd6726a3ed11857014c7fb27
- b1cddf72c98a
references
0
reference_url https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db
reference_id
reference_type
scores
0
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db
1
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq
2
reference_url https://github.com/advisories/GHSA-44px-qjjc-xrhq
reference_id GHSA-44px-qjjc-xrhq
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-44px-qjjc-xrhq
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.14
purl pkg:composer/craftcms/cms@5.9.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gp2d-vv3n-euda
1
vulnerability VCID-j1d4-j44f-yqh9
2
vulnerability VCID-j8qq-yre6-4bfx
3
vulnerability VCID-smdx-nfbs-2qbx
4
vulnerability VCID-sswc-d2f8-zyc9
5
vulnerability VCID-vj1t-r17b-rufc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14
aliases GHSA-44px-qjjc-xrhq
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5qkr-aqmx-8qau
2
url VCID-e3k3-fp6t-kycw
vulnerability_id VCID-e3k3-fp6t-kycw
summary Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32267
reference_id
reference_type
scores
0
value 0.00046
scoring_system epss
scoring_elements 0.14803
published_at 2026-06-13T12:55:00Z
1
value 0.00046
scoring_system epss
scoring_elements 0.14804
published_at 2026-06-12T12:55:00Z
2
value 0.00046
scoring_system epss
scoring_elements 0.14683
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32267
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32267
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32267
2
reference_url https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33
reference_id 6301e217c5f15617d939c432cb770db50af14b33
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/
url https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33
3
reference_url https://github.com/advisories/GHSA-cc7p-2j3x-x7xf
reference_id GHSA-cc7p-2j3x-x7xf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cc7p-2j3x-x7xf
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf
reference_id GHSA-cc7p-2j3x-x7xf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.12
purl pkg:composer/craftcms/cms@5.9.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25ym-rhky-wbaq
1
vulnerability VCID-5qkr-aqmx-8qau
2
vulnerability VCID-gp2d-vv3n-euda
3
vulnerability VCID-h9fr-63qv-bffn
4
vulnerability VCID-j1d4-j44f-yqh9
5
vulnerability VCID-j6wk-k1jb-jfd5
6
vulnerability VCID-j8qq-yre6-4bfx
7
vulnerability VCID-nep2-e16y-9yg4
8
vulnerability VCID-py3b-5ps7-7fe3
9
vulnerability VCID-smdx-nfbs-2qbx
10
vulnerability VCID-sswc-d2f8-zyc9
11
vulnerability VCID-up4q-hz23-vkcn
12
vulnerability VCID-vj1t-r17b-rufc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.12
aliases CVE-2026-32267, GHSA-cc7p-2j3x-x7xf
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e3k3-fp6t-kycw
3
url VCID-gp2d-vv3n-euda
vulnerability_id VCID-gp2d-vv3n-euda
summary Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume." Versions 4.17.9 and 5.9.15 patch the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41129
reference_id
reference_type
scores
0
value 0.00042
scoring_system epss
scoring_elements 0.13144
published_at 2026-06-13T12:55:00Z
1
value 0.00042
scoring_system epss
scoring_elements 0.13139
published_at 2026-06-12T12:55:00Z
2
value 0.00042
scoring_system epss
scoring_elements 0.13041
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41129
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41129
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41129
2
reference_url https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f
reference_id d20aecfaa0eae076c4154be3b17e1f9fa05ce46f
reference_type
scores
0
value 5.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/
url https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f
3
reference_url https://github.com/advisories/GHSA-3m9m-24vh-39wx
reference_id GHSA-3m9m-24vh-39wx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3m9m-24vh-39wx
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx
reference_id GHSA-3m9m-24vh-39wx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.15
purl pkg:composer/craftcms/cms@5.9.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-j1d4-j44f-yqh9
1
vulnerability VCID-j8qq-yre6-4bfx
2
vulnerability VCID-vj1t-r17b-rufc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15
aliases CVE-2026-41129, GHSA-3m9m-24vh-39wx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gp2d-vv3n-euda
4
url VCID-h9fr-63qv-bffn
vulnerability_id VCID-h9fr-63qv-bffn
summary Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33162
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02173
published_at 2026-06-11T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.02175
published_at 2026-06-13T12:55:00Z
2
value 0.00013
scoring_system epss
scoring_elements 0.02178
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33162
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33162
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33162
2
reference_url https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e
reference_id 3c1ab1c4445dd9237855a66e6a06ecf3591a718e
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:40:29Z/
url https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e
3
reference_url https://github.com/craftcms/cms/releases/tag/5.9.14
reference_id 5.9.14
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:40:29Z/
url https://github.com/craftcms/cms/releases/tag/5.9.14
4
reference_url https://github.com/advisories/GHSA-f582-6gf6-gx4g
reference_id GHSA-f582-6gf6-gx4g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f582-6gf6-gx4g
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g
reference_id GHSA-f582-6gf6-gx4g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:40:29Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.14
purl pkg:composer/craftcms/cms@5.9.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gp2d-vv3n-euda
1
vulnerability VCID-j1d4-j44f-yqh9
2
vulnerability VCID-j8qq-yre6-4bfx
3
vulnerability VCID-smdx-nfbs-2qbx
4
vulnerability VCID-sswc-d2f8-zyc9
5
vulnerability VCID-vj1t-r17b-rufc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14
aliases CVE-2026-33162, GHSA-f582-6gf6-gx4g
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h9fr-63qv-bffn
5
url VCID-j1d4-j44f-yqh9
vulnerability_id VCID-j1d4-j44f-yqh9
summary Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44010
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02827
published_at 2026-06-12T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02819
published_at 2026-06-11T12:55:00Z
2
value 0.00016
scoring_system epss
scoring_elements 0.0409
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44010
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44010
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44010
2
reference_url https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128
reference_id 834b2cf61ad0dcee9b03add44ed402ebf18db128
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/
url https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128
3
reference_url https://github.com/advisories/GHSA-gj2p-p9m4-c8gw
reference_id GHSA-gj2p-p9m4-c8gw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gj2p-p9m4-c8gw
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw
reference_id GHSA-gj2p-p9m4-c8gw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.18
purl pkg:composer/craftcms/cms@5.9.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18
aliases CVE-2026-44010, GHSA-gj2p-p9m4-c8gw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j1d4-j44f-yqh9
6
url VCID-j6wk-k1jb-jfd5
vulnerability_id VCID-j6wk-k1jb-jfd5
summary Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33160
reference_id
reference_type
scores
0
value 0.00016
scoring_system epss
scoring_elements 0.03998
published_at 2026-06-11T12:55:00Z
1
value 0.00016
scoring_system epss
scoring_elements 0.04003
published_at 2026-06-13T12:55:00Z
2
value 0.00016
scoring_system epss
scoring_elements 0.04014
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33160
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33160
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33160
2
reference_url https://github.com/craftcms/cms/releases/tag/4.17.8
reference_id 4.17.8
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/
url https://github.com/craftcms/cms/releases/tag/4.17.8
3
reference_url https://github.com/craftcms/cms/releases/tag/5.9.14
reference_id 5.9.14
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/
url https://github.com/craftcms/cms/releases/tag/5.9.14
4
reference_url https://github.com/craftcms/cms/commit/7290d91639e
reference_id 7290d91639e
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/
url https://github.com/craftcms/cms/commit/7290d91639e
5
reference_url https://github.com/advisories/GHSA-5pgf-h923-m958
reference_id GHSA-5pgf-h923-m958
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5pgf-h923-m958
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958
reference_id GHSA-5pgf-h923-m958
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.14
purl pkg:composer/craftcms/cms@5.9.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gp2d-vv3n-euda
1
vulnerability VCID-j1d4-j44f-yqh9
2
vulnerability VCID-j8qq-yre6-4bfx
3
vulnerability VCID-smdx-nfbs-2qbx
4
vulnerability VCID-sswc-d2f8-zyc9
5
vulnerability VCID-vj1t-r17b-rufc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14
aliases CVE-2026-33160, GHSA-5pgf-h923-m958
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j6wk-k1jb-jfd5
7
url VCID-j8qq-yre6-4bfx
vulnerability_id VCID-j8qq-yre6-4bfx
summary Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS contains an input-handling flaw in a Yii object creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44011
reference_id
reference_type
scores
0
value 0.00022
scoring_system epss
scoring_elements 0.06356
published_at 2026-06-11T12:55:00Z
1
value 0.00022
scoring_system epss
scoring_elements 0.06376
published_at 2026-06-12T12:55:00Z
2
value 0.00024
scoring_system epss
scoring_elements 0.06955
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44011
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44011
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44011
2
reference_url https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3
reference_id ab85ca7f5f926994f723f60584054a1f4c4c5de3
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/
url https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3
3
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5
reference_id GHSA-255j-qw47-wjh5
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5
4
reference_url https://github.com/advisories/GHSA-qrgm-p9w5-rrfw
reference_id GHSA-qrgm-p9w5-rrfw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qrgm-p9w5-rrfw
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw
reference_id GHSA-qrgm-p9w5-rrfw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.18
purl pkg:composer/craftcms/cms@5.9.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18
aliases CVE-2026-44011, GHSA-qrgm-p9w5-rrfw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j8qq-yre6-4bfx
8
url VCID-nep2-e16y-9yg4
vulnerability_id VCID-nep2-e16y-9yg4
summary Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33159
reference_id
reference_type
scores
0
value 0.00023
scoring_system epss
scoring_elements 0.06624
published_at 2026-06-12T12:55:00Z
1
value 0.00023
scoring_system epss
scoring_elements 0.06613
published_at 2026-06-13T12:55:00Z
2
value 0.00023
scoring_system epss
scoring_elements 0.06602
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33159
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33159
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33159
2
reference_url https://github.com/craftcms/cms/releases/tag/4.17.8
reference_id 4.17.8
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/
url https://github.com/craftcms/cms/releases/tag/4.17.8
3
reference_url https://github.com/craftcms/cms/releases/tag/5.9.14
reference_id 5.9.14
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/
url https://github.com/craftcms/cms/releases/tag/5.9.14
4
reference_url https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592
reference_id 7f0ead833f7c2b91ae12003caad833479dd08592
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/
url https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592
5
reference_url https://github.com/advisories/GHSA-6mrr-q3pj-h53w
reference_id GHSA-6mrr-q3pj-h53w
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6mrr-q3pj-h53w
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w
reference_id GHSA-6mrr-q3pj-h53w
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.14
purl pkg:composer/craftcms/cms@5.9.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gp2d-vv3n-euda
1
vulnerability VCID-j1d4-j44f-yqh9
2
vulnerability VCID-j8qq-yre6-4bfx
3
vulnerability VCID-smdx-nfbs-2qbx
4
vulnerability VCID-sswc-d2f8-zyc9
5
vulnerability VCID-vj1t-r17b-rufc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14
aliases CVE-2026-33159, GHSA-6mrr-q3pj-h53w
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nep2-e16y-9yg4
9
url VCID-py3b-5ps7-7fe3
vulnerability_id VCID-py3b-5ps7-7fe3
summary Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33158
reference_id
reference_type
scores
0
value 0.00016
scoring_system epss
scoring_elements 0.03898
published_at 2026-06-11T12:55:00Z
1
value 0.00016
scoring_system epss
scoring_elements 0.03906
published_at 2026-06-13T12:55:00Z
2
value 0.00016
scoring_system epss
scoring_elements 0.03916
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33158
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33158
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33158
2
reference_url https://github.com/craftcms/cms/releases/tag/4.17.8
reference_id 4.17.8
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/
url https://github.com/craftcms/cms/releases/tag/4.17.8
3
reference_url https://github.com/craftcms/cms/releases/tag/5.9.14
reference_id 5.9.14
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/
url https://github.com/craftcms/cms/releases/tag/5.9.14
4
reference_url https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860
reference_id 7290d91639e5e3a4f7e221dfbef95c9b77331860
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/
url https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860
5
reference_url https://github.com/advisories/GHSA-3pvf-vxrv-hh9c
reference_id GHSA-3pvf-vxrv-hh9c
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3pvf-vxrv-hh9c
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c
reference_id GHSA-3pvf-vxrv-hh9c
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.14
purl pkg:composer/craftcms/cms@5.9.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gp2d-vv3n-euda
1
vulnerability VCID-j1d4-j44f-yqh9
2
vulnerability VCID-j8qq-yre6-4bfx
3
vulnerability VCID-smdx-nfbs-2qbx
4
vulnerability VCID-sswc-d2f8-zyc9
5
vulnerability VCID-vj1t-r17b-rufc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14
aliases CVE-2026-33158, GHSA-3pvf-vxrv-hh9c
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-py3b-5ps7-7fe3
10
url VCID-smdx-nfbs-2qbx
vulnerability_id VCID-smdx-nfbs-2qbx
summary Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). Versions 4.17.9 and 5.9.15 patch the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41130
reference_id
reference_type
scores
0
value 0.00051
scoring_system epss
scoring_elements 0.16424
published_at 2026-06-12T12:55:00Z
1
value 0.00051
scoring_system epss
scoring_elements 0.16435
published_at 2026-06-13T12:55:00Z
2
value 0.00051
scoring_system epss
scoring_elements 0.1628
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41130
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41130
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41130
2
reference_url https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783
reference_id ebe7e85f1c89700d64332f72492be2e9a594e783
reference_type
scores
0
value 5.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/
url https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783
3
reference_url https://github.com/advisories/GHSA-95wr-3f2v-v2wh
reference_id GHSA-95wr-3f2v-v2wh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-95wr-3f2v-v2wh
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh
reference_id GHSA-95wr-3f2v-v2wh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.15
purl pkg:composer/craftcms/cms@5.9.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-j1d4-j44f-yqh9
1
vulnerability VCID-j8qq-yre6-4bfx
2
vulnerability VCID-vj1t-r17b-rufc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15
aliases CVE-2026-41130, GHSA-95wr-3f2v-v2wh
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-smdx-nfbs-2qbx
11
url VCID-sswc-d2f8-zyc9
vulnerability_id VCID-sswc-d2f8-zyc9
summary Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty `groups` value removes all existing group memberships. Version 5.9.15 contains a patch.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41128
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12782
published_at 2026-06-13T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12774
published_at 2026-06-12T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12684
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41128
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41128
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41128
2
reference_url https://github.com/craftcms/cms/commit/b135384808ad43fcf8836a9dd9b877fb0087bc27
reference_id b135384808ad43fcf8836a9dd9b877fb0087bc27
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T18:13:25Z/
url https://github.com/craftcms/cms/commit/b135384808ad43fcf8836a9dd9b877fb0087bc27
3
reference_url https://github.com/advisories/GHSA-jq2f-59pj-p3m3
reference_id GHSA-jq2f-59pj-p3m3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jq2f-59pj-p3m3
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-jq2f-59pj-p3m3
reference_id GHSA-jq2f-59pj-p3m3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T18:13:25Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-jq2f-59pj-p3m3
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.15
purl pkg:composer/craftcms/cms@5.9.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-j1d4-j44f-yqh9
1
vulnerability VCID-j8qq-yre6-4bfx
2
vulnerability VCID-vj1t-r17b-rufc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15
aliases CVE-2026-41128, GHSA-jq2f-59pj-p3m3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sswc-d2f8-zyc9
12
url VCID-up4q-hz23-vkcn
vulnerability_id VCID-up4q-hz23-vkcn
summary Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS; it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33157
reference_id
reference_type
scores
0
value 0.00101
scoring_system epss
scoring_elements 0.27322
published_at 2026-06-11T12:55:00Z
1
value 0.00101
scoring_system epss
scoring_elements 0.27547
published_at 2026-06-13T12:55:00Z
2
value 0.00101
scoring_system epss
scoring_elements 0.27524
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33157
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33157
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33157
2
reference_url https://github.com/craftcms/cms/releases/tag/5.9.13
reference_id 5.9.13
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:19:28Z/
url https://github.com/craftcms/cms/releases/tag/5.9.13
3
reference_url https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e
reference_id 97e90b4bdee369c1af3ca77a77531132df240e4e
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:19:28Z/
url https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e
4
reference_url https://github.com/advisories/GHSA-255j-qw47-wjh5
reference_id GHSA-255j-qw47-wjh5
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-255j-qw47-wjh5
5
reference_url https://github.com/advisories/GHSA-2fph-6v5w-89hh
reference_id GHSA-2fph-6v5w-89hh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2fph-6v5w-89hh
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh
reference_id GHSA-2fph-6v5w-89hh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:19:28Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh
7
reference_url https://github.com/advisories/GHSA-7jx7-3846-m7w7
reference_id GHSA-7jx7-3846-m7w7
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-7jx7-3846-m7w7
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.13
purl pkg:composer/craftcms/cms@5.9.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25ym-rhky-wbaq
1
vulnerability VCID-5qkr-aqmx-8qau
2
vulnerability VCID-gp2d-vv3n-euda
3
vulnerability VCID-h9fr-63qv-bffn
4
vulnerability VCID-j1d4-j44f-yqh9
5
vulnerability VCID-j6wk-k1jb-jfd5
6
vulnerability VCID-j8qq-yre6-4bfx
7
vulnerability VCID-nep2-e16y-9yg4
8
vulnerability VCID-py3b-5ps7-7fe3
9
vulnerability VCID-smdx-nfbs-2qbx
10
vulnerability VCID-sswc-d2f8-zyc9
11
vulnerability VCID-vj1t-r17b-rufc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.13
aliases CVE-2026-33157, GHSA-2fph-6v5w-89hh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-up4q-hz23-vkcn
13
url VCID-vj1t-r17b-rufc
vulnerability_id VCID-vj1t-r17b-rufc
summary Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44012
reference_id
reference_type
scores
0
value 0.00012
scoring_system epss
scoring_elements 0.01713
published_at 2026-06-12T12:55:00Z
1
value 0.00012
scoring_system epss
scoring_elements 0.0171
published_at 2026-06-11T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02419
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44012
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44012
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44012
2
reference_url https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586
reference_id e3f3eaab3d85badd713cfc2c24e5f0792ecdb586
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:49:35Z/
url https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586
3
reference_url https://github.com/advisories/GHSA-33m5-hqp9-97pw
reference_id GHSA-33m5-hqp9-97pw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-33m5-hqp9-97pw
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw
reference_id GHSA-33m5-hqp9-97pw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:49:35Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.18
purl pkg:composer/craftcms/cms@5.9.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18
aliases CVE-2026-44012, GHSA-33m5-hqp9-97pw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vj1t-r17b-rufc
Fixing_vulnerabilities
0
url VCID-5r6n-351z-2ybh
vulnerability_id VCID-5r6n-351z-2ybh
summary Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32264
reference_id
reference_type
scores
0
value 0.00048
scoring_system epss
scoring_elements 0.15346
published_at 2026-06-11T12:55:00Z
1
value 0.00048
scoring_system epss
scoring_elements 0.15489
published_at 2026-06-13T12:55:00Z
2
value 0.00048
scoring_system epss
scoring_elements 0.15481
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32264
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32264
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32264
2
reference_url https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70
reference_id 78d181e12e0b15e1300f54ec85f19859d3300f70
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/
url https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70
3
reference_url https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620
reference_id dfec46362fcb40b330ce8a4d8136446e65085620
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/
url https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620
4
reference_url https://github.com/advisories/GHSA-4484-8v2f-5748
reference_id GHSA-4484-8v2f-5748
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4484-8v2f-5748
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748
reference_id GHSA-4484-8v2f-5748
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7
reference_id GHSA-7jx7-3846-m7w7
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7
fixed_packages
0
url pkg:composer/craftcms/cms@4.17.5
purl pkg:composer/craftcms/cms@4.17.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25ym-rhky-wbaq
1
vulnerability VCID-5qkr-aqmx-8qau
2
vulnerability VCID-e3k3-fp6t-kycw
3
vulnerability VCID-gp2d-vv3n-euda
4
vulnerability VCID-j1d4-j44f-yqh9
5
vulnerability VCID-j6wk-k1jb-jfd5
6
vulnerability VCID-j8qq-yre6-4bfx
7
vulnerability VCID-nep2-e16y-9yg4
8
vulnerability VCID-py3b-5ps7-7fe3
9
vulnerability VCID-smdx-nfbs-2qbx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.5
1
url pkg:composer/craftcms/cms@5.9.11
purl pkg:composer/craftcms/cms@5.9.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25ym-rhky-wbaq
1
vulnerability VCID-5qkr-aqmx-8qau
2
vulnerability VCID-e3k3-fp6t-kycw
3
vulnerability VCID-gp2d-vv3n-euda
4
vulnerability VCID-h9fr-63qv-bffn
5
vulnerability VCID-j1d4-j44f-yqh9
6
vulnerability VCID-j6wk-k1jb-jfd5
7
vulnerability VCID-j8qq-yre6-4bfx
8
vulnerability VCID-nep2-e16y-9yg4
9
vulnerability VCID-py3b-5ps7-7fe3
10
vulnerability VCID-smdx-nfbs-2qbx
11
vulnerability VCID-sswc-d2f8-zyc9
12
vulnerability VCID-up4q-hz23-vkcn
13
vulnerability VCID-vj1t-r17b-rufc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11
aliases CVE-2026-32264, GHSA-4484-8v2f-5748
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5r6n-351z-2ybh
1
url VCID-6bwp-2ksu-xucy
vulnerability_id VCID-6bwp-2ksu-xucy
summary Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via "as" or "on" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32263
reference_id
reference_type
scores
0
value 0.00048
scoring_system epss
scoring_elements 0.1531
published_at 2026-06-11T12:55:00Z
1
value 0.00048
scoring_system epss
scoring_elements 0.1545
published_at 2026-06-13T12:55:00Z
2
value 0.00048
scoring_system epss
scoring_elements 0.15443
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32263
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32263
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32263
2
reference_url https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7
reference_id d37389dbffafa565143be40a2ab1e1db22a863f7
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:21:06Z/
url https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7
3
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7
reference_id GHSA-7jx7-3846-m7w7
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:21:06Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7
4
reference_url https://github.com/advisories/GHSA-qx2q-q59v-wf3j
reference_id GHSA-qx2q-q59v-wf3j
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qx2q-q59v-wf3j
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j
reference_id GHSA-qx2q-q59v-wf3j
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:21:06Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.11
purl pkg:composer/craftcms/cms@5.9.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25ym-rhky-wbaq
1
vulnerability VCID-5qkr-aqmx-8qau
2
vulnerability VCID-e3k3-fp6t-kycw
3
vulnerability VCID-gp2d-vv3n-euda
4
vulnerability VCID-h9fr-63qv-bffn
5
vulnerability VCID-j1d4-j44f-yqh9
6
vulnerability VCID-j6wk-k1jb-jfd5
7
vulnerability VCID-j8qq-yre6-4bfx
8
vulnerability VCID-nep2-e16y-9yg4
9
vulnerability VCID-py3b-5ps7-7fe3
10
vulnerability VCID-smdx-nfbs-2qbx
11
vulnerability VCID-sswc-d2f8-zyc9
12
vulnerability VCID-up4q-hz23-vkcn
13
vulnerability VCID-vj1t-r17b-rufc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11
aliases CVE-2026-32263, GHSA-qx2q-q59v-wf3j
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6bwp-2ksu-xucy
2
url VCID-ayrf-rfwj-37bf
vulnerability_id VCID-ayrf-rfwj-37bf
summary Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS payload via the profile editor, then create an entry with two saves. If an administrator is logged in and executes a specifically crafted payload while an elevated session is active, the attacker’s account can be elevated to administrator. This issue has been fixed in version 5.9.11.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33051
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.04745
published_at 2026-06-12T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.04731
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33051
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33051
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33051
2
reference_url https://github.com/craftcms/cms/releases/tag/5.9.11
reference_id 5.9.11
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T01:53:08Z/
url https://github.com/craftcms/cms/releases/tag/5.9.11
3
reference_url https://github.com/craftcms/cms/commit/f634a9d21edcafd83a6716047d275f985aba6be1
reference_id f634a9d21edcafd83a6716047d275f985aba6be1
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T01:53:08Z/
url https://github.com/craftcms/cms/commit/f634a9d21edcafd83a6716047d275f985aba6be1
4
reference_url https://github.com/advisories/GHSA-3x4w-mxpf-fhqq
reference_id GHSA-3x4w-mxpf-fhqq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3x4w-mxpf-fhqq
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-3x4w-mxpf-fhqq
reference_id GHSA-3x4w-mxpf-fhqq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T01:53:08Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-3x4w-mxpf-fhqq
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.11
purl pkg:composer/craftcms/cms@5.9.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25ym-rhky-wbaq
1
vulnerability VCID-5qkr-aqmx-8qau
2
vulnerability VCID-e3k3-fp6t-kycw
3
vulnerability VCID-gp2d-vv3n-euda
4
vulnerability VCID-h9fr-63qv-bffn
5
vulnerability VCID-j1d4-j44f-yqh9
6
vulnerability VCID-j6wk-k1jb-jfd5
7
vulnerability VCID-j8qq-yre6-4bfx
8
vulnerability VCID-nep2-e16y-9yg4
9
vulnerability VCID-py3b-5ps7-7fe3
10
vulnerability VCID-smdx-nfbs-2qbx
11
vulnerability VCID-sswc-d2f8-zyc9
12
vulnerability VCID-up4q-hz23-vkcn
13
vulnerability VCID-vj1t-r17b-rufc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11
aliases CVE-2026-33051, GHSA-3x4w-mxpf-fhqq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ayrf-rfwj-37bf
3
url VCID-yc89-41eq-b3eh
vulnerability_id VCID-yc89-41eq-b3eh
summary Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method passes its targetFilename body parameter unsanitized to a deleteFile() call; Assets::prepareAssetName() is only applied later, when the replacement is saved. An authenticated user with the replaceFiles permission on one volume can therefore inject ../ path traversal sequences into targetFilename and delete files in other folders or volumes that share the same filesystem root. Only local filesystems are affected. This issue has been patched in versions 4.17.5 and 5.9.11.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32262
reference_id
reference_type
scores
0
value 0.0004
scoring_system epss
scoring_elements 0.12406
published_at 2026-06-12T12:55:00Z
1
value 0.0004
scoring_system epss
scoring_elements 0.12414
published_at 2026-06-13T12:55:00Z
2
value 0.0004
scoring_system epss
scoring_elements 0.12316
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32262
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32262
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32262
2
reference_url https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11
reference_id c997efbe4c66c14092714233aeebff15cdbfcf11
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/
url https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11
3
reference_url https://github.com/advisories/GHSA-472v-j2g4-g9h2
reference_id GHSA-472v-j2g4-g9h2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-472v-j2g4-g9h2
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2
reference_id GHSA-472v-j2g4-g9h2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2
fixed_packages
0
url pkg:composer/craftcms/cms@4.17.5
purl pkg:composer/craftcms/cms@4.17.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25ym-rhky-wbaq
1
vulnerability VCID-5qkr-aqmx-8qau
2
vulnerability VCID-e3k3-fp6t-kycw
3
vulnerability VCID-gp2d-vv3n-euda
4
vulnerability VCID-j1d4-j44f-yqh9
5
vulnerability VCID-j6wk-k1jb-jfd5
6
vulnerability VCID-j8qq-yre6-4bfx
7
vulnerability VCID-nep2-e16y-9yg4
8
vulnerability VCID-py3b-5ps7-7fe3
9
vulnerability VCID-smdx-nfbs-2qbx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.5
1
url pkg:composer/craftcms/cms@5.9.11
purl pkg:composer/craftcms/cms@5.9.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25ym-rhky-wbaq
1
vulnerability VCID-5qkr-aqmx-8qau
2
vulnerability VCID-e3k3-fp6t-kycw
3
vulnerability VCID-gp2d-vv3n-euda
4
vulnerability VCID-h9fr-63qv-bffn
5
vulnerability VCID-j1d4-j44f-yqh9
6
vulnerability VCID-j6wk-k1jb-jfd5
7
vulnerability VCID-j8qq-yre6-4bfx
8
vulnerability VCID-nep2-e16y-9yg4
9
vulnerability VCID-py3b-5ps7-7fe3
10
vulnerability VCID-smdx-nfbs-2qbx
11
vulnerability VCID-sswc-d2f8-zyc9
12
vulnerability VCID-up4q-hz23-vkcn
13
vulnerability VCID-vj1t-r17b-rufc
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11
aliases CVE-2026-32262, GHSA-472v-j2g4-g9h2
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yc89-41eq-b3eh
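The replaceFile() ordering flaw summarised in the VCID-yc89-41eq-b3eh record above, modelled as an added Python example. This is not Craft CMS code (Craft is PHP) and does not reproduce its internals: prepare_asset_name, escapes_root, resolve_inside, replace_file_vulnerable, replace_file_hardened and demo are constructed names, and the two-volume directory layout and the secret.pdf file are constructed inputs. It shows why "sanitize on save" is not enough when the raw parameter has already reached a delete, and adds a filesystem-root containment check as defence in depth.

```python
import os
import re
import tempfile

# Added example, not Craft CMS code. It models the ordering flaw from the
# summary above: the raw request filename reaches a delete before the name
# sanitizer runs. All function names, the volume layout and the sample file
# are constructed for illustration.


def prepare_asset_name(filename: str) -> str:
    """Stand-in for a name sanitizer such as Assets::prepareAssetName()
    (constructed, not Craft's implementation): keep only the basename and
    replace anything outside a conservative allow-list."""
    name = os.path.basename(filename.replace("\\", "/"))
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    if name in ("", ".", ".."):
        raise ValueError(f"invalid asset name: {filename!r}")
    return name


def escapes_root(root: str, relative: str) -> bool:
    """True if joining `relative` onto `root` resolves outside `root`.
    realpath() collapses ../ and symlinks before the comparison."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, relative))
    return os.path.commonpath([root_real, target]) != root_real


def resolve_inside(root: str, relative: str) -> str:
    """Return the absolute path for `relative` under `root`, refusing escapes."""
    if escapes_root(root, relative):
        raise PermissionError(f"path escapes filesystem root: {relative!r}")
    return os.path.realpath(os.path.join(root, relative))


def replace_file_vulnerable(volume_dir: str, target_filename: str, data: bytes) -> str:
    """Vulnerable ordering: delete using the raw parameter, sanitize only on save.
    Any ../ in target_filename is honoured by the delete."""
    old_path = os.path.join(volume_dir, target_filename)
    if os.path.isfile(old_path):
        os.remove(old_path)
    new_path = os.path.join(volume_dir, prepare_asset_name(target_filename))
    with open(new_path, "wb") as fh:
        fh.write(data)
    return new_path


def replace_file_hardened(volume_dir: str, target_filename: str, data: bytes) -> str:
    """Hardened ordering: sanitize first, use the sanitized name for every
    filesystem operation, and enforce root containment as defence in depth."""
    path = resolve_inside(volume_dir, prepare_asset_name(target_filename))
    if os.path.isfile(path):
        os.remove(path)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Run both handlers against a constructed layout: two volumes under one
    filesystem root, with the caller holding replaceFiles on volume A only.
    Returns, per handler, whether volume B's file survived the request."""
    survived = {}
    with tempfile.TemporaryDirectory() as fs_root:
        for label, handler in (("vulnerable", replace_file_vulnerable),
                               ("hardened", replace_file_hardened)):
            vol_a = os.path.join(fs_root, label, "volumeA")
            vol_b = os.path.join(fs_root, label, "volumeB")
            os.makedirs(vol_a)
            os.makedirs(vol_b)
            victim = os.path.join(vol_b, "secret.pdf")
            with open(victim, "wb") as fh:
                fh.write(b"confidential")
            # Traversal payload sent as the targetFilename body parameter.
            handler(vol_a, "../volumeB/secret.pdf", b"replacement")
            survived[label] = os.path.isfile(victim)
    return survived


if __name__ == "__main__":
    print(demo())  # {'vulnerable': False, 'hardened': True}
```

The containment check is kept even after sanitizing because a basename-only sanitizer is one refactor away from being bypassed (an absolute path, a symlinked volume, or a future parameter that is never routed through it); resolving with realpath() and comparing against the root catches all of those at the point of the filesystem operation.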
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11